@tyage
Last active April 25, 2016 02:25
PlaidCTF 2016 web 450 plaiddrive writeup

Plaid Drive has a file uploader and file viewer.

You can share a file after uploading it.

When you share a file, a new URL is generated, as below: https://www.plaiddrive.com/view_shared_file/NjUxOjI0ZWZkOWYwNWU4MGI0NDkyNGVlNjY4MWI5ZjUxNTY0NDNhNDlkNDEzOGFjMjdiYWIyZDY0NmMyM2U1NmZlMzE%3D/foo

This share page contains an iframe, and its src attribute looks like this: https://uc.plaiddrive.com/f/e2868864b14a1297ad97b22e29f3fe487eab7016b5f91c159ea57e61262a24c1/651/foo

I thought e2868864b14a1297ad97b22e29f3fe487eab7016b5f91c159ea57e61262a24c1 is a hash to view the file, and we need to get the hash to view the admin's flag.txt. Also, 651 is the user id of the owner of the file and foo is a filename.

I investigated the hash and found that it does not change if the viewer (not the owner of the file) and the filename are the same.

So a user can see any owner's shared file foo by using the same hash.

https://uc.plaiddrive.com/f/e2868864b14a1297ad97b22e29f3fe487eab7016b5f91c159ea57e61262a24c1/1/foo
https://uc.plaiddrive.com/f/e2868864b14a1297ad97b22e29f3fe487eab7016b5f91c159ea57e61262a24c1/2/foo
https://uc.plaiddrive.com/f/e2868864b14a1297ad97b22e29f3fe487eab7016b5f91c159ea57e61262a24c1/3/foo
...

Then, how about flag.txt?

I created flag.txt myself and got the hash.

Then I tried to get the admin's flag.txt and found that the admin's id is 5.

e.g. https://uc.plaiddrive.com/f/1f5a2a5fb28b517bc01154ba36730fd3c13163e7613268fe5c20b4c49d6f27cd/5/flag.txt

PCTF{good_job_shotting_web_and_puttin_origins_in_origins}
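
The root cause above is a view token that does not cover the owner id taken from the URL path. The following is an added example, not the challenge's code or the author's: how the server really derives the hash is unknown, so the HMAC construction, the key and all function names are assumptions. It contrasts a token bound only to viewer and filename with one that also binds the owner id.

```python
import hashlib
import hmac

# Constructed demo key; a real service would load this from a secret store.
SECRET = b"constructed-demo-key"


def _mac(*fields: str) -> str:
    """HMAC-SHA256 over length-prefixed fields so field boundaries are unambiguous."""
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def weak_token(viewer_id: int, filename: str) -> str:
    # Assumed model of the flaw: the owner id is not part of the MAC input.
    return _mac(str(viewer_id), filename)


def weak_check(token: str, viewer_id: int, owner_id: int, filename: str) -> bool:
    # owner_id arrives in the URL path and is never authenticated.
    return hmac.compare_digest(token, weak_token(viewer_id, filename))


def bound_token(viewer_id: int, owner_id: int, filename: str) -> str:
    # Hardened: every path component the server later trusts is covered by the MAC.
    # Issue this only after checking that owner_id shared filename with viewer_id.
    return _mac(str(viewer_id), str(owner_id), filename)


def bound_check(token: str, viewer_id: int, owner_id: int, filename: str) -> bool:
    return hmac.compare_digest(token, bound_token(viewer_id, owner_id, filename))


def demo() -> dict:
    # Ids follow the writeup: 651 is the uploader viewing their own file, 5 is another owner.
    viewer, own_id, other_id, name = 651, 651, 5, "flag.txt"
    weak = weak_token(viewer, name)
    bound = bound_token(viewer, own_id, name)
    return {
        "weak_own": weak_check(weak, viewer, own_id, name),
        "weak_other": weak_check(weak, viewer, other_id, name),
        "bound_own": bound_check(bound, viewer, own_id, name),
        "bound_other": bound_check(bound, viewer, other_id, name),
    }


if __name__ == "__main__":
    print(demo())
```

With the weak scheme the same token validates for any owner id, which matches the behaviour described in the writeup; with the bound scheme changing the owner id in the path invalidates the token.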

@mt-sergio
sweet~!