# Let's be Transparent about this - Writeup

This is a sponsor challenge, and visiting the site derp.randori.com, there is a form. However, when you view the source, all form submissions simply redirect to randori.com, which does not feel like part of the challenge. Also part of the source is a bogus flag, but nothing else of interest is to be seen.

Maybe the flag is hidden in the DNS records? Nope, no luck.

Next, inspecting the site a bit more, I checked the server certificate. Haha! Scrolling through, I see that the cert is also valid for derp-dev.randori.com! Finally, a lead!

Visiting derp-dev.randori.com, there is no response. Checking the DNS records, there are none! Maybe there is a Wayback Machine entry at archive.org? Nope.

Then I realized it! It's a vhost on the same IP! Firing up Burp, we can send a request with the `Host: derp-dev.randori.com` header.

![](https://i.imgur.com/ZGmNvY2.png)

And voila! We get the flag.

![](https://i.imgur.com/GGQHNZH.png)
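An added example, not part of the original writeup: a Python audit, from the certificate owner's side, that lists the names on a served certificate and flags those with no DNS record, which is how derp-dev.randori.com surfaced here. The function names, the stand-in resolver, and the sample certificate dict are assumptions constructed for illustration; only the two hostnames come from the writeup.

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=5):
    """Return the validated peer certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_dns_names(cert):
    """Extract lower-cased, de-duplicated DNS names from subjectAltName."""
    names = []
    for kind, value in cert.get("subjectAltName", ()):
        name = value.lower().rstrip(".")
        if kind == "DNS" and name not in names:
            names.append(name)
    return names

def system_resolves(name):
    """True if the local resolver returns any address for the name."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def audit_sans(cert, visited, resolves=system_resolves):
    """Classify every SAN other than the host that was visited."""
    report = {"resolves": [], "no_dns": [], "wildcard": []}
    for name in san_dns_names(cert):
        if name == visited.lower():
            continue
        if name.startswith("*."):
            report["wildcard"].append(name)  # cannot be resolved directly
        elif resolves(name):
            report["resolves"].append(name)
        else:
            report["no_dns"].append(name)    # name-based vhost with no DNS
    return report

# Constructed sample in the shape ssl.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "derp.randori.com"),),),
    "subjectAltName": (("DNS", "derp.randori.com"),
                       ("DNS", "derp-dev.randori.com")),
}

def sample_resolver(name):
    """Stand-in resolver mirroring the writeup: only the public name has DNS."""
    return name == "derp.randori.com"

if __name__ == "__main__":
    print(audit_sans(SAMPLE_CERT, "derp.randori.com", sample_resolver))
```

Names reported under `no_dns` are still published in the certificate, so a development vhost needs its own access control or its own certificate rather than reliance on the missing DNS record.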