Rating:

In Note, we can use arbitrary regular expressions.
However, in Note2, they banned the characters of {, }, (, ), +, and * in regular expressions.
We can still use . and ?, so we managed to do a blind regular expression injection attack.
The attack vectors are ^TSGCTF.A|^.?.?.?.?.?....., ^TSGCTF.B|^.?.?.?.?.?....., and so on.
Other details of Note2 are the same as that of Note, so see https://ctftime.org/writeup/22284.