CWP CentOS Web Panel - preauth RCE [CVE-2021-45467]

We discussed this vulnerability during Episode 113 on 24 January 2022

A combination of a local file inclusion (LFI) bug and a file write bug. First, the user/loader.php and /user/index.php pages had some interesting code that took a scripts GET parameter and used it to construct a PHP include path. The developers tried to prevent abuse of this vector by checking the parameter for ".." with stristr() (the case-insensitive strstr()). The problem is that certain characters, such as %00, are ignored when PHP processes the include, so a value containing them passes the stristr() check (the literal ".." it looks for is never present, since the extra characters change the string) yet still resolves to a traversal. This LFI allowed the researchers to install an API key that grants full API access.

The second bug was in the add_server endpoint, which could now be reached with that API key, and which wrote a DHCP string into a local text file. PHP code could be placed in that string, and by chaining once more with the LFI to include the resulting file, it was possible to execute arbitrary PHP and achieve RCE.
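As an added defensive illustration, not code from CWP or from the podcast, the following PHP shows the weak substring-check pattern described above next to a hardened resolver that validates the parameter and compares only the fully resolved path against an allowlisted directory. The directory name, the parameter handling and the function names are assumptions for illustration; the same resolver also closes the second stage of the chain, because an include guarded this way cannot be pointed at an arbitrary text file written elsewhere on disk.

```php
<?php
// Added example (not CWP's code). SCRIPT_DIR is an assumed base directory
// holding the only PHP files the loader is allowed to include.
const SCRIPT_DIR = '/var/www/panel/scripts';

// Weak pattern as described in the writeup: a case-insensitive substring
// check for ".." on the raw parameter. It inspects the string as received,
// not the path PHP will actually resolve, so the two can diverge.
function weak_check(string $scripts): bool
{
    return stristr($scripts, '..') === false;
}

// Hardened resolver: accept only a plain script name, build the path from a
// fixed base, then compare the realpath() result against the base directory.
function resolve_script(string $scripts): ?string
{
    // Reject anything other than a short, plain name: this removes NUL and
    // other control bytes, path separators and encoding tricks up front.
    if (!preg_match('/\A[A-Za-z0-9_\-]{1,64}\z/', $scripts)) {
        return null;
    }

    $base = realpath(SCRIPT_DIR);
    if ($base === false) {
        return null; // base directory missing: fail closed
    }

    $real = realpath($base . '/' . $scripts . '.php');
    if ($real === false) {
        return null; // no such script
    }

    // Compare the resolved path, not the raw input, against the allowed prefix.
    if (strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed inputs for a quick demonstration: a plain name, a name with an
// embedded NUL byte, and a name containing a separator. Only the first can
// ever resolve; the others are rejected before any filesystem access.
foreach (['index', "in\0dex", 'sub/index'] as $input) {
    printf(
        "%-12s weak_check=%s resolve_script=%s\n",
        str_replace("\0", '\0', $input),
        weak_check($input) ? 'pass' : 'reject',
        resolve_script($input) ?? 'reject'
    );
}
```

Because the comparison runs on realpath() output rather than on the raw parameter, characters that PHP drops or normalises during path resolution cannot make the checked string and the included path diverge, and the tight name pattern means the include can never be redirected at a text file outside SCRIPT_DIR, regardless of what another endpoint writes there. Note that weak_check() reports "pass" for the NUL-containing input even though it does not contain a literal "..", which is exactly the gap the writeup describes.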