Could this have been harder to do if the insecure server inspected the HTTP content-type and response body in the response? Something like this (psuedo-code):

  if response.content_type =~ /image-/i && !plain_text?(response.body)
    pass
  else
    fail!()
  end

I'm a bit confused by this:

> The challenge has kubernetes logo on the bottom of the page like the screenshot below, and the IP is 35.241.245.36.

> I immediately realized that is a GCP machine, so I tested the backend server by sending HTTP request to my server to see if it is also on GCP, and it is.

What about the IP address or k8s logo made you realize it was a GCP machine?

SSRF should be well known to anyone familiar with web app vulnerabilities, and PostScript is a programming language that's been around since 1982. Not exactly arcane terms. And noxCTF can reasonably be assumed to be a security CTF competition, even if you aren't familiar with the specific CTF.

> When I was play noxCTF 2018, I saw a challenge named PSRF, then I thought that might be SSRF, PostScript, or both.

Wow, talk about having no context! You need to do at least three Google searches just to parse the first sentence.

EDIT: Realized my comment was not constructive. For context, might be helpful to make some of the acronyms into links!

> When I was play noxCTF 2018, I saw a challenge named PSRF, then I thought that might be SSRF, PostScript, or both.

Wow, talk about having no context! You need to do at least three Google searches just to parse the first sentence.

EDIT: Realized my comment was not constructive. For context, might be helpful to make some of the acronyms into links!