Tags: web
Rating: 1.0
The challenge downloads contained the server’s Dockerfile and Flask server script.
The server accepted an image in a POST request and echoed a resized version of the same image.
The Dockerfile builds on the base image vulhub/ghostscript:9.23-python, an intentionally vulnerable container image with an older version of the Pillow library (CVE-2018-16509).
A quick Google search leads us to the vulhub GitHub repository, which contains information about the CVE and a convenient exploit payload, i.e. a JPG image with Ghostscript containing RCE. I modified the RCE to open up a reverse shell to my server and found the flag inside the SQLite database for the app server.
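From the defender's side, the payload works because the server trusts the .jpg name while the image library picks a decoder from the file's content. The following is an added example, not the challenge's server code: a standard-library upload gate that allowlists raster formats by magic bytes before anything reaches the image library. The function names, the allowlist and the sample byte strings are assumptions constructed for illustration.

```python
from pathlib import PurePosixPath

# Leading magic bytes of formats this gate recognises. EPS is listed only
# so that a rejection can name it; it is never allowed.
SIGNATURES = (
    ("JPEG", b"\xff\xd8\xff"),
    ("PNG", b"\x89PNG\r\n\x1a\n"),
    ("GIF", b"GIF87a"),
    ("GIF", b"GIF89a"),
    ("EPS", b"%!PS"),              # text PostScript / EPS header
    ("EPS", b"\xc5\xd0\xd3\xc6"),  # DOS binary EPS header
)
ALLOWED = {"JPEG", "PNG"}          # assumption: what a resize service needs
EXTENSIONS = {".jpg": "JPEG", ".jpeg": "JPEG", ".png": "PNG"}


def sniff_format(data: bytes) -> str:
    """Classify an upload by its leading bytes, ignoring the file name."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return "UNKNOWN"


def check_upload(filename: str, data: bytes):
    """Return (accepted, detail). Reject anything whose content is not an
    allowed raster format or does not match the claimed extension."""
    claimed = EXTENSIONS.get(PurePosixPath(filename).suffix.lower())
    if claimed is None:
        return False, "extension not allowed"
    actual = sniff_format(data)
    if actual not in ALLOWED:
        return False, f"content is {actual}, not an allowed raster format"
    if actual != claimed:
        return False, f"extension claims {claimed} but content is {actual}"
    # After this gate, also pin the decoder in the image library itself,
    # e.g. Pillow's Image.open(fp, formats=["JPEG", "PNG"]).
    return True, actual


# Constructed samples: a minimal JPEG header and a harmless EPS header.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8
SAMPLE_EPS = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 1 1\n"

if __name__ == "__main__":
    for name, blob in (("cat.jpg", SAMPLE_JPEG), ("cat.jpg", SAMPLE_EPS)):
        print(name, check_upload(name, blob))
```

The gate is a first filter only; the vulnerable Ghostscript and Pillow versions in the base image still need to be upgraded.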