routarded starts you out with a hint in the challenge description that the target webpage is a router with default credentials. After trying a bunch of default router combinations, @jonathansinger found a working combination of <blank>:admin. This pops you into the management site of this fake router, which has a promising diagnostics page.
Looks like there’s a file called flag. Let’s try to read it out by submitting 127.0.0.1 & cat flag and fixing it with Burp. The flag is l0l, I can’t believe they still do this shit.
Additional credit for solving this challenge goes to @jonathansinger.
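From the defender's side, the fix for a diagnostics page like this one is to validate the target on the server and never hand it to a shell. The sketch below is an added example, not code from the challenge: it assumes the page concatenates the submitted field onto a ping command line (the writeup does not show the server code), and all function names are hypothetical.

```python
import ipaddress
import subprocess

# Characters that let a form field break out of a single shell command.
SHELL_META = set("&;|`$()<>\n\\'\"")

def vulnerable_command(host: str) -> str:
    """Assumed 'before' pattern: the field is pasted into a shell string."""
    return "ping -c 1 " + host  # would then be executed with shell=True

def validate_host(host: str) -> str:
    """Accept only a literal IPv4/IPv6 address; reject everything else."""
    try:
        return str(ipaddress.ip_address(host.strip()))
    except ValueError:
        raise ValueError(f"rejected diagnostics target: {host!r}") from None

def safe_ping_argv(host: str) -> list[str]:
    """Hardened form: validated address passed as one argv element."""
    return ["ping", "-c", "1", validate_host(host)]

def run_ping(host: str) -> subprocess.CompletedProcess:
    """No shell is involved, so '&' is never treated as a separator."""
    return subprocess.run(safe_ping_argv(host), capture_output=True,
                          text=True, timeout=5, shell=False)

def suspicious(host: str) -> bool:
    """Detection helper: flag submissions containing shell metacharacters."""
    return any(ch in SHELL_META for ch in host)

if __name__ == "__main__":
    # Second sample is the value submitted in the writeup.
    for sample in ("127.0.0.1", "127.0.0.1 & cat flag"):
        print(repr(sample), "-> shell string:", repr(vulnerable_command(sample)))
        try:
            print("    argv:", safe_ping_argv(sample))
        except ValueError as exc:
            print("    ", exc, "| log as suspicious:", suspicious(sample))
```

The check has to live in the request handler itself, since anything enforced in the browser can be changed before the request is sent, as the Burp step above shows.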