metarace Description Essentially the same as aart, but with a twist: this time to get the flag we need to login AND to perform a GET request to the index page. The complete exploit is in script.py.