Password Changer 3000 — Insecure Token via Base64-Encoded Username
The password-reset token is simply the base64 encoding of the username, so anyone who knows a username can compute that account's token. Encoding ‘admin’ and passing it as the token query parameter triggers the admin password change flow and reveals the flag.
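The weak pattern described above next to a hardened form, as an added example that is not the challenge's own code. The names `weak_token`, `ResetTokenStore` and `token_is_derivable` are hypothetical, and the in-memory dict is an assumption standing in for a real database table.

```python
import base64
import hashlib
import hmac
import secrets
import time


def weak_token(username):
    # Pattern described on the page: the token is only base64(username),
    # so it carries no secret and can be computed by anyone.
    return base64.b64encode(username.encode()).decode()


class ResetTokenStore:
    """Hypothetical hardened store: random, single-use, expiring tokens."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(token) -> (username, expiry time)

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        # Store only a hash, so a leaked table does not yield usable tokens.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (username, now + self.ttl)
        return token

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop makes the token single-use
        if entry is None:
            return None
        username, expiry = entry
        # The account comes from server-side state, never from the token itself.
        return username if now <= expiry else None


def token_is_derivable(token, username):
    # Audit check for code review or tests: flags a token that is only an
    # encoding of the username it is supposed to protect.
    return hmac.compare_digest(token, weak_token(username))
```

`token_is_derivable` can be called from a regression test against whatever the reset endpoint actually issues, so that a return to the encoded-username scheme fails the build.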