A box of chocolate

my public personal notebook

HITBXCTF 2018 Quals - upload

The given site has a simple form that allows us to upload a file; after uploading, it returns a file name that keeps the extension of the file we uploaded. With some simple recon we can see that the server is running PHP on IIS (which is known for being buggy), and we have a route pic.php?filename=default.jpg:

[screenshot: pic.php?filename=default.jpg]

The pic route takes a file name through the GET param filename (the name we got back after uploading) and shows the width and height of that uploaded file. Since we fully control this param and we also have file upload, and the problem description clearly says Get shell !, it is clear that we should upload a PHP shell to get the flag. We control the extension of the uploaded file, but the server blocks files with a .php extension. This is easily bypassed because Windows file names are not case sensitive, so a .Php file is still interpreted as a PHP file. Another problem is that we don't know where our files are placed on the server. We can abuse the pic.php?filename= route to leak path information. There is a trick when performing LFI against FastCGI on IIS: the < character behaves like a * wildcard (detailed in https://soroush.secproject.com/blog/2014/07/file-upload-and-php-on-iis-wildcards/). Let's use it to disclose our upload subfolder:

[embedded gist (the wildcard request) not captured in this copy]

[screenshot: upload subfolder disclosed through the wildcard request]
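From the defender's side, the probing above leaves a recognisable trace in the IIS logs. The script below is an added example, not part of the original writeup: it parses a few constructed IIS W3C Extended log lines (default field names) and flags requests whose pic.php query string contains the wildcard characters < > * ? or a .. segment, and requests for .php resources whose extension is not all lower-case (the .Php variant used later in this writeup). The log entries, IPs and file names are all made up for the example.

```python
"""Detect wildcard / traversal probing and mixed-case PHP requests in IIS W3C logs.

Constructed example: the log lines below are invented for illustration; the
field names are the IIS default W3C Extended set. Assumes IIS logs the query
string percent-encoded (the default), hence the unquote() before matching.
"""
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2018-04-14 17:34:40 10.0.0.5 GET /pic.php filename=default.jpg 80 - 203.0.113.7 Mozilla/5.0 200
2018-04-14 17:35:02 10.0.0.5 POST /upload.php - 80 - 203.0.113.7 Mozilla/5.0 200
2018-04-14 17:36:11 10.0.0.5 GET /pic.php filename=../upl%3C/default.jpg 80 - 203.0.113.7 Mozilla/5.0 200
2018-04-14 17:37:30 10.0.0.5 GET /pic.php filename=..%2F..%2Fflag.php 80 - 203.0.113.7 Mozilla/5.0 500
2018-04-14 17:41:57 10.0.0.5 GET /uploads/abc123.Php - 80 - 203.0.113.7 Mozilla/5.0 200
2018-04-14 17:42:10 10.0.0.5 GET /index.php - 80 - 198.51.100.4 Mozilla/5.0 200
"""

# '<' and '>' are treated as wildcards by the IIS/FastCGI path lookup; '*' and '?' are
# the classic Windows wildcards; '"' is another short-name alias character on NTFS.
WILDCARD_RE = re.compile(r'[<>*?"]')
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')


def parse_w3c(text: str) -> list:
    """Turn W3C Extended log text into a list of dicts keyed by the #Fields names.
    IIS replaces spaces inside values with '+', so splitting on whitespace is safe."""
    fields = None
    entries = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        entries.append(dict(zip(fields, line.split())))
    return entries


def classify(entry: dict) -> list:
    """Return the list of detection reasons for one log entry (empty = benign)."""
    reasons = []
    query = unquote(entry.get("cs-uri-query", "-"))
    stem = unquote(entry.get("cs-uri-stem", ""))
    if query != "-":  # IIS writes '-' when there is no query string
        if WILDCARD_RE.search(query):
            reasons.append("wildcard-in-query")
        if TRAVERSAL_RE.search(query):
            reasons.append("traversal-in-query")
    # A request for shell.Php / shell.PHP is served by PHP on IIS but would not
    # match a case-sensitive blacklist; flag any non-lower-case php extension.
    ext = stem.rsplit(".", 1)[1] if "." in stem else ""
    if ext.lower().startswith("php") and ext != ext.lower():
        reasons.append("mixed-case-php-extension")
    return reasons


def find_suspicious(text: str) -> list:
    """(time, client ip, uri stem, reasons) for every entry that trips a rule."""
    hits = []
    for entry in parse_w3c(text):
        reasons = classify(entry)
        if reasons:
            hits.append((entry["time"], entry["c-ip"], entry["cs-uri-stem"], reasons))
    return hits


if __name__ == "__main__":
    for time, ip, stem, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{time} {ip} {stem}: {', '.join(reasons)}")
```

Run against real logs, the rule that earns its keep is the wildcard one: legitimate clients have no reason to send < or > inside a filename parameter, so even a single hit from one source is worth looking at, whereas .. appears in enough broken scanners that you would normally rate it by volume per client.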

Now that we know where our files are uploaded, we can upload a simple PHP script to read flag.php in the root directory:

<?php print_r(file_get_contents('../flag.php')); ?>

[screenshot: flag.php contents returned by the uploaded script]
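Both steps of this writeup, the .Php bypass of the extension check and the user-controlled filename that pic.php passes to the filesystem (which is what lets the uploaded script sit next to ../flag.php and what the wildcard trick leans on), come down to two server-side checks. The following is an added example, not the challenge's code: the *_vulnerable functions are a reconstruction of the behaviour described above, and the hardened versions show an extension allowlist compared case-insensitively with a server-generated file name, plus a filename validator that rejects wildcard characters and path separators and confirms the resolved path stays inside the upload directory. The directory /var/www/uploads is a placeholder.

```python
"""Hardening the two weaknesses in this writeup: a case-sensitive .php blacklist
on upload and a user-controlled filename joined straight onto the upload dir.

Constructed example: the challenge's real upload handler and pic.php are not
available, so the *_vulnerable functions are a reconstruction of the behaviour
the writeup describes, not the challenge source.
"""
import os
import re
import secrets
from pathlib import Path
from typing import Optional

# ---- 1. extension handling on upload ---------------------------------------

def blocked_by_naive_blacklist(filename: str) -> bool:
    """Reconstruction of the bypassed check: one lower-case extension compared
    case-sensitively. 'shell.Php' is not blocked, yet IIS still routes it to the
    PHP handler because NTFS file names are case-insensitive."""
    return filename.endswith(".php")


ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def server_side_name(filename: str) -> Optional[str]:
    """Hardened: allowlist of image extensions compared after lower-casing, and a
    server-generated base name so the client controls neither the stored name
    nor the case of its extension. Returns None to reject the upload."""
    if "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return None
    return f"{secrets.token_hex(16)}.{ext}"


# ---- 2. the filename parameter of pic.php ----------------------------------

# Allowed: a leading alphanumeric, then alphanumerics, '.', '_' and '-'.
# Excluded by construction: the IIS wildcard characters < > * ? " and both
# path separators, so neither wildcard lookups nor '../' can be expressed.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def resolve_upload_path_vulnerable(upload_dir: str, filename: str) -> str:
    """Reconstruction: the user-supplied name is joined onto the upload directory
    unchanged, so wildcards and '..' reach the filesystem lookup as given."""
    return os.path.join(upload_dir, filename)


def resolve_upload_path(upload_dir: str, filename: str) -> Optional[str]:
    """Hardened: strict character allowlist, no '..', and a final containment
    check that the resolved path is still inside upload_dir."""
    if not _SAFE_NAME.fullmatch(filename) or ".." in filename:
        return None
    base = Path(upload_dir).resolve()
    candidate = (base / filename).resolve()
    if base not in candidate.parents:  # also rejects candidate == base
        return None
    return str(candidate)


if __name__ == "__main__":
    for name in ("shell.php", "shell.Php", "cat.JPG"):
        print(name, "naive-blocked:", blocked_by_naive_blacklist(name),
              "stored-as:", server_side_name(name))
    for param in ("default.jpg", "../flag.php", "upl<"):
        print(param, "->", resolve_upload_path("/var/www/uploads", param))
```

The containment check is deliberately kept even though the character allowlist already makes traversal impossible to spell: if someone later relaxes the regex, the Path.resolve() comparison still holds the line, and the random server-side name means the upload location is never derivable from what the client sent.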