tl;dr:
1. Notice path traversal by `....//`
2. Notice that file extension filter is applied for the whole `query` and not the GET parameter
3. Extract source code

Full writeup: https://github.com/p4-team/ctf/tree/master/2019-11-16-asis-finals/protected_area1

Original writeup (https://github.com/p4-team/ctf/tree/master/2019-11-16-asis-finals/protected_area1).