After looking at the code from previous chal - Date 1, I recognized that there is another \$flag variable has not been leaked.
At this time, we can not leak it by some trick from "date" command anymore. There is only way to get it is make this condition to be true
$date = "Sunday April 1st 2018. 2018-04-01";
$res === $date && (strpos($fmt, 'easter') != false || preg_match('/[0-9]/', $fmt) == 0)
That mean the result parse from format pattern must be "Sunday April 1st 2018. 2018-04-01" and (the string "easter" in fmt or no number in \$fmt).
Date time format can be like this:
"%A %B %-dst %Y. %Y-%m-%d"
But we need change the date to 01/04/2018 with string "easter" in fmt variable or no number in fmt variable.
After 30 mins search for something with "easter" in argument "--date", i just found something from another command: "ncal", but we can not inject here.
Later, I give up with searching anything and focus on "date --help" command, at the end of it, I recognized that we can use --date="next Fri" to get the date of next Friday from now.
Hmm, and I try again with "yesterday yesterday" and got "two day from now"; "last month last month" I get "two month from now".
Now everything is solved!
Today is 09/10/2017 from my timezone (UTC+7), so 8 days ago is day 01, and 6 months ago is month 04, and next year is 2018
At last, the url become like this:
[http://188.8.131.52:5675/index.php?fmt="%A %B %-dst %Y. %Y-%m-%d" --date="yesterday yesterday yesterday yesterday yesterday yesterday yesterday yesterday last month last month last month last month last month last month next year"](http://)
Please note that i wrote this at my timezone, it will be different from any of you which have other timezone!
Just change something and magic will happen!
Here come the flag: