When inspecting the source code of the page implementing the uploaded file, it can be seen, that it is included via an HTML Object Tag along with a GET Parameter of the sesson ID of the User who views the file.
As there is a `Content-Security-Policy: script-src 'none'` header set, it is virtually impossible to steal the session by executing JavaScript.

A simple IMG tag did the job as the `HTTP_REFERER` header contained the session ID of the admin.
It is necessary to send the header to our own server and retrieve the session ID:

exploit.html:

``````

takedata.php:
```

```
takedata.php simply writes the `$_SERVER` array to a file. The session ID can be retrieved from there.
After the own session is replaced with the admin session, the flag can be seen in the file `flag.txt` as linked to in the main page.