Flag in flag.php.
We can upload PHP code, which is written to a randomly named file and executed. We can't use a bunch of special characters, and our code can only contain one ".", so reading the flag from ../flag.php directly is not going to work.
After running phpinfo() and seeing there are lots of functions disabled, I used get_defined_functions($exclude_disabled=true) to see what is left, and noticed that while preg_replace was disabled, preg_filter was left enabled. I used this to build the path to flag.php and simply include it:
include preg_filter("<files>", "flag.php", __DIR__);
echo $flag;
This might've been an unintended solution, because the flag mentioned Lua.
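
The gap this solution relied on, preg_replace disabled while preg_filter stayed callable, is something an operator can check for in a disable_functions value. The PHP below is an added example, not part of the original writeup or the challenge; the function name find_blocklist_gaps, the sibling groups and the sample value are constructed for illustration.

```php
<?php
// Added example: report functions left callable although a close sibling
// is disabled. The groups are constructed for illustration, not exhaustive.
const SIBLING_GROUPS = [
    'regex replace' => ['preg_replace', 'preg_filter', 'preg_replace_callback',
                        'preg_replace_callback_array'],
    'file read'     => ['file_get_contents', 'readfile', 'file', 'fopen',
                        'show_source', 'highlight_file'],
    'command exec'  => ['exec', 'system', 'passthru', 'shell_exec',
                        'proc_open', 'popen'],
];

/**
 * Return, per group, the functions that are still callable while at least
 * one sibling in the same group appears in disable_functions.
 */
function find_blocklist_gaps(string $disableFunctions): array
{
    // php.ini uses a comma-separated list; function names are case-insensitive.
    $disabled = array_filter(array_map(
        fn($name) => strtolower(trim($name)),
        explode(',', $disableFunctions)
    ));
    $gaps = [];
    foreach (SIBLING_GROUPS as $label => $group) {
        $blocked = array_intersect($group, $disabled);
        $open    = array_values(array_diff($group, $disabled));
        // Only a partially blocked group points to an incomplete blocklist.
        if ($blocked && $open) {
            $gaps[$label] = $open;
        }
    }
    return $gaps;
}

// Constructed sample value; on a real host pass ini_get('disable_functions').
$sample = 'preg_replace, exec,system,passthru,shell_exec,proc_open,popen,'
        . 'file_get_contents,readfile,file,fopen,show_source,highlight_file';

foreach (find_blocklist_gaps($sample) as $label => $open) {
    echo $label, ': still callable -> ', implode(', ', $open), PHP_EOL;
}
// include and require are language constructs, so disable_functions never
// covers them; limiting which paths can be read is the job of open_basedir.
```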