> Flag in flag.php.

We can upload PHP code, which is written to a randomly named file and executed. We can't use a bunch of special characters, and our code can only contain one `.`, so reading the flag from `../flag.php` directly is not going to work.

After running `phpinfo()` and seeing there are lots of functions disabled, I used `get_defined_functions($exclude_disabled=true)` to see what is left, and noticed that while `preg_replace` was disabled, `preg_filter` was left enabled. I used this to build the path to `flag.php` and simply `include` it:

```php
include preg_filter("<files>", "flag.php", __DIR__);
echo $flag;
```

This might've been an unintended solution, because the flag mentioned Lua.
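The gap described above (`preg_replace` disabled, `preg_filter` left enabled) is the usual failure mode of a `disable_functions` denylist. The following is an added example, not part of the original writeup: a small audit that flags capability groups where only some functions are disabled. The group map and the sample `php.ini` line are assumptions constructed for illustration, not the challenge's configuration.

```python
import re

# Assumption: illustrative groups of PHP functions with overlapping capability.
# Not exhaustive; extend for the PHP version and extensions actually deployed.
SIBLING_GROUPS = {
    "regex replace": {"preg_replace", "preg_filter", "preg_replace_callback",
                      "preg_replace_callback_array"},
    "file read": {"file_get_contents", "readfile", "file", "fopen",
                  "show_source", "highlight_file"},
    "command execution": {"system", "exec", "passthru", "shell_exec",
                          "popen", "proc_open"},
}

# Constructed sample input, not the challenge's real php.ini.
SAMPLE_INI = """\
; constructed sample
disable_functions = preg_replace, system, exec, passthru, shell_exec, popen, proc_open, file_get_contents, readfile
"""


def parse_disabled(ini_text):
    """Return the names from the last disable_functions directive found."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop php.ini comments
        match = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if match:
            value = match.group(1).strip().strip('"')
            disabled = {n.strip().lower() for n in value.split(",") if n.strip()}
    return disabled


def denylist_gaps(ini_text):
    """Map each partially disabled group to the functions still enabled."""
    disabled = parse_disabled(ini_text)
    gaps = {}
    for label, group in SIBLING_GROUPS.items():
        # A gap exists when the denylist names part of a group but not all of it.
        if group & disabled and group - disabled:
            gaps[label] = sorted(group - disabled)
    return gaps


if __name__ == "__main__":
    for label, names in denylist_gaps(SAMPLE_INI).items():
        print(f"{label}: still enabled -> {', '.join(names)}")
```

A group with no gap here only means every function in the assumed map is listed; it does not show the denylist is complete.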