

Open the web page; it shows a button you can't click.

So we inspect the source code.



We find the code "disabled=''", which gives the button the disabled attribute.

So how can we change it?

Just delete that code and you will find you can finally click the flag button.

And the flag shows up.


Capture the HTTP request to analyze it.



It posts the content 'auth=flag' to the server, so another method is to forge the HTTP request yourself.

Don't forget to add the header 'Content-Type: application/x-www-form-urlencoded'; the POST request will not work without it.
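
Why both methods work, seen from the server side, as an added example that is not the challenge's own code: the 'disabled' attribute never reaches the server, so a handler that only looks at 'auth=flag' accepts any client, while one that checks server-side session state does not. The handler names, the session shape, the flag value and the way the form parser treats Content-Type are assumptions.

```javascript
// Added example. Handler names, session shape and the flag value are hypothetical.
const FORM_TYPE = 'application/x-www-form-urlencoded';

// Form parsers commonly read the body only when the request declares it as a
// URL-encoded form (assumed here), so a POST without the header carries no fields.
function parseForm(headers, body) {
  const type = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (type !== FORM_TYPE) return {};
  return Object.fromEntries(new URLSearchParams(body));
}

const deny = () => ({ status: 403, body: 'denied' });
const grant = () => ({ status: 200, body: 'FLAG{placeholder}' });

// Weak: the disabled button was the only control, and the server never sees it.
function handleWeak(req) {
  return parseForm(req.headers, req.body).auth === 'flag' ? grant() : deny();
}

// Hardened: the decision comes from server-side session state.
function handleHardened(req, sessions) {
  const session = sessions.get((req.cookies || {}).sid);
  if (!session || !session.mayViewFlag) return deny();
  return parseForm(req.headers, req.body).auth === 'flag' ? grant() : deny();
}

// Constructed sample requests.
function demo() {
  const typed = { headers: { 'content-type': FORM_TYPE }, body: 'auth=flag' };
  const untyped = { headers: {}, body: 'auth=flag' };
  const sessions = new Map([['s1', { mayViewFlag: true }]]);
  return {
    weakTyped: handleWeak(typed).status,
    weakUntyped: handleWeak(untyped).status,
    hardenedNoSession: handleHardened(typed, sessions).status,
    hardenedWithSession: handleHardened({ ...typed, cookies: { sid: 's1' } }, sessions).status,
  };
}

console.log(demo());
```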