tl;dr

• Upload log configuration file and exploit path traversal to gain RCE

tl;dr

• Create a note with meta redirect tag to get callback.
• Leak the flag using search functionality.

tl;dr

• Use DNS Rebinding attack to read flag from /flag endpoint.