We are given a PHP interpreter, along with the ability to run arbitrary PHP by sending a POST with a parameter `rce` which would be `eval`d. All interesting (aka useful) functions are disabled (eg: `shell_exec`, `popen`, etc.) using a properly blacklisted `disable_functions` in `disable.ini`. We _are_ given a `Dockerfile` to run a copy of the remote service, so that is nice!
There is a `flag` file, as well as a `readflag` file, which means we need to go from PHP-RCE to actual machine-code-RCE, and then run `/readflag`.
**Full Writeup:** [https://github.com/pwning/public-writeup/blob/master/rwctf2019/pwn_MoP](https://github.com/pwning/public-writeup/blob/master/rwctf2019/pwn_MoP)