4chan attack explained:
The attacker created a "foo.pdf" file that actually was a PostScript file.
This file contained an exploit that exists in old Ghostscript versions.
4chan is using Ghostscript from 2011.
The malformed PDF file was uploaded to /tg/.
Since it was a .pdf file, the upload was accepted and the backend ran an operation to sanitize the file.
This operation involved shelling out to Ghostscript using the command line and giving the filename of the malformed PDF file as an argument.
Since Ghostscript can work with both PDF and PostScript files, and the malformed PDF file had a PostScript MIME header, the command executed successfully and the payload was delivered.
I'm not sure how the final access was obtained but my guess is an ssh key was injected into root's homedir or something. It's BSD 10.1 which has been out of service since 2017 so there are basically infinite ways to escalate privilege from here.
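
The gap described above is that the upload was accepted on its `.pdf` extension while Ghostscript decided what to run from the file's content. The following is an added example, not part of the original post and not 4chan's code: a server-side check that rejects a `.pdf` upload whose leading bytes are not a PDF header, plus a Ghostscript argument list that avoids the shell. The function names, the sample bytes and the `pdfwrite` sanitising command are assumptions made for illustration.

```python
import os

PDF_MAGIC = b"%PDF-"
# PostScript text header and the DOS EPS binary header
PS_MAGICS = (b"%!", b"\xc5\xd0\xd3\xc6")

def sniff_type(data: bytes) -> str:
    """Classify by leading bytes, as a content-sniffing interpreter would."""
    if data.startswith(PDF_MAGIC):          # strict: magic must be at offset 0
        return "pdf"
    if data[:1024].lstrip(b" \t\r\n").startswith(PS_MAGICS):
        return "postscript"
    return "unknown"

def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept only when the claimed extension and the sniffed content agree."""
    ext = os.path.splitext(filename)[1].lower()
    if ext != ".pdf":
        return False, "extension not allowed"
    kind = sniff_type(data)
    if kind != "pdf":
        return False, f"extension .pdf but content is {kind}"
    return True, "ok"

def ghostscript_argv(src: str, dst: str) -> list[str]:
    """argv list for subprocess.run (no shell); -dSAFER limits file access,
    -f makes gs treat src as a file name even if it starts with '-' or '@'."""
    return ["gs", "-dSAFER", "-dBATCH", "-dNOPAUSE",
            "-sDEVICE=pdfwrite", f"-sOutputFile={dst}", "-f", src]

# Constructed sample inputs: harmless headers only, no payload.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\n"
SAMPLE_PS = b"%!PS-Adobe-3.0\n(hello) print\n"

if __name__ == "__main__":
    for name, data in [("doc.pdf", SAMPLE_PDF), ("foo.pdf", SAMPLE_PS)]:
        ok, reason = check_upload(name, data)
        print(name, "ACCEPT" if ok else "REJECT", reason)
        if ok:
            print(" ", ghostscript_argv(name, "out.pdf"))
```

A content check of this kind only closes the extension/content mismatch; it does not make an unpatched Ghostscript safe to run on untrusted input.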