The challenge here is to bypass a creative authentication mechanism. You can download the server’s source code here, and run it in local as I did during the CTF.
To have the flag you just need to login with a serialnuber which exists in a table named ‘serialnumbers’, initially populated by 2 entries.
To bypass authentication and print the flag just signup as:
Username: pyno Password: pyno Serialnumber: serialnumber
And then login with the user pyno.