Flag0 – Found
- Regular users can only see public pages
- Getting admin access might require a more perfect union
- Knowing the password is cool, but there are other approaches that might be easier
Flag1 – Found
- What actions could you perform as a regular user on the last level, which you can’t now?
- Just because request fails with one method doesn’t mean it will fail with a different method
- Different requests often have different required authorization
Flag2 – Found
- Credentials are secret, flags are secret. Coincidence?