Step 3: Lab Exercise
Follow the steps below:
- Download this VirtualBox appliance.
- Import the appliance into VirtualBox. Use the "attacker/attacker" credentials to log in. Check which IP addresses it has been assigned.
- From an Internet browser on the host, access "/injection.php" on the Web site of the installed machine. That is the starting point for capturing the first flag. Here are some hints:
  - Take a look at the contents of the "injection.php" file.
  - The flag lies in a "ctf1.txt" file, whose contents can only be displayed from the Web page.
  - When you display the first flag, you will find details about the second flag.