Use the filter + base64 LFI method to leak source code. Then, we see that we can still force the application to deserialize the legacy version of the cookie, which is still vulnerable. With a sqli on the cookie, you can figure out the flag character by character.

Original writeup (https://www.willsroot.io/2019/10/some-picoctf-2019-crypto-and-web-writeups.html).