Access Control Flaws, LAB stage 3: Remove the FindProfile screen #186
Closed
Description
In stage 3, we try to read another employee's profile by changing the employee id in this URL:
/attack?Screen=322&menu=200&stage=3&employee_id=105&action=ViewProfile
However, the application already allows a user to view a profile using the Search Staff feature, which will legally display an employee's profile. So basically the user is asked to find a hack to access a feature that he can already access through the normal application's behavior :-)
Since the Search Staff feature is not needed at this stage, it might be worth disabling/removing it to avoid confusion.
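For readers who want to see the flaw the stage is meant to teach, independent of the Search Staff screen: the following is an added example, written for this page and not taken from WebGoat's code base, that models a ViewProfile handler which looks a profile up by the `employee_id` request parameter alone, next to a version that first authorizes the session user against that target. The employee table, the roles and the "self, HR, or direct manager" rule are constructed for the illustration and are not WebGoat's data model; only the URL shape and the id 105 come from the issue above.

```python
"""Added example (not WebGoat's code): insecure direct object reference in a
profile handler, as in the stage 3 URL

    /attack?Screen=322&menu=200&stage=3&employee_id=105&action=ViewProfile

The vulnerable handler returns whatever employee_id names; the fixed handler
decides based on who is logged in, not on what the client sent.
"""
from urllib.parse import parse_qs, urlparse

# Constructed sample directory: employee id -> record.  Not WebGoat's data.
EMPLOYEES = {
    101: {"name": "Alice", "manager_id": 102, "role": "employee"},
    102: {"name": "Bob",   "manager_id": 103, "role": "manager"},
    103: {"name": "Carol", "manager_id": None, "role": "hr"},
    105: {"name": "Dave",  "manager_id": 102, "role": "employee"},
}


class AccessDenied(Exception):
    """Raised when the session user may not view the requested profile."""


def employee_id_from_url(url: str) -> int:
    """Pull employee_id out of a lab-style URL (path plus query string)."""
    query = parse_qs(urlparse(url).query)
    return int(query["employee_id"][0])


def view_profile_vulnerable(session_user_id: int, url: str) -> dict:
    """Vulnerable: the session user is ignored, the parameter is trusted."""
    target_id = employee_id_from_url(url)
    return EMPLOYEES[target_id]


def may_view(viewer_id: int, target_id: int) -> bool:
    """Constructed authorization rule: yourself, anyone in HR, or your direct
    reports.  A real system would load this from its own access model."""
    viewer = EMPLOYEES[viewer_id]
    target = EMPLOYEES[target_id]
    if viewer_id == target_id:
        return True
    if viewer["role"] == "hr":
        return True
    return target["manager_id"] == viewer_id


def view_profile_fixed(session_user_id: int, url: str) -> dict:
    """Fixed: authorize the session user against the target before reading.
    An unknown id gets the same denial as a forbidden one, so the response
    does not reveal which ids exist."""
    target_id = employee_id_from_url(url)
    if target_id not in EMPLOYEES or not may_view(session_user_id, target_id):
        raise AccessDenied(f"user {session_user_id} may not view employee {target_id}")
    return EMPLOYEES[target_id]


def can_view_via_url(session_user_id: int, url: str) -> bool:
    """Convenience wrapper: True if the fixed handler would serve the profile."""
    try:
        view_profile_fixed(session_user_id, url)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    url = "/attack?Screen=322&menu=200&stage=3&employee_id=105&action=ViewProfile"
    # Employee 101 (Alice) tampers with the id: the vulnerable handler obliges.
    print("vulnerable:", view_profile_vulnerable(101, url)["name"])
    # The fixed handler refuses Alice but serves Dave's manager, HR, and Dave.
    for uid in (101, 102, 103, 105):
        print(f"fixed, user {uid}:", can_view_via_url(uid, url))
```

The point the check makes is that `employee_id` is a client-controlled input; the only trustworthy identity is the one bound to the session, and the server must derive "may this user see that record" from that identity on every request rather than relying on which links the UI happens to show.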