So I am currently on the the last part of the SQL Injection Fundamentals module and I have been trying multiple ways to solve it.
As I understand it, my goal is to write a web shell into the base web directory so I can get RCE to find the flag in the root directory. However, I get permission denied whenever I try to write my php shell to the default web directory location: var/www/html. This makes me think that there must be other web directory locations which I should try. Also, I am able to write my php shell to other locations such as /var/lib/mysql or /tmp, but I don't know how to make the server read the shell using that approach.
Some hints would be very much appreciated!
Update: I just got help solving it by user Nucrea. The solution to the problem exists in the url after first SQL Injection into the page.