diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Challenge1.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Challenge1.java
new file mode 100644
index 000000000..2b2a4f1d4
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Challenge1.java
@@ -0,0 +1,56 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.io.IOException;
+
+import static org.owasp.webgoat.plugin.SolutionConstants.PASSWORD;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *

+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *

+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *

+ * Getting Source ==============
+ *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *

+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since August 11, 2016
+ */
+@AssignmentPath("/challenge/1")
+public class Challenge1 extends AssignmentEndpoint {
+
+ @RequestMapping(method = RequestMethod.POST)
+ public
+ @ResponseBody
+ AttackResult completed(@RequestParam String username, @RequestParam String password) throws IOException {
+ if (PASSWORD.equals(password)) {
+ return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
+ }
+ return failed().build();
+ }
+}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java
new file mode 100644
index 000000000..6ac1a0e62
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java
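Review bot: `completed` declares a `username` request parameter that no statement in the method reads, so the check on the `if (PASSWORD.equals(password))` line succeeds for any username value; if that is the intended shape of the challenge, a one-line comment such as `// username is accepted but not checked; only the password decides the outcome` would spare the next reader a search, otherwise the parameter should go. The `throws IOException` clause is likewise dead, since nothing in the body can throw it, and it forces callers of this method to handle an exception that never occurs. In the license header, `2002 - 20014` is presumably a typo for `2014`.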
@@ -0,0 +1,52 @@
+package org.owasp.webgoat.plugin;
+
+import com.google.common.collect.Maps;
+import org.owasp.webgoat.assignments.Endpoint;
+import org.owasp.webgoat.session.UserTracker;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+import javax.annotation.PostConstruct;
+import java.util.Map;
+import java.util.UUID;
+import java.util.stream.IntStream;
+
+/**
+ * @author nbaars
+ * @since 3/23/17.
+ */
+public class Flag extends Endpoint {
+
+ public static final Map FLAGS = Maps.newHashMap();
+ @Autowired
+ private UserTracker userTracker;
+ @Autowired
+ private WebSession webSession;
+
+ @PostConstruct
+ public void initFlags() {
+ IntStream.range(1, 4).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
+ }
+
+ @Override
+ public String getPath() {
+ return "challenge/flag";
+ }
+
+ @RequestMapping(method = RequestMethod.POST)
+ @ResponseStatus(HttpStatus.OK)
+ public void postFlag(@RequestParam String flag, @RequestParam int challengeNumber) {
+ String expectedFlag = FLAGS.get(challengeNumber);
+ if (expectedFlag.equals(flag)) {
+ userTracker.assignmentSolved(webSession.getCurrentLesson(), "Challenge" + challengeNumber);
+ } else {
+ userTracker.assignmentFailed(webSession.getCurrentLesson());
+ }
+ }
+
+}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
new file mode 100644
index 000000000..dda05d492
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
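Review bot: `postFlag` dereferences the result of `FLAGS.get(challengeNumber)` on the `expectedFlag.equals(flag)` line without a null check, and `initFlags` only populates keys 1 through 3, so any other `challengeNumber` in the request ends in a NullPointerException and a server error rather than the failed-assignment path. Because `flag` is a required `@RequestParam` and therefore non-null here, reversing the comparison closes the gap in one line: `if (flag.equals(FLAGS.get(challengeNumber))) {`. `FLAGS` is also a raw `Map` that is `public static final` yet mutable and filled from an instance-level `@PostConstruct`; declaring it `Map<Integer, String>` and populating it in a static initializer (or wrapping it with `Collections.unmodifiableMap` once filled) lets `Challenge1` read it without an `Object` result and makes clear that the three flags are per-JVM and shared by every user, which deserves a class-level comment if that is intended. Since the flag is a secret token, comparing it with `MessageDigest.isEqual` on the UTF-8 bytes instead of `String.equals` would avoid a timing difference, though for a training lesson that may be an accepted trade-off.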
@@ -0,0 +1,13 @@
+package org.owasp.webgoat.plugin;
+
+/**
+ * Interface with constants so we can easily change the flags
+ *
+ * @author nbaars
+ * @since 3/23/17.
+ */
+public interface SolutionConstants {
+
+ String PASSWORD = "!!webgoat_admin_1234!!";
+
+}
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge.html
index b5a072d9b..76398ed1a 100644
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge.html
+++ b/webgoat-lessons/challenge/src/main/resources/html/Challenge.html
@@ -33,10 +33,23 @@
-
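Review bot: The Javadoc on `SolutionConstants` says the interface exists "so we can easily change the flags", but the only member is `PASSWORD`, while the actual flags are random UUIDs generated in `Flag.initFlags`; the summary should match, e.g. `/** Constants for the challenge lesson; PASSWORD is the value Challenge1 checks the submitted password against. */`. Using an interface purely as a constant holder is the constant-interface anti-pattern; a `public final class SolutionConstants` with a `private SolutionConstants() {}` constructor and `public static final String PASSWORD = "!!webgoat_admin_1234!!";` expresses the same thing without inviting `implements SolutionConstants`. A short comment stating that the credential is deliberately committed as lesson material would also keep secret-scanning tooling from flagging it as an accidental leak.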

-
+ +
+
+
+
+ +
+
+ +
+ +
+
+
+
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
index cbae74dcb..7a0256c24 100644
--- a/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
@@ -1 +1,2 @@
 challenge.title=WebGoat Challenge
+challenge.solved=Congratulations, you solved the challenge. Here is your flag: {0}
diff --git a/webgoat-lessons/challenge/src/main/resources/images/webgoat2.png b/webgoat-lessons/challenge/src/main/resources/images/webgoat2.png
index c53a1f75b..394793d4b 100644
Binary files a/webgoat-lessons/challenge/src/main/resources/images/webgoat2.png and b/webgoat-lessons/challenge/src/main/resources/images/webgoat2.png differ