Author: @axi0mX

Information given: "Watch your heads!"

Assuming it was related to an HTTP HEAD request, I ran the following command:

$ curl --head https://asis-ctf.ir/challenges/
HTTP/1.1 302 Found
Server: nginx
Date: Mon, 12 Sep 2016 02:05:42 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Language, Cookie
X-Frame-Options: SAMEORIGIN
Content-Language: fa
Location: /accounts/login/?next=/challenges/
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload;
CTF-Level: Final 2016
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Flag: QVNJU3szMWE0ODM5MDBiODU3NjQyNmNjY2RmNTU0MDJiOWRkNn0K; base64

Decoding base64 gets us the flag:

$ echo QVNJU3szMWE0ODM5MDBiODU3NjQyNmNjY2RmNTU0MDJiOWRkNn0K | base64 --decode
ASIS{31a483900b8576426cccdf55402b9dd6}