The website shows us an image saying the image can not be found or hot linking is forbidden.
By watching HTTP headers during the page loading, we can see an unusual header : ‘Debug: –‘.
With some tests we understood it was containing ‘–<header http referer>’, but why this dash at the beginning?
Logically, we put as referer http://challenge.cybercamp.es:8084/gallery/, because it seems to be the base URL of the gallery: when we try to load this folder, we got a “gallery not available” message.
Obviously, it would have been too easy, putting this referer doesn’t give the flag.
After trying to put a lot of strings in this unusual header (actually almost other headers), an idea came to us: and if we had to pass something in the URL?
The base URL is ‘gallery/image.php?image=8123914′, but 8123914 doesn’t seem to be an image name. Maybe this GET parameter isn’t the name of the file, but only an ID?
Changing the URL by gallery/image.php?id=8123914 with http://challenge.cybercamp.es:8084/gallery/ in the Debug referer gave us the flag.