Start by loading the web app from https://challenge-0423.intigriti.io/ Some fuzzing shows us some interesting files which will be useful later.  Of course flag.txt is not readable yet! $ ffuf -u https://challenge-0423.intigriti.io/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e .txt,.php -fc