The challenge provided two files - server.py and admin.js, and a link to a web application that lets us enter a URL path that the bot will visit, which means this challenge is probably XSS or SSRF-related.
Let's dive into the source code and see where the flag is mentioned, so we can think about the next steps.
Unfortunately, I did not find any mentions of a flag, but we can see in 'server.py' that a secret value is read from 'secret.txt'.
Later in the code, we can see that this secret value needs to be set in the cookies for the '/api/cal' API endpoint. We can also see that it is probably possible to exploit a command injection vulnerability, using the 'modifier' parameter. It would look something like:
?modifier=;ls 
Maybe we can tell the bot to visit this API endpoint if the bot has the secret in its cookies, and somehow send us the command injection results.
Looking at the 'admin.js' file, we can see that the bot has the secret in its cookies, but we cannot tell it to visit any URLs that include 'cal' or '%'.
So we need to find another way to make the bot access the API endpoint vulnerable to the command injection.
We can add a high score in the system by sending 'username' and 'high_score' parameters and we will receive a UUID.
And this API endpoint returns the high score UUID data.
This is the main functionality of the web app. We need to retrieve the secret value to be able to exploit the command injection, or to make the bot access it.
We can try to inject a script as the 'username' parameter's value in the '/api/stats' endpoint and then, tell the bot to visit the UUID that contains the XSS payload.
Injecting a script in the 'username' parameter's value:
The script tells the bot to access '/api/cal/?modifier=;cat secret.txt' (the endpoint vulnerable to command injection), and to read the content of the 'secret.txt' file. Then it will create a new Image object with the source of our server, and appends the response of the '/api/cal' request a parameter's value.
An image object was used instead of XHR or fetch() requests to bypass the same-origin policy requirements which are not applied to images (I'm actually not sure why it blocked the requests in my initial attempts using fetch(), as they were GET requests without any special headers, but I didn't delve into this, and I just replaced it with an Image object).
This is how the bot probably see it:
Telling to bot to visit this UUID:
The bot request to our server which includes the contents of 'secret.txt' file:
Using the secret to find the flag file and read it:
Happy hacking,
Orel 🍊