On going to site there is link to see pages 2-10, there contents of ID 2 to 10 can be seen Checking the source code at /?source tells that there is a SQL injection. The injection is possible at $max. If we pass max as 1,10 OR 1 it will give us the contents of ID 1 which is FLAG in bas64