from the challenge title and the line if (strcasecmp($password, $FLAG) == 0)
we can see that this is a case of type juggling or loose comparison
the function strcasecmp()
does case insensitive string comparison and returns 0 when the two strings are equal
we can get the function to return 0 if we pass one side of the comparison (the one we control) as an empty array
modify the password parameter in the POST request in burp from password=
to password[]=
and it spits out flag
flag{no_way!_i_took_the_flag_out_of_the_source_before_giving_it_to_you_how_is_this_possible}