tl;dr
- DOM Clobbering to redirect to the attacker's site
- Increasing the content using SQL Injection by giving the same column multiple times
- Connection-Pool XS-Leaks to measure the time for the page to load
- Leak the flag character by character using the above techniques