Writeup

Try to bypass the client-side file type validations in the above exercise, then upload a web shell to read /flag.txt (try both bypass methods for better practice)

Modify the filename of the uploaded file in Burp Repeater (the request is sent with the upload as test.php), then access: http://94.237.122.36:41845/profile_images/test.php?cmd=id

→ HTB{cl13n7_51d3_v4l1d4710n_w0n7_570p_m3}
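The bypass works because the only file-type check runs in the browser, so a proxy like Burp can change the request freely. As an added example that is not part of the exercise or this writeup, here is the kind of server-side check the upload handler would need (Python, not the target's PHP code; the allowlist, magic-byte table and storage naming are assumptions):

```python
import os
import secrets

# Assumed allowlist for a profile-image upload: each extension must be
# backed by the file's real magic bytes, not the client-supplied Content-Type.
ALLOWED = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def validate_upload(filename: str, data: bytes):
    """Server-side validation: returns (ok, reason_or_extension).

    The client-side check can be skipped entirely (as the writeup shows),
    so the server must re-check the name and the content itself.
    """
    base = os.path.basename(filename)          # strip any path component
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # Rejects "test.php", "shell.php.png" and ".php"-style names alike
        return False, "filename must be name.ext with exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} is not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "file content does not match the claimed image type"
    return True, ext


def stored_name(ext: str) -> str:
    """Never reuse the client's filename; a random name removes the
    guessable /profile_images/<name> URL and any name-based tricks."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample inputs
    print(validate_upload("test.php", b"<?php echo 'not an image'; ?>"))
    print(validate_upload("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

Storing the file under the random name in a directory the web server does not execute scripts from is the other half of the fix; the name check alone is not enough.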