Try a CSRF that posts a message in the multichat service. You can do this by running a web server with python -m SimpleHTTPServer on your vulnerable host (remember to open port 8000 in the firewall). Anyone who visits your web page with the chat open in another tab should post a message without noticing. You can try it yourself and, when it works, ask your teammates to test it.
Try a similar CSRF on the DCTF site. For example, you can try to submit a FLAG in one of the challenges. The anti-CSRF token will stop your attack.
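
Why the token stops the second attempt, as an added example that is not the DCTF site's own code: a minimal server-side check in which the session cookie arrives on every request but only a form served by the site carries the matching token. The handler name, the field names (session, csrf_token, flag) and the HMAC-based token derivation are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real application loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Derive the anti-CSRF token embedded in forms served to this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_post(cookies: dict, form: dict) -> tuple:
    """Hypothetical handler for a state-changing POST such as a flag submission.

    The browser attaches the session cookie to every request for the site,
    including one triggered from another origin, so the cookie alone does not
    prove the user meant to send the form. The token does: a page on another
    origin cannot read it out of the site's HTML.
    """
    session_id = cookies.get("session")
    if session_id is None:
        return 401, "not logged in"
    expected = issue_token(session_id).encode()
    supplied = form.get("csrf_token", "").encode()
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(expected, supplied):
        return 403, "CSRF token missing or invalid"
    return 200, "accepted: " + form.get("flag", "")


def demo() -> dict:
    cookies = {"session": "constructed-session-id"}  # constructed sample value
    flag = "FLAG{sample}"  # constructed sample value
    token = issue_token(cookies["session"])
    stale = issue_token("someone-else")  # token bound to a different session
    return {
        # Form rendered by the site itself: carries the token.
        "same_site": handle_post(cookies, {"flag": flag, "csrf_token": token}),
        # Cross-site form: the cookie is sent automatically, the token is absent.
        "cross_site": handle_post(cookies, {"flag": flag}),
        "other_session": handle_post(cookies, {"flag": flag, "csrf_token": stale}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The multichat service in the first exercise accepts the cross-site post because it performs no check of this kind on the request.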