This was a website where you could click a button to request the flag. Intercepting the request with burp, we realize that an argument “auth” is sent along with the other parameters. Simply setting the value of “auth” to 1 grants us access to the flag.
Visiting the website:
Checking the box and clicking submit to request the flag, we get a “Not Authorized” message, as expected:
Intercepting the request with Burp, we can see that we are sending an auth parameter with value 0 whenever we request the flag:
Change auth=0 to auth=1 to bypass authentication:
The request goes through now and we are sent the flag: