Since I was the Tor user/promoter and had a Tor sticker on my laptop, I was the one in charge of this challenge.
A new black market has appeared and has been targeted by the FBI. After checking for suspicious posts on Stack Overflow and finding nothing, they have given up and are offering a bounty to anyone who can get information on the server that is hosting the hidden service.
The URL was http://mq72g4732yorslzf.onion/
It's a Tor hidden service, for a black market.
We were authorised to change our avatar, either by uploading an image from our computer or by providing a URL. The server then encodes the image in base64 and displays it by means of a data:image/gif;base64,... URI.
I tried to include http://mq72g4732yorslzf.onion/flag.php, or index.php, or config.php, or ...
Then I realised that the admin may have been lazy and not set up the server to resolve Tor domains. I included 127.0.0.1:80, and tadaaaaa:
This is what the base64-decoded file looks like:
Flag: 0hSh1t1r4n0ut0fn00dl35
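The avatar-from-URL feature fetched whatever address it was given, including 127.0.0.1:80 on the server itself. The following is an added example, not code from the challenge or the original write-up, of the check such a fetcher needs before it connects; `vet_avatar_url`, `sample_resolver` and `SAMPLE_DNS` are hypothetical names, and the DNS answers are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline (not real records).
SAMPLE_DNS = {"img.example": ["93.184.216.34"],
              "rebind.example": ["93.184.216.34", "127.0.0.1"]}

def sample_resolver(host, port):
    """Offline stand-in for DNS: IP literals pass through, names use SAMPLE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return SAMPLE_DNS.get(host, [])

def system_resolver(host, port):
    """Resolve with the OS resolver; returns every address as a string."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def is_internal(ip_text):
    """True if the address is this host or any non-public network."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop IPv6 zone id
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:  # ::ffff:127.0.0.1 is still loopback
        ip = mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def vet_avatar_url(url, resolver=system_resolver):
    """Return (ok, reason, pinned_ip) for a user-supplied avatar URL."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:
        return (False, "malformed URL", None)
    if parts.scheme not in ("http", "https") or not host:
        return (False, "only absolute http(s) URLs are accepted", None)
    try:
        addrs = resolver(host, port or (443 if parts.scheme == "https" else 80))
    except OSError:
        addrs = []
    if not addrs:
        return (False, "host does not resolve", None)
    for addr in addrs:  # reject if ANY answer is internal, not just the first
        if is_internal(addr):
            return (False, "resolves to internal address " + addr, None)
    # Fetch from this vetted IP (original Host header, no redirects followed).
    return (True, "ok", addrs[0])
```

A fetcher that vets the name and then resolves it a second time when connecting can still be steered to loopback, which is why the function returns the address to pin.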