Does the DMG’s “Disarm” bypass AC?

In the DMG at pg. 271, the disarm described appears to bypass the defender's AC: it is a contest of attack roll vs. skill. There is no mention of AC being a factor.

So could a L1 human fighter tavern brawler with a shield and no other weapon attack a defender (using the shield as an improvised weapon), declare they are attempting a disarm before damage is rolled, if successful disarm the defender, then grapple as a bonus action and finally move the defender from their just-dropped weapon by 15ft?

Does an artificer’s Spell-Storing Item bypass the need for costly/consumed material components?

Suppose I am an 11th-level Artificer with a +5 intelligence modifier, and I use my Spell-storing Item feature to store Continual Flame, whose material component is "ruby dust worth 50 gp, which the spell consumes". However, it’s not clear whether producing the spell from the item requires this or any components at all:

While holding the object [in which the spell is stored], a creature can take an action to produce the spell’s effect from it, using your spellcasting ability modifier.

The usage of the item appears consistent with the usual rules for casting spells from items: activating the item to cast the spell is an action, but that action is distinct from the "Cast a Spell" action and doesn’t require components. However, if this is the case, it seems that I can use Spell-Storing Item to produce 10 Continual Flame torches (or Arcane Locks) per day without spending any money at all. Does this work as described, or is there some reason that the spell-storing item would require the costly component in order to cast the spell?

Break out or bypass php functions

I’m currently doing an online CTF and I have LFI and can read the source code of the upload function. In there I see the following line:

shell_exec('rm -rf ' . 'uploads/' . '*.p*');

So anytime I upload a .php file, it gets deleted. I tried extensions such as .Php or .PHP but if the extension is not .php, the php code is not executed. It also removes any *.h* file and any .htaccess files.

Is there a way to break out of the code so the removal of *.p* files never happens, or can I execute .php files without the file extension being .php?

Update 1: I’m also forced to upload the files as a ZIP file; the web application automatically unzips the file.

Is running software in Docker an allowable way to bypass FIPS 140-2 issues?

Someone has a service that uses a FIPS non-compatible hash in a protocol signature. When FIPS 140-2 compatibility is enabled on the hosts the service crashes (due to the hash signature being not allowed by the security configuration of the host). A way to get around this is to put the service in a Docker container on the FIPS compatible host. It works, but is it ok from a FIPS compatibility point of view? If not, why?

Bypass ASLR in buffer overflow

I am new to buffer overflows and I have some questions:

0- Are all DLL files in Windows loaded into memory, or only some of them? If only some of them, who tells Windows to load this one and leave that one?

1- How does an .exe program know the memory location of a DLL’s functions after it (the program) has become an exe file (0,1), while ASLR is enabled and the location changes every time Windows reboots?

2- Why don’t we use its method to find the location of a (call/jmp esp) in a buffer overflow when ASLR is enabled?

3- I want resources to study the basics of how an OS works and the reverse engineering that I need as a pentester, not a malware analyst or reverse engineer.

Can movement spells that don’t specify they are teleportation bypass Forcecage?

Forcecage states:

A creature inside the cage can’t leave it by nonmagical means. If the creature tries to use teleportation or interplanar travel to leave the cage, it must first make a Charisma saving throw.

Despite external opinions about how the spell should work, is it correct to read the RAW interpretation that magical effects such as Tree Stride or Transport via Plants are capable of bypassing the saving throw as they don’t specify they are teleportation?