Trapped Source

SOLUTION

Go to the website, we can see that it requires us to input pin code. Inspect the web, we know the correct pin is 9001. But we don’t have 0 button. Go to the script, we can see the data type is json and directory is /flag and web’s method POST Using BurpSuite to change something and we got the flag.