navigating to 127.0.0.1:20055, we are met with a page for "Grant's Secure File Upload Server".

As the page states that the flag is located at root, a shell will likely be needed to access the root folder and as the website uses php, a php reverse shell would be a safe bet.

cp /usr/share/webshells/php/php-reverse-shell.php

Change the $ip to the local IP address of the attacking machine, as the targets are on the same network.

Choose an available port. 443 was used as it is usually available for web shells.

Now we have created our shell, we need to find a way to upload it.

The source code for upload.php shows that many php file extensions have been blocked. We will need to use a different extension to bypass the block.

Changing the file extension from php to php12 worked to bypass the block.

However, when attempting the access the file, we are now met with the source code being printed to the page rather than being executed by the server.