CSAW 2k22 ALL WEB WRITEUPS
2022-09-14
All CSAW 2k22 Web writeups, that was fun.
I am sharing a writeup for a decent web task from WMCTF 2022 that I played alongside my team SOter14 (ranked 1st now in my home country Tunisia on CTFtime). I chained Local File Inclusion (LFI) >> Server-Side Request Forgery (SSRF) >> Remote Code Execution (RCE) with blind OS command injection. I also got an alternative PoC for the recent CVE-2022-33891.
MojoJs Server-Side Template Injection + filter bypass >> Remote Code Execution.