TLDR: exploit the RCE vulnerability in DomPDF 1.2. Upload the RCE command in a font file, which gets cached. Accessing the cached file will execute the remote command.

https://meashiri.github.io/ctf-writeups/posts/202306-nahamcon/#stickers

Original writeup (https://meashiri.github.io/ctf-writeups/posts/202306-nahamcon/#stickers).