Rating:

If we browse to a website, we are presented with the following form :

```html
<form action="button1.php" method="POST">
<input type="submit" value="PUSH ME! I am your only hope!"/>
</form>
```

Clicking the button takes us to a second page than has another button - this
time a link :

```html
Button2
```

If we click the second button, we are shown an error :

```html
<form action="button2.php" method="POST">
FORM DISABLED. THIS INCIDENT HAS BEEN LOGGED AND REPORTED TO /dev/null
</form>
```

Now the hint was to look at the difference between the two buttons.

1. The first button was form pointing to `button1.php` with a `POST` method
2. The second button was a link, meaning clicking it send a `GET` request
3. In the error page there is a form that points to `button2.php` with a `POST` method

This seems to indicate that we should try sending a `POST` requests to
`button2.php` (I used [Burp Suite](https://portswigger.net/burp)'s proxy and
repeater for tha). And indeed when we do, we are given the flag :
`picoCTF{button_button_whose_got_the_button_dfe8b73c}`.

Original writeup (http://blog.iodbh.net/picoctf2018-web-buttons.html).