1. get to know about /register.php from /robots.txt
2. Do Post Auth RCE on upload user profile picture functionality with "shell.php.png" as your payload file name.

Original writeup (https://blog.shoebpatel.com/2020/03/23/FireShell-CTF-2020-Write-up/).