In this challenge we are given a file hosting service. We can upload a zipped file, and the application provides the extracted files for download.
We found a comment in the HTML source, that shell_execute has been used. We tried to upload a zip file, with a symbolic link to /var/www/html/index.php, and we were able to download the source code. The next idea has been, to download /etc/passwd for further information.
ln -s /etc/passwd passwd
zip --symlinks -r passwd.zip passwd
There it is: