We are given a PHP interpreter, along with the ability to run arbitrary PHP by sending a POST request with a parameter `rce`, which would be `eval`'d. All interesting (aka useful) functions are disabled (e.g. `shell_exec`, `popen`, etc.) using a properly blacklisted `disable_functions` in `disable.ini`. We _are_ given a Dockerfile to run a copy of the remote service, so that is nice!

There is a flag file, as well as a `readflag` file, which means we need to go from PHP-RCE to actual machine-code RCE, and then run `/readflag`.

Original writeup (https://github.com/pwning/public-writeup/blob/master/rwctf2019/pwn_MoP).