Tags: sqli capabilities sql mariadb 

tl;dr:

  • The endpoint has an SQL injection that supports stacked queries against MariaDB
  • Use LOAD_FILE() to read the source of the PHP script, which contains a secret password that gives more info
  • Use INTO DUMPFILE to upload a custom MariaDB plugin that spawns a reverse shell
  • Create the mysql.plugins table, which is missing
  • Install the plugin
  • Get a reverse shell
  • Notice that the mariadb client has the cap_setfcap=ep capability set
  • Upload a client-side MariaDB plugin that sets cap_dac_override=ep on a file of our choosing (like a copy of cat)
  • Read the flag stored in /flag

See https://blog.bawolff.net/2023/10/ctf-writeup-n1ctf-2023-ezmaria.html for full details and explanation

Original writeup (https://blog.bawolff.net/2023/10/ctf-writeup-n1ctf-2023-ezmaria.html).
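
The last steps of the chain depend on a file capability (cap_setfcap=ep on the mariadb client) that a routine audit of `getcap -r` output would surface. The following is an added example, not code from the original writeup: it parses both the newer and older getcap output formats and reports binaries that hold a risky capability in their permitted set. The RISKY list beyond the two capabilities named above, and all sample paths, are assumptions made for illustration.

```python
import re

# cap_setfcap and cap_dac_override are the two capabilities named in the
# writeup; the other entries are an assumed policy list for this example.
RISKY = {"cap_setfcap", "cap_dac_override", "cap_dac_read_search",
         "cap_setuid", "cap_sys_admin"}
CLAUSE = re.compile(r"^([a-z0-9_,]*)((?:[=+-][eip]*)+)$")
ACTION = re.compile(r"([=+-])([eip]*)")

def parse_getcap_line(line):
    """Parse one `getcap -r` line into (path, {capability: set_of_flags})."""
    tokens = line.split()
    clauses = []
    # Capability clauses are the trailing tokens; what remains is the path.
    while len(tokens) > 1 and CLAUSE.match(tokens[-1]):
        clauses.insert(0, tokens.pop())
    caps = {}
    for clause in clauses:
        names, actions = CLAUSE.match(clause).groups()
        for name in filter(None, names.split(",")):
            flags = caps.setdefault(name, set())
            for op, letters in ACTION.findall(actions):
                if op == "=":          # "=" resets the flags, then sets them
                    flags.clear()
                if op == "-":
                    flags.difference_update(letters)
                else:
                    flags.update(letters)
    return " ".join(tokens), caps

def audit(getcap_output):
    """Return sorted (path, capability) pairs with a risky permitted capability."""
    findings = []
    for line in getcap_output.splitlines():
        if not line.strip():
            continue
        path, caps = parse_getcap_line(line)
        findings += [(path, c) for c, f in caps.items() if c in RISKY and "p" in f]
    return sorted(findings)

# Constructed sample output covering the newer ("path caps") and older
# ("path = caps") getcap formats. Paths are illustrative, not from the challenge.
SAMPLE = """\
/usr/bin/mariadb cap_setfcap=ep
/usr/bin/ping cap_net_raw=ep
/tmp/cat = cap_dac_override+ep
/usr/bin/example cap_net_bind_service,cap_setuid=ei
"""
```

On a real host, feed `audit()` the text produced by `getcap -r /` run as root and compare the findings against the set of capabilities the system is expected to ship with.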