Tags: file_upload
The full video walkthrough can be found at [https://www.youtube.com/watch?v=NaWurMWUlvc](https://www.youtube.com/watch?v=NaWurMWUlvc) (~4 mins).
#### Find the vulnerability as black-box
Notice that `show.php?filename=<something>` simply dumps the content of the named file, base64-encoded, as the image source.
#### Exploit it to download the backend source code
Download the backend source code of `../show.php`, `../index.php` and `../upload.php` by passing each path as the `filename` GET parameter to `show.php` and base64-decoding the returned image source.
#### Find vulnerability as white-box using source code
Notice the `@include` inside `show.php`: an included file is run as PHP, which means we can execute any uploaded PHP file irrespective of its file extension. So create a simple PHP page that takes a text field as input, executes it with `system` on the server side and returns the output.
#### Exploit it to gain shell access on the server
Save your PHP exploit script with a `.jpg` extension and upload it to the server.
We now have access to the server and can simply navigate it.
#### Find the flag
The flag can now be found easily under the home directory.
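
Both bugs above come from `show.php` trusting the `filename` parameter and passing it to `@include`. The sketch below is an added example, not the challenge's source code: it shows a hardened endpoint of the same shape, and the `uploads` directory and the helper names `resolve_upload` and `image_data_uri` are assumptions.

```php
<?php
// Added example: hardened sketch of a show.php-style endpoint.
// Assumption: uploads live in ./uploads next to this script (hypothetical layout).
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];

/** Map a user-supplied name to a real file inside $baseDir, or null if it escapes. */
function resolve_upload(string $name, string $baseDir = UPLOAD_DIR): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() drops any directory part, so "../show.php" becomes "show.php".
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    // realpath() follows symlinks, so re-check the prefix after resolution.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($candidate) ? $candidate : null;
}

/** Return a data: URI for an image file, or null if the bytes are not an image. */
function image_data_uri(string $path): ?string
{
    // Sniff the type from the content, not from the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return null;
    }
    // file_get_contents() treats the file as data; include would run it as PHP.
    $bytes = file_get_contents($path);
    return $bytes === false ? null : 'data:' . $mime . ';base64,' . base64_encode($bytes);
}

$path = resolve_upload((string)($_GET['filename'] ?? ''));
$uri = $path === null ? null : image_data_uri($path);
if ($uri === null) {
    http_response_code(404);
    exit;
}
echo '<img src="' . htmlspecialchars($uri, ENT_QUOTES) . '">';
```

Confining the path stops the source-code download, and reading the file as bytes instead of including it means an upload with PHP inside is never executed, whatever its extension.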