$ curl -s "http://oldboy.afilmywap.com/watch.php?movie=php://filter/convert.base64-encode/resource=inc/config.php"
If we try an invalid name we get a generic error page, but we notice that the script the value of $movie – it directly concatenates it inside an include . oldboy afilmywap
The challenge is hosted on the public site afilmywap.com . It looks like a small movie‑streaming portal with a “Watch Now” button for each film. The goal is to obtain the flag that is hidden somewhere on the server (usually in /root/flag.txt or a similar location). $ curl -s "http://oldboy
The response contains a long Base64 string. Decoding it: oldboy afilmywap
For a high-quality and secure viewing experience, it is recommended to use official streaming services: