Same page as TangledWeb
After solving Tangled Web, we get a hint:
Going to `http://fun.ritsec.club:8007/devsrule.php` and get the following message:
Not what you input eh?
This param is 'magic' man.
The 2 keyswords here are **input** and **magic**.
Fiddling with the `?magic=` parameter, I tried different LFI. The one that worked was `php://input`.
If you do a POST request to `http://fun.ritsec.club:8007/devsrule.php?magic=php://input` with PHP code as the POST payload, we have PHP Code Execution.
There is an interesting file called `JokersSomeSortaHack`. Inside, there is an RSA key. This hinted me to a user we can connect to with that RSA key. I got the `/etc/passwd` file.
The `joker` user looks interesting. After looking inside its directory, we find a `flag.txt` file which we can read: