We can see the description first:
7amamaBook is a social media website where people can sign up and share with each other. It has a bug bounty program and you found a bug and reported it but they refuse to pay you so you want to give them a payback by hacking it.
Then I open the webpage(http://18.104.22.168:8082/bounty.php), I find the web manager post something like this:
We don’t pay for CSRF vulnerability.
This post’s privacy is set to “Only me”
This remind us to update the password of the user 7atata.
And then we get to that page, we find the flag is over there