This was a website where you could click a button to request the flag. Intercepting the request with burp, we realize that an argument “auth” is sent along with the other parameters. Simply setting the value of “auth” to 1 grants us access to the flag.




Visiting the website:


Checking the box and clicking submit to request the flag, we get a “Not Authorized” message, as expected:

Not Authorized

Intercepting the request with Burp, we can see that we are sending an auth parameter with value 0 whenever we request the flag:

/flag request

Change auth=0 to auth=1 to bypass authentication:

/flag request modified

The request goes through now and we are sent the flag:

Flag received

Flag: dctf{w3b_c4n_b3_fun_r1ght?}