This was a php challenge where the website would just eval the code you provided in the get request.
At first I thought about using something like system or exec, but those functions and others like shell_exec were disabled.
We can verify that by executing phpinfo(); and checking the functions listed in disabled_function class.
So running any clever system code or something like a shell was out of question.
Also look out for open_basedir in the php configuration you get from phpinfo();. Luckily for us it was set to / so we could explore the file system easily.
Using __DIR__, scandir, we can quickly check which subdirectory the website is running. There was only index.php in /var/www/html.
In the / directory, we will find flag.so and flag.h (along with .dockerenv folder, start.sh) , catting out flag.so (you can use highlight_file) will give the flag as it was hardcoded in the binary.
FLAG : flag{FFi_1s_qu1T3_DANg1ouS}
import requests
url = "http://pwnable.org:19260"
# payload = """echo $s = base64_encode(readfile("../../../flag.so"));"""
# payload = """$f = scandir("/var/www/html");var_dump($f);"""
# payload = """$f = highlight_file('/start.sh');var_dump($f);"""
r = requests.Session()
print(payload)
print()
s = r.get(url+"?rh="+payload)
final = s.text
print(final)
r.close()