As we can see it's a normal page with form but It has internal servers that can only be accessed from the local server
As we can see there is an image not loading and we can only see the alt text so let's try another server
Same thing happens in all servers still we cannot see anything except image alt text.
So let's try to exploit the form with php filter vulnerability exploit
let's use some codes on the "server" parameter like php://filter/convert.base64-encode/resource=internalapi4.local/../index.php
We still can only see unloaded image with alt text showing
But let's try intercepting the request using burpsuite and send the request to repeater
We still cannot see anything strange except that image name is encrypted as md5
I tried to decrypt it but I couldn't so let's try to intercept the request to it
And I Got This
As we can see we have got a big hash it looks like a base64 hash let's send it to the decoder and choose decode as base64
We got php and html code let's take this code to any text editor (I will use sublime) text and try to analyze it
After sometime of searching I realised the "$jpeg" variable it has a value of "Server!Host@Flag", and as we can see the challenge description says that the flag is the front server hostname