First we see the text on the page: "You must specify a nick". After a quick look at the source code of the page, we understand that our URL must contain a GET parameter 'nick' with a random value.
Then the server sends us a leet-modified string like
51xty tw0 plu5 0n3
and expects us to send back the solution of this expression in the same format.
Experimentally, we found that there are only 4 leet-modified characters: '1' == 'i', '3' == 'e', '5' == 's', '0' == 'o'.
There can be various numbers and all 4 operations: plus, minus, times and divide by. So our solution has the following steps:
- unleetify the string to normal words (e.g. "sixty two plus one");
- extract the operation ("plus" -> "+");
- turn the 2 strings into numbers (62 and 1);
- evaluate the expression (62 + 1 = 63);
- turn the number into words ("sixty three");
- leetify this string using the same rules as the server ("51xty thr33");
- send the string to the server and get the response. If there is no flag in the response, go to step 1.
After some number of iterations the server will send us a flag: Fl4g4Th3W1nl33tP0w4h.
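The transformation steps listed above (everything except talking to the server), as an added Python example that is not the original solver. The function names are hypothetical, and three behaviours the write-up does not specify are assumptions: integer division, a "minus" prefix for negative results, and answers written without hyphens or "and".

```python
# Added example: offline solver for the leet-arithmetic steps (no network code).
# Assumptions: integer division, "minus" prefix for negative results,
# and number words without hyphens or "and" in the answer.
TO_PLAIN = str.maketrans("1350", "ieso")   # the four substitutions from the write-up
TO_LEET = str.maketrans("ieso", "1350")

ONES = ("zero one two three four five six seven eight nine ten eleven twelve "
        "thirteen fourteen fifteen sixteen seventeen eighteen nineteen").split()
TENS = [None, None] + "twenty thirty forty fifty sixty seventy eighty ninety".split()
OPS = {"plus": lambda a, b: a + b, "minus": lambda a, b: a - b,
       "times": lambda a, b: a * b, "divide by": lambda a, b: a // b}

def words_to_int(text):
    """Parse English number words such as 'sixty two' into an int."""
    total = current = 0
    for word in text.replace("-", " ").split():
        if word in ONES:
            current += ONES.index(word)
        elif word in TENS:
            current += TENS.index(word) * 10
        elif word == "hundred":
            current *= 100
        elif word == "thousand":
            total, current = total + current * 1000, 0
        elif word != "and":
            raise ValueError(f"unknown number word: {word!r}")
    return total + current

def int_to_words(n):
    """Render an int as English number words ('sixty three')."""
    if n < 0:
        return "minus " + int_to_words(-n)
    if n < 20:
        return ONES[n]
    if n < 100:
        return TENS[n // 10] + (f" {ONES[n % 10]}" if n % 10 else "")
    unit, name = (1000, "thousand") if n >= 1000 else (100, "hundred")
    rest = f" {int_to_words(n % unit)}" if n % unit else ""
    return f"{int_to_words(n // unit)} {name}{rest}"

def solve(challenge):
    """Un-leet, evaluate, and re-leet one challenge string."""
    plain = challenge.lower().translate(TO_PLAIN)
    for name, op in OPS.items():
        left, found, right = plain.partition(f" {name} ")
        if found:
            result = op(words_to_int(left), words_to_int(right))
            return int_to_words(result).translate(TO_LEET)
    raise ValueError(f"no operator in {plain!r}")
```

Because the reverse mapping is applied to every 'i', 'e', 's' and 'o' in the answer, the output follows the same four-character rule the server uses.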