One day I spied out my friend accessing some Google Form to enter his secret combination lock. Afterwards, I kept bothering him about it, and he finally decided to give the link to me. Maybe you can figure out his combo for me and get a tasty flag in return: link

We’re given a Google Form that does all of its checking on the client side. Inspecting the source code quickly shows us the interesting data used to drive the form interactions: FB_PUBLIC_LOAD_DATA_.

This challenge seemed simple (it was also tagged easy, but not many teams solved it): you have a “game” server that you connect to, and you can move your character around. The game server then tells you whether you fell into a pit, smelled a flag character, were next to a pit, or “caught” a flag character. All of the source code was available to download, including a Docker file for launching your own instance.