Tags: web 

Rating: 5.0

TL;DR:

1. Bypass the filter on `eval("return $_")` with the `~` (NOT) operator.
2. Abuse PHP's use of FindFirstFile on Windows to read `c<<`, which resolves to `config.php`.
3. Blind SSRF with time-based SQL injection, using sqlmap and a customized Gopherus.

Original writeup (https://movrment.blogspot.com/2019/10/balsn-ctf-2019-web-warmup.html).