The TL;DR of this challenge was SQL injection and overriding javascript (to skip the encrypt/decrypt functions). Challenge Challenge Name: Blog from the future Challenge Description: My friend Bob likes sockets so much, he made his own blog to talk about them. Can you check it out and make sure that it’s secure like he assured me it is? Link Solution JS Overriding Rule #1 of web CTFs: ALWAYS check robots.txt first! This time I found: User-Agent: * Disallow: /admin And in /admin there is a comment saying you need to use TOTP (Time Based OTP. Who does not use a TOTP for 2-factor authentication in 2020?