Password Changer 3000 — Insecure Token via Base64-Encoded Username

The password-reset token is simply the base64 encoding of the username. Encoding ‘admin’ and passing it as the token query parameter triggers the admin password change flow and reveals the flag.

January 1, 2024 · 1 min · giordii

Rick Roller — Flag Behind a Redirect

The /get_flag.php endpoint immediately redirects the browser to a Rick Astley video. Disabling redirect following in requests reveals the 302 response body which contains the flag.

January 1, 2024 · 1 min · giordii

Sito Vuoto — Flag Hidden in Page Source

The homepage appears empty, but the flag is embedded in an HTML comment or inside one of the linked static files (CSS or JS). Fetch each resource and grep for the flag pattern.

January 1, 2024 · 1 min · giordii

Sn4ck Sh3nan1gans — UNION SQL Injection via Base64 JSON Cookie

The server reads a base64-encoded JSON cookie containing an ID field and passes it unsanitised into a SQL query. Inject a UNION SELECT payload inside the JSON, re-encode as base64, and set the forged cookie to extract the flag in three phases.

January 1, 2024 · 2 min · giordii

That's a Lot of Fs — Flag in Ethernet Destination MAC via Custom EtherType

Filter Ethernet frames with EtherType 0xffff — the custom protocol used by this challenge — collect the destination MAC address from each matching frame, interpret the first two hex bytes as ASCII, and concatenate to reveal the flag.

January 1, 2024 · 2 min · giordii

Time Is Key — Timing Side-Channel Flag Extraction

The server compares the submitted flag character-by-character, so its response time grows with the length of the correct prefix. Measure elapsed time per candidate character and pick the one with the longest response time to recover the flag byte by byte.

January 1, 2024 · 2 min · giordii

TIMP — OS Command Injection with IFS and Null Byte Filter Bypass

A POST endpoint executes a shell command with user-supplied input but filters spaces, the word ‘echo’, and other shell metacharacters. Bypass with ${NULL} (an unset variable, which expands to nothing) and ${IFS} (the internal field separator, which expands to a space in bash).

January 1, 2024 · 2 min · giordii

Truly Random Signature — Predictable Session Token Analysis

The server issues session tokens that are predictable or reusable. Requesting the site twice, comparing the Set-Cookie headers, and identifying the pattern allows forging or reusing an admin-level token.

January 1, 2024 · 2 min · giordii

Villa Pisani — DNS Maze DFS via CNAME Records

Navigate a DNS-based labyrinth by following CNAME records in four compass directions (up/down/left/right) and reading TXT records until one contains the flag. Depth-first search with a visited set prevents loops.

January 1, 2024 · 3 min · giordii

You Complete Me — Binary Search Word Reconstruction

A sorted word list and a known sequence of binary-search response sizes pin down a unique word character by character. Reconstruct it by matching the precounted word counts at each prefix level.

January 1, 2024 · 2 min · giordii