(Note: I wasn’t able to solve this challenge during the CTF, but I solved it afterwards) The challenge description gives us a webserver address and a text, that we should use only the php inbuilt functions to get the /flag and show the webmaster that the php builtin functions are insecure as well. Upon loading the website address, we are immediately greeted with an image as well as - presumably - the code for the index.