because it is crawling web challenge do it manually by search in source
and javascript console and source of javascript(two defferent token) and all steps all apair of tokens
and and steps
"B218B51749AB9E4C669E4B33122C8AE3": (0, "A token in the HTML source code..."),
"66E7AEBA46293C88D484CDAB0E479268": (1, "A token in the JavaScript console..."),
"5D1F98BCEE51588F6A7500C4DAEF8AD6": (2, "A token in the stylesheet..."),
"29D3065EFED4A6F82F2116DA1784C265": (3, "A token in javascript code..."),
"9D34859CA6FC9BB8A57DB4F444CDAE83": (4, "A token in a header..."),
"BF1E1EAA5C8FDA6D9D0395B6EA075309": (5, "A token in a cookie..."),
"647E67B4A8F4AA28FAB602151F1707F2": (6, "A token where the robots are forbidden from visiting..."),
"3FB4C9545A6189DE5DE446D60F82B3AF": (7, "A token where Google is told what pages to visit and index..."),
"F1C20B637F1B78A1858A3E62B66C3799": (8, "A token received when making a DELETE request to this page..."),
"32BFBAEB91EFF980842D9FA19477A42E": (9, "A token in a TXT record at i-spy.chall.lac.tf..."),
"7227E8A26FC305B891065FE0A1D4B7D4": (10, "A Flag! lactf{1_sp0773d_z_t0k3ns_4v3rywh3r3}"),(flag on end of steps)
do upper tokens and get aytommatically this python code in this writeup:https://cybersecctf.github.io/blog/?q=web%20inspect
also get site full source in app.zip in this writeup