tl;dr

• Use DNS Rebinding attack to read flag from /flag endpoint.

Original writeup (https://blog.bi0s.in/2021/12/05/Web/Vulpixelize-HITCONCTF2021/).