Hello friends! Welcome to my twisted CSRF labs! These are the CSRF labs with some of the sweetest cheese, but you will have to work for it.
Here are some ground rules:

CSRF 1

Easy

Goal: Forge a cross-site POST to this endpoint and make it return a flag.

Hints
  • There is no anti-CSRF token anywhere in the request.
  • You only need the same field names the normal form uses.
  • An auto-submitting HTML form is enough for this one.

Why This Works

The application accepts state-changing POST requests without checking for a per-session secret. Any external site can cause the victim's browser to submit the same request with the victim's session attached.
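The missing check, shown as an added example that is not the lab's own code: a handler that trusts the session cookie alone, next to one that also requires the per-session secret. The in-memory session store, the `sid` cookie, and the `email` and `csrf_token` field names are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session state.
SESSIONS = {}

def login(user):
    """Create a session together with a per-session anti-CSRF secret."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32),
                     "email": "old@example.test"}
    return sid

def handle_post_vulnerable(cookies, form):
    """The flaw described above: the session cookie alone authorizes the change."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401
    session["email"] = form["email"]
    return 200

def handle_post_hardened(cookies, form):
    """Same handler, but the body must carry the per-session secret."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401
    sent = form.get("csrf_token", "")
    # Constant-time comparison; a missing or wrong token is rejected.
    if not hmac.compare_digest(sent.encode(), session["csrf"].encode()):
        return 403
    session["email"] = form["email"]
    return 200

def demo():
    sid = login("alice")
    # Modelled assumption: the cookie travels with the request
    # (no SameSite restriction in effect).
    cookies = {"sid": sid}
    # Request from the site's own form: the page embedded the token.
    own = {"email": "new@example.test", "csrf_token": SESSIONS[sid]["csrf"]}
    # Request triggered from another origin: same field names, but that
    # origin cannot read the token, so the field is absent.
    cross = {"email": "changed@example.test"}
    return {
        "vulnerable_cross": handle_post_vulnerable(cookies, dict(cross)),
        "hardened_cross": handle_post_hardened(cookies, dict(cross)),
        "hardened_own": handle_post_hardened(cookies, own),
        "final_email": SESSIONS[sid]["email"],
    }
```

The cross-origin request succeeds against the first handler and gets a 403 from the second, while the site's own form still works.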