[Web] Pillow Fight

The following challenge description has been given:
[Image: challenge description]
Below is the landing page:
[Image: landing page]
We can also access the Swagger UI for the available APIs.
Since the API accepts “eval_command”, we assumed that its value is inserted into an actual Python eval() call, and that img1 is an actual variable in that expression. We can therefore replace img1 with a payload that uses the __import__('os')... syntax. As can be seen below, we tried executing it in place of img1.
[Image: request with the payload in place of img1]
We received a shell and it’s already root! We also got the flag afterwards.
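The root cause above is user input reaching eval(). As an added example (not code from the challenge or from this write-up), here is one way a handler could evaluate eval_command without eval(): parse it and walk only an allowlist of AST nodes. The names safe_eval, is_accepted, RejectedExpression and MAX_LEN, the operator set, and the integers standing in for image operands are all assumptions.

```python
import ast
import operator

# Allowlisted operators (assumed set for this example).
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
MAX_LEN = 256  # assumed cap; bounds parser work on hostile input


class RejectedExpression(ValueError):
    """Raised when eval_command contains anything outside the allowlist."""


def safe_eval(eval_command, operands):
    """Evaluate eval_command by walking its AST; eval() is never called."""
    if len(eval_command) > MAX_LEN:
        raise RejectedExpression("expression too long")
    try:
        tree = ast.parse(eval_command, mode="eval")
    except (SyntaxError, ValueError):
        raise RejectedExpression("not a single expression") from None
    return _walk(tree.body, operands)


def _walk(node, operands):
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.Name) and node.id in operands:
        return operands[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _walk(node.left, operands), _walk(node.right, operands)
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_walk(node.operand, operands))
    # Calls, attribute access, subscripts, unknown names, strings, lambdas, ...
    raise RejectedExpression(f"{type(node).__name__} is not allowed")


def is_accepted(eval_command, operands):
    """True if the expression passes the allowlist, False if it is rejected."""
    try:
        safe_eval(eval_command, operands)
        return True
    except RejectedExpression:
        return False


if __name__ == "__main__":
    operands = {"img1": 10, "img2": 3}  # constructed stand-ins for image operands
    for cmd in ("img1 + img2", "__import__('os')", "img1.__class__"):
        print(f"{cmd!r:20} accepted={is_accepted(cmd, operands)}")
```

Because the walker interprets the tree itself, a Call node such as __import__('os') is rejected before anything executes, rather than being filtered by string matching.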