Difficulty: 500 points | 25 solves
Description: Wow you are doing great in this operation! Check Kara Jutsus Platform, I heard that it has a weird behavior and Dr Amado has hidden his flag in the User-Agent 👀 But the flag appears only when you report a link starting with http://184.108.40.206. That's Dr Amado Magic!!
This challenge was the 5th step of the CTF. From the challenge description, we know that we have to retrieve the flag which is stored in the User-Agent header of the bot. The challenge website has only one feature which allows to load images from a
User-Agent header is sent over each request made by the browser, loading a resource from a remote content will force the bot's browser to fetch the resource and gives us the flag.
Then, send the vulnerable URL to the bot: