Follow Me [100]

Let's start here. https://7aimehagbl.neverlanctf.com

Recon

curl -i https://7aimehagbl.neverlanctf.com/
HTTP/2 302 
server: nginx
date: Sat, 08 Feb 2020 16:58:57 GMT
content-type: text/html; charset=UTF-8
location: http://zesnh7ir95.neverlanctf.com
strict-transport-security: max-age=31536000; includeSubDomains; preload

Redirecting you to zesnh7ir95.neverlanctf.com

Let curl follow all the redirects:

curl -iL https://7aimehagbl.neverlanctf.com/ --max-redirs 99999

At the same time log the requests with Wireshark. Let it go on for a while, then filter the results in Wireshark:

(ip.src == 159.65.75.153) && (data-text-lines)

All lines are 406 in length, which are the redirects, except the lines which contain the flag, those are 557 in length:

Line-based text data: text/html (8 lines)
    <!doctype html>\n
    <html>\n
    \t<head><title>Wait.</title></head>\n
    \t<body>\n
    \t\t<h1>Welcome</h1>\n
    \t\t<p>flag{d0nt_t3ll_m3_wh3r3_t0_g0}</p>\n
    \t</body>\n
    </html>\n

Flag

flag{d0nt_t3ll_m3_wh3r3_t0_g0}