This challenge is a simple chat app written in Node.js. When anybody says `/report` in the chat room, the admin joins for a while and bans anybody who says `dog`. The flag is the admin's secret, which is stored as a cookie in the admin's browser. To solve the challenge, we get ourselves banned, then use a bug in the code to trick the server into thinking the admin's ban command also sets the admin's secret, then trick the admin's browser into thinking it changed its secret without actually changing it and have it put the secret into the DOM, and finally use a CSS injection in the banning code to exfiltrate the password via messages in the same chat room. Read the details here: https://blog.vero.site/post/cat-chat

Original writeup (https://blog.vero.site/post/cat-chat).