Variable overwrite

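<?php if ($_SERVER["REQUEST_METHOD"] == "POST") { ?>
    <?php
    // Imports every POST field as a variable; existing variables with the same name are overwritten.
    extract($_POST);
    if ($pass == $thepassword_123) { ?>
        <div class="alert alert-success">
            <code><?php echo $theflag; ?></code>
        </div>
    <?php } ?>
<?php } ?>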

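The extract() function imports variables from an array into the current symbol table.

So variables that already exist in the script can be overwritten: extract($_POST) runs before the comparison, which means POST fields named pass and thepassword_123 replace the script's own values and both sides of the check are controlled by the request.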

nctf{bian_liang_fu_gai!}
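
The pattern above next to a hardened check, as an added example that is not part of the original post. The function names, the SECRET value standing in for $thepassword_123, and the sample POST arrays are constructed for illustration.

```php
<?php
// Added example: function names, the secret and the sample arrays are constructed.
const SECRET = 'constructed-secret';   // stands in for $thepassword_123

// Pattern from the page: extract() runs on request data after the secret is
// in scope, and its default flag EXTR_OVERWRITE replaces existing variables.
function check_vulnerable(array $post): bool
{
    $thepassword_123 = SECRET;
    extract($post);
    return isset($pass) && $pass == $thepassword_123;
}

// Hardened: read only the expected key and never import request keys.
function check_hardened(array $post): bool
{
    $pass = $post['pass'] ?? null;
    // Reject non-strings (e.g. pass[]=...) and compare in constant time.
    return is_string($pass) && hash_equals(SECRET, $pass);
}

// Fallback when extract() cannot be removed yet: EXTR_SKIP leaves variables
// that already exist untouched, so the secret keeps its value.
function check_extr_skip(array $post): bool
{
    $thepassword_123 = SECRET;
    extract($post, EXTR_SKIP);
    return isset($pass) && is_string($pass) && hash_equals($thepassword_123, $pass);
}

// Constructed inputs: one legitimate, one wrong, one with a secret-named key.
$samples = [
    'correct password'       => ['pass' => SECRET],
    'wrong password'         => ['pass' => 'guess'],
    'extra secret-named key' => ['pass' => 'guess', 'thepassword_123' => 'guess'],
];

foreach ($samples as $label => $post) {
    printf("%-24s vulnerable=%s hardened=%s extr_skip=%s\n", $label,
        var_export(check_vulnerable($post), true),
        var_export(check_hardened($post), true),
        var_export(check_extr_skip($post), true));
}
```

Only check_vulnerable accepts the third input. EXTR_SKIP still imports every other request key as a variable, so reading the expected keys explicitly remains the cleaner fix.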

Original article: https://www.cnblogs.com/maodun/p/6916484.html