Two flags are available. To get the easy flag, identify the reverse proxy and use it to access an internal system. To get the second flag, bypass the access controls protecting app.listentothewhispers.net
You may find this helpful: https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work
The easiest way to get both flags is using Param Miner. If you'd prefer a more educational experience, try building and intepreting the timing probes yourself using the 'timing.py' script in Turbo Intruder.
Listen closely.