I simulate iterative knowledge deduction between two players to find the minimum number of nights before one can declare the true total.
I exploit the gap between Express header handling and Node's body 'end' event to register a self-referring account and compound referrals into 100 billion coins.
I send number[]=1000000000 to trick Express's qs parser into producing an array that passes a length check and coerces to the target number.
I level up a dummy account by abusing the battle endpoint, then trilaterate the target's coordinates from three distance measurements to find their exact address.
I abuse a URL substitution flaw to reach an exposed dockerd TCP socket, then create a container with the host filesystem mounted to read the flag.
