UMassCTF '21 Hermit 1 WriteUp

Solution

There is only one form that accepts a file.

The file is validated only by its extension, so we can try uploading a shell.php.jpg "image" with content like this:

Once the image is uploaded, we see a page like this:

Click See image and we get a blank page with some strange PHP errors. That's because our "image" expects a GET parameter called "0", so let's add one.

And we can see the list of directories in the project root.
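
The upload step works because only the file name's extension is checked. As an added example (not from the original writeup or the challenge's source), the PHP code below contrasts that check with one that decides from the file's bytes and assigns a server-generated name; the function names and sample inputs are constructed for illustration.

```php
<?php
// Added example: hypothetical upload checks, not the challenge's code.

// Weak check as described in the writeup: only the last extension is inspected.
function extension_only_check(string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true);
}

// Hardened check: decide from the bytes and never reuse the client's file name.
// Returns a server-generated file name, or null when the upload is rejected.
function hardened_check(string $bytes): ?string
{
    $allowed = [
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_GIF  => 'gif',
    ];
    $info = @getimagesizefromstring($bytes); // false when the data is not an image
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;
    }
    // Random name with a single extension taken from the detected type.
    // A file that parses as an image can still carry other bytes, so the
    // stored copy must be served as static data and never passed to
    // include/require or placed where the PHP handler runs.
    return bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
}

// Constructed sample inputs: harmless text named like an image, and a 1x1 GIF.
$samples = [
    ['shell.php.jpg', "<?php /* placeholder text, not an image */ ?>"],
    ['pixel.gif', base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw==')],
];

foreach ($samples as [$name, $bytes]) {
    printf(
        "%-14s extension-only=%s hardened=%s\n",
        $name,
        var_export(extension_only_check($name), true),
        var_export(hardened_check($bytes) !== null, true)
    );
}
```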

Now it's time to search for the flag. Let's check the home directory like this:

We see there is only one folder, hermit.

Let's check that folder:
