Rating:
> Flag in flag.php.
We can upload PHP code, which is written to a randomly named file and executed. We can't use a bunch of special characters, and our code can only contain one `.`, so reading the flag from `../flag.php` directly is not going to work.
After running `phpinfo()` and seeing there are lots of functions disabled, I used `get_defined_functions($exclude_disabled=true)` to see what is left, and noticed that while `preg_replace` was disabled, `preg_filter` was left enabled. I used this build the path to `flag.php` and simply `include` it:
include preg_filter("<files>", "flag.php", __DIR__);
echo $flag;
This might've been an unintended solution, because the flag mentioned Lua.