tl;dr:

1. Upload .htaccess to enable php execution in html
2. Upload shell
3. Use proc-open to run shell command and recover the flag

Full writeup here: https://github.com/p4-team/ctf/tree/master/2017-12-09-seccon-quals/web_automatic

Original writeup (https://github.com/p4-team/ctf/tree/master/2017-12-09-seccon-quals/web_automatic).