Rules of the game

Your mission

Your mission, should you choose to accept it, is to uncover three hidden flags. Each flag is a secret message containing additional, exclusive submission instructions for your application. Following these instructions is the only proof that you’ve found them.

The flags are planted behind web vulnerabilities. Spot those vulnerabilities and the flags will reveal themselves to you.

What not to do

All the information you need to start looking for the vulnerabilities is contained in this page. Do not search outside this page, e.g., in the rest of the website.

To keep things fair and fun, here are a few rules to play by:

• Everything you need is right here on this HTML page. No need to visit/reverse other parts of the website.
• Play nice with the server: no brute-forcing or poking around outside the challenge zone.
• No automated tools allowed! This means no recon tools, no web app scanners, no fuzzers for XSS or SQL injection.
• Keep the flags for yourself! These are your challenges to solve and your victory to earn.

Failure to adhere to these rules may result in disqualification.

Final words

This challenge may seem daunting, but I encourage you to do it! Stay curious (always look around to clues and hints) and don't hesitate to think outside the box. Even if you don't succeed, I would like to hear your thoughts and ideas about this challenge.

Have fun!