The first clue can be seen by viewing source or by highlighting all the text on the page.

The second can be seen by telneting to port 80 (no HTTP headers). By sending different headers the CGI script acts differently.

The third is hidden in favicon.ico after the image (hidden by modifying the content-length to ignore what follows the legitimate image)

The last is hidden inside the image and can be seen by editing the image, or by using imagemagic's identify -verbose or by various other means.

Concatinating the strings together and base64 decoding them provides the solution.