Task 4. Payload
- The main page has a button; clicking it displays information about the system.
- Fuzzing the btn parameter did not give us anything. That's sad, but it is no reason to give up!
- Find the robots.txt file. There we see the source code of index.php.
- In the source code we see that the script takes the value from the GET parameter and executes it with system().
- Let's take advantage of the vulnerability we found and print the source code of the index.php script with cat index.php.
Flag: VishwaCTF{y0u_f-o-u-n-d_M3}.
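
The flaw described in the source-code step, shown next to a hardened form. This is an added example, not the challenge's actual index.php; the parameter name `action` and the allowlisted commands are assumptions.

```php
<?php
// Added illustration; not the challenge's index.php.
// The parameter name "action" and the allowlisted commands are assumptions.

// Vulnerable shape the writeup describes: the request value reaches system() unchanged.
function handle_vulnerable(array $query): void
{
    if (isset($query['action'])) {
        system($query['action']); // the caller decides which command line runs
    }
}

// Hardened shape: the request only selects a key; the command line is fixed server-side.
const ALLOWED_ACTIONS = [
    'kernel' => ['uname', '-a'],
    'uptime' => ['uptime'],
];

function handle_hardened(array $query): string
{
    $key = $query['action'] ?? '';
    // Reject non-strings (e.g. action[]=x) and anything that is not an exact key.
    if (!is_string($key) || !array_key_exists($key, ALLOWED_ACTIONS)) {
        return 'rejected: unknown action';
    }
    // Array form of proc_open (PHP 7.4+) starts the program directly, with no shell.
    $proc = proc_open(ALLOWED_ACTIONS[$key], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return 'error: could not run action';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    // Encode before echoing into the page so command output cannot inject markup.
    return htmlspecialchars($out, ENT_QUOTES, 'UTF-8');
}

// Constructed sample requests, including one carrying shell metacharacters.
if (PHP_SAPI === 'cli') {
    foreach (['kernel', 'kernel; cat index.php', ['x']] as $value) {
        echo json_encode($value), ' => ', trim(handle_hardened(['action' => $value])), PHP_EOL;
    }
}
```

Only the first sample request runs a command; the other two are rejected because they are not exact keys of the allowlist.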