It's a nice, slightly tricky CTF challenge.

http://66.228.53.87:9001/query?data=

After testing that URL with a " character we get an error, and googling the error showed that the site is running InfluxDB.

So we searched Google for InfluxDB vulnerabilities and found this blog post: https://rafa.hashnode.dev/influxdb-nosql-injection

After reading that blog, we crafted a NoSQL injection payload and extracted the bucket name, and the bucket name is flag.

http://66.228.53.87:9001/query?data=")+|>+yield(name%3a+"1337")+buckets()+|>+filter(fn%3a+(r)+%3d>+r.name+%3d~+/^K.*/+and+die(msg%3ar.name))+//
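Why the leading ") in that payload works, and how the server side can refuse it, shown as an added example that is not part of the original writeup or the challenge's code. The query template, the allowlist and all function names are assumptions, since the page does not show the server's Flux query.

```python
import re
from urllib.parse import unquote_plus

# Assumed server-side template; the page does not show the real query.
TEMPLATE = 'from(bucket: "{data}") |> range(start: -1h)'
# Assumed allowlist for bucket names.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")
# The payload from the writeup, URL-decoded.
PAYLOAD = unquote_plus(r'")+|>+yield(name%3a+"1337")+buckets()+|>+filter('
                       r'fn%3a+(r)+%3d>+r.name+%3d~+/^K.*/+and+die(msg%3ar.name))+//')

def build_query_unsafe(data):
    """Vulnerable pattern: raw input pasted inside a Flux string literal."""
    return TEMPLATE.format(data=data)

def build_query_safe(data):
    """Hardened pattern: refuse anything that is not a plain bucket name."""
    if not SAFE_NAME.fullmatch(data):
        raise ValueError("bucket name outside the allowlist")
    return TEMPLATE.format(data=data)

def code_outside_strings(query):
    """Blank string-literal contents and drop a trailing // comment.
    Simplified: single-line queries, Flux regex literals are not parsed."""
    out, i, in_str = [], 0, False
    while i < len(query):
        ch = query[i]
        if in_str and ch == "\\":      # skip escaped character
            i += 2
            continue
        if ch == '"':                  # literal opens or closes
            in_str = not in_str
            out.append(ch)
        elif not in_str:
            if query.startswith("//", i):
                break                  # the rest is a comment
            out.append(ch)
        i += 1
    return "".join(out)

def changes_structure(data):
    """True when the input alters the query's code skeleton."""
    baseline = code_outside_strings(build_query_unsafe("x"))
    return code_outside_strings(build_query_unsafe(data)) != baseline

if __name__ == "__main__":
    print(code_outside_strings(build_query_unsafe(PAYLOAD)))
    print(changes_structure(PAYLOAD), changes_structure("telemetry"))
```

Comparing the code skeleton with and without user input also works as a logging-time check for queries that are still built by concatenation.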

Original writeup (https://youtu.be/BdsPxBGhOgw).