Loose comparisons in PHP allow an attacker to bypass authentication.
Unfortunately, I do not have access to the original scoreboard or the web server, so some of the details of the solution are reconstructed from memory.
On an incorrect username and password, the pertinent HTTP request and response are as follows.
The bug in the challenge is that the login.php code compares the submitted password against the valid password using a loose comparison operator. If we set the password field to 0, we can bypass the authentication.
Navigating to the admin.php page with the logged in cookie gives us our flag.