Used a lot of time to figure out the meaning of 2 images, but also no clues.

So went to revisit the OSINT question of Tenable CTF last year and found it’s quite easy. It also provides a thinking to solve: use google to search “Tenable” with the description of the image(should be a name of vulnerabilities), and the flag should be hiden in one of those Tenable blogs.

After few attempts, found “homer spring” and “4 shells” should combine to spring4shell, then find this article from Google.

https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability

The flag is hiden in source code.