It says that the wrapper wraps the same php file as above.
flag09 is the wrapper file with SUID is set to lend permission for flag09.php.
flag09.php is an echo program with two parameters. The first parameter is the file path, which opens the file and prints its contents.
PHP's preg_replace() function is vulnerable about command injection. Here, this function finds a string of the form [email xxxxx] in $contents and changes the xxxxx to the return value of spam() function. The "/e" flag is used. This has a feature that recognizes the second argument as php code and executes it.
\n means backreference in regular expression. Here, \2 means to select the second group among the groups filtered by the regular expression. That is xxxxx.
※ Learn more regular expression(Link)
Since the return value of spam() is used, [email system(getflag)] is simply treated as a string as above image. Therefore, it should be packaged so that it can be recognized by code.
The identified packaging methods are as follows.
[email ${@system(getflag)}]
[email {${system(getflag)}}]
[email {${exec(getflag)}}]
※ This is part of code injection attack. Do you know about it all(Link)?
The flag obtained successfully.