I've just participated in a boot2root capture the flag event where I got close to solving an item but couldn't quite get it over the line and want to learn what I could have done differently.
In the event I managed to identify a vulnerable application that would allow me to perform local file inclusion to download any file from the server, but not render it on the page. Typically in this scenario if I can render content to the page I would nc to the web server and write contents to the apache log that I would like PHP to interpret. Since that wasn't the case in this instance (as I could only download files), how could you approach receiving a shell?