💓 LoveTok

https://app.hackthebox.com/challenges/lovetok

Clicking "Nah, that doesn't..." redirects us to http://IP:PORT/?format=r, which hints at command injection. Trying a basic command first, format=id or format=ls, just prints the date in different formats. So we need to escape the routine, which can be done with the following payload:

${system($_GET[cmd])}&cmd=ls /

Now we can see where the flag is stored and get it using cat.
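
The weak pattern behind this behaviour next to a hardened form, as an added example that is not the challenge's source code. It assumes the handler builds a date() call as PHP source and eval()s it, which the page does not show; render_time_unsafe and render_time_safe are hypothetical names.

```php
<?php
declare(strict_types=1);

// Hypothetical handler, NOT the challenge's source (assumption: the page
// only shows the symptom). Weak pattern: user input is spliced into PHP
// source and eval()'d. addslashes() escapes quotes and backslashes but
// not "$", so "${...}" inside the double-quoted literal is still parsed
// as an expression by eval().
function render_time_unsafe(string $format): string
{
    $format = addslashes($format);
    $out = '';
    eval('$out = date("' . $format . '");');
    return $out;
}

// Hardened form: no eval(). The format reaches date() as plain data, so
// nothing in it is ever parsed as PHP. The allowlist (date() format
// letters plus a few separators) is defence in depth and keeps arbitrary
// characters from being reflected back into the page.
function render_time_safe(string $format): string
{
    $allowed = '/\A[dDjlNSwzWFmMntLoYyaABgGhHisuveIOPpTZcrU :,.\/-]{1,32}\z/';
    if (preg_match($allowed, $format) !== 1) {
        return date('r'); // fall back to the format used by the page's link
    }
    return date($format);
}

// Constructed sample inputs; the last is the payload string from the
// write-up, held in a single-quoted literal so PHP does not interpolate
// it here. Only the hardened function is called.
$samples = ['r', 'Y-m-d H:i', '${system($_GET[cmd])}'];
foreach ($samples as $input) {
    printf("%-24s => %s\n", $input, render_time_safe($input));
}
```

Removing eval() is the actual fix; the allowlist only narrows what is accepted and echoed.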