The task provides us with a website where we can browse through some different outputs:

After testing that parameter a bit, it turned out there was an LFI there:

As the challenge hints (and as you can also see from the HTTP response headers), the server was running nginx, so we went ahead and read its configuration file:

Now we can see that the “/etc/nginx/sites-enabled/” path holds the sites that nginx has enabled.

Opening the default one:

we can see an interesting thing:

location = /secret/flag { root /home; internal; }

The path to reach the flag is /secret/flag, but since that location is marked “internal”, nginx only serves it on an internal redirect and we can’t request it directly. We can get around that through CRLF injection in the “retpath” parameter: because the parameter is copied into a response header, a CRLF lets us add a header of our own, and nginx treats an X-Accel-Redirect header coming from the backend as exactly such an internal redirect,

injecting an X-Accel-Redirect header to bypass this:

Flag: CTF{6e75d02b8e8329bb4b45c7dabd2e1da2}
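As an added defender's note that is not part of the original writeup: the root cause is a user-controlled value reaching a response header with CR/LF intact, so the front-end proxy sees a second header line. The Python below is a constructed illustration of a backend issuing the redirect (not the challenge's code); it contrasts the weak pattern with one that validates the target before emitting the header, and includes a small check that would flag such a value in testing.

```python
import re
from typing import List, Optional


def build_response_unsafe(retpath: str) -> bytes:
    """Weak pattern: the query parameter is copied verbatim into the Location header.
    Any CR/LF inside it terminates that header and starts a new one."""
    return f"HTTP/1.1 302 Found\r\nLocation: {retpath}\r\n\r\n".encode("latin-1")


def parse_header_names(raw: bytes) -> List[str]:
    """Lower-cased header names of a raw response head, i.e. what a front-end proxy
    such as nginx would parse out of the upstream response. Bare LF is accepted
    as a line break too, since many HTTP parsers tolerate it."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = re.split(rb"\r?\n", head)[1:]  # drop the status line
    return [ln.split(b":", 1)[0].decode("latin-1").strip().lower() for ln in lines if ln]


def safe_redirect_target(retpath: str) -> Optional[str]:
    """Accept only a clean, same-site absolute-path target; None means reject.
    Control characters are checked on the raw string before any URL parsing,
    because urllib.parse.urlsplit silently strips CR/LF/TAB and would hide them."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in retpath):
        return None
    if "\\" in retpath:  # browsers treat "/\host" like "//host"
        return None
    if not retpath.startswith("/") or retpath.startswith("//"):
        return None  # absolute or scheme-relative URLs would be open redirects
    return retpath


def build_response_safe(retpath: str, fallback: str = "/") -> bytes:
    """Hardened pattern: validate, fall back to a fixed path, then emit one header."""
    target = safe_redirect_target(retpath) or fallback
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode("latin-1")


def has_header_injection(retpath: str) -> bool:
    """Test helper: would this value have produced more than the Location header?"""
    return len(parse_header_names(build_response_unsafe(retpath))) > 1


if __name__ == "__main__":
    # Constructed sample carrying the CRLF + header pattern the writeup describes.
    SAMPLE = "/\r\nX-Accel-Redirect: /secret/flag"
    print(parse_header_names(build_response_unsafe(SAMPLE)))  # ['location', 'x-accel-redirect']
    print(parse_header_names(build_response_safe(SAMPLE)))    # ['location']
```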