The challenge has a web app running. On the cliend source code there is a
comment:  
```

```  
This seems a hint to check robots.txt:  
```  
User-agent: * Disallow: /source  
```  
When checking the /source we get a very long file that starts with the
following:  
```  
exec('%c'%((()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()==())+(()  
```  
This is just a piece of it, this is python, when changing the exec to print
and we run it, we get the following code:  
```  
_A='backend.js'  
from flask import Flask,send_file,request,redirect  
import os,json,subprocess  
app=Flask(__name__)  
@app.route('/')  
def index():return send_file('index.html')  
@app.route('/logo.svg')  
def logo():return send_file('logo.svg')  
@app.route('/robots.txt')  
def robots():return'User-agent: *\nDisallow: /source'  
@app.route('/source')  
def source():  
with open('app.py')as A:return A.read()  
@app.route('/source/js')  
def js_source():  
with open(_A)as A:return A.read()  
@app.route('/3ng1n33r1ng-s4mpl3',methods=['POST'])  
def flag():  
A={A[0]:A[1]for A in request.headers.items()};B=request.args.to_dict()  
print(subprocess.check_output(['node',_A,str(A),str(B),str(request.json)]).decode().strip())  
if
subprocess.check_output(['node',_A,str(A),str(B),str(request.json)]).decode().strip()=='Valid':return
os.environ.get('FLAG')  
return redirect('/')  
if __name__=='__main__':app.run()  
```  
It seems there is a /source/js, and it starts like this:  
```  
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]  
```  
This is again just part of it, it is jsfuck, I've pasted it into a file, it
ended with () so it was a function, I've surrounded it with
console.log([...].toString()) to get the function code and I got the
following:  
```  
d=JSON.parse(`{"header_key":
"[-]>[-]<++++++++[>++++++++++<-]>++++++++.<++++[>\----------<-]>\---.<++[>++++++++++<-]>++++.<++[>++++++++++<-]>++++++++.<+[>++++++++++<-]>+++++++.<[>\----------<-]>\------.<+[>++++++++++<-]>+++.<+++++++[>\----------<-]>\------.<++[>++++++++++<-]>.<+++[>++++++++++<-]>++++.<[>\----------<-]>.<[>++++++++++<-]>++.<+[>++++++++++<-]>++++.<[>\----------<-]>.<",
"header_value":
"[-]>[-]<++++++++++[>++++++++++<-]>+++++++.<[>\----------<-]>\--.<+[>++++++++++<-]>+.<+[>\----------<-]>\-------.<+[>++++++++++<-]>+++++++.<+[>\----------<-]>\----.<+++++[>\----------<-]>\-------.<+++++[>++++++++++<-]>++++.<[>++++++++++<-]>++.<+[>++++++++++<-]>+++.<[>++++++++++<-]>++.<+[>\----------<-]>-.<[>\----------<-]>\---.<[>++++++++++<-]>+++.<[>\----------<-]>\----.<[>\----------<-]>-.<+++++[>\----------<-]>\-----.<+++++++[>++++++++++<-]>+.<+[>\----------<-]>\-----.<+[>++++++++++<-]>++++.<[>++++++++++<-]>+.<+[>\----------<-]>\-----.<+[>++++++++++<-]>+++.<",
"query_key":
"[-]>[-]<++++++++++[>++++++++++<-]>+++++++.<[>\----------<-]>\------.<++[>++++++++++<-]>.<",
"query_value":
"[-]>[-]<+++++[>++++++++++<-]>+++.<[>\----------<-]>-.<[>++++++++++<-]>++.<[>++++++++++<-]>++.<[>\----------<-]>\--.<[>++++++++++<-]>+++.<[>\----------<-]>\--.<[>\----------<-]>\----.<[>\----------<-]>-.<[>\----------<-]>\--.<[>++++++++++<-]>++++++.<[>++++++++++<-]>+++.<[>\----------<-]>\--.<[>\----------<-]>\----.<[>\----------<-]>-.<[>\----------<-]>\--.<[>++++++++++<-]>++++++.<[>\----------<-]>\-----.<[>++++++++++<-]>+.<[>\----------<-]>\--.<[>++++++++++<-]>+++++++.<[>\----------<-]>-.<[>\----------<-]>.<[>\----------<-]>\-----.<[>++++++++++<-]>+++++.<++++[>++++++++++<-]>+++++.<++++[>\----------<-]>\-----.<[>++++++++++<-]>+++.<[>\----------<-]>\---.<[>\----------<-]>\--.<[>\----------<-]>\--.<[>\----------<-]>\--.<[>++++++++++<-]>++++++.<++++[>++++++++++<-]>++++.<++++[>\----------<-]>\----.<[>\----------<-]>-.<[>++++++++++<-]>++.<[>++++++++++<-]>++.<",
"body_key":
"[-]>[-]<+++++++++++[>++++++++++<-]>++++.<+[>\----------<-]>\---.<+[>++++++++++<-]>++++.<[>\----------<-]>\----.<[>++++++++++<-]>++++++.<[>\----------<-]>\---.<+[>\----------<-]>\-----.<[>++++++++++<-]>++.<",
"body_value":
"[-]>[-]<++++++++++[>++++++++++<-]>++.<[>++++++++++<-]>++++++.<+[>\----------<-]>-.<[>++++++++++<-]>++++++.<",
"cookie_key":
"[-]>[-]<+++++++++++[>++++++++++<-]>.<+[>\----------<-]>.<[>\----------<-]>\---.<",
"cookie_value":
"[-]>[-]<+++++++++++[>++++++++++<-]>++++++.<[>\----------<-]>\--.<[>++++++++++<-]>+++.<+[>\----------<-]>\------.<"}`);  
function interpret(e){  
let r="",a=new Array(420).fill(0),s=0,t=0,o="",i=!1;var c=[];  
braces={},e=e.replace(/[^<>+-.,\\[\\]]/,"");  
for(let
r=0;r<e.length;r++)"["===e[r]&&c.push(r),"]"===e[r]&&(start=c.pop(),braces[start]=r,braces[r]=start);  
for(;!i;){switch(e[s]){case">":t++;break;case"<":t--;break;case"-":a[t]--;break;case"+":a[t]++;break;case".":o+=String.fromCharCode(a[t]);break;case",":a[t]=r.charCodeAt(0),r=r.substring(1);break;case"[":0===a[t]&&(s=braces[s]);break;case"]":0!==a[t]&&(s=braces[s]);break;case
void 0:i=!0}s++}return o}

const headers=JSON.parse(process.argv[2].split("'").join('"')),  
args=JSON.parse(process.argv[3].split("'").join('"')),  
body=JSON.parse(process.argv[4].split("'").join('"'));  
headers[interpret(d.header_key)]===interpret(d.header_value)&&  
args[interpret(d.query_key)]===interpret(d.query_value)&&  
body[interpret(d.body_key)]===interpret(d.body_value)&&  
headers.Cookie.split("=")[0]===interpret(d.cookie_key)&&  
headers.Cookie.split("=")[1]===interpret(d.cookie_value)?console.log("Valid"):console.log("Fake");;  
```  
I've run this server code of both files on my local machine and printed what
was being compared and checked. The final request that got me the flag was the
following:  
```  
POST
/3ng1n33r1ng-s4mpl3?resource=flag&key=5468697320697320612076616c6964206b6579
HTTP/2  
Host: wtf-0.chals.kitctf.de  
X-Early-Access: kitctf-certified-tester  
Cookie: nda=true  
Content-Type: application/json  
[...]

{"resource":"flag"}  
```  
And the server answered with the following:  
```  
HTTP/2 200 OK  
Content-Type: text/html; charset=utf-8  
Date: Sat, 10 Jun 2023 21:30:45 GMT  
Server: Werkzeug/2.3.5 Python/3.10.12  
Content-Length: 28

GPNCTF{qSf1PSqRtUspio040GHg}  
```