TL;DR: The site is vulnerable to NoSQL injection. This leads to being able to bruteforce the flag contents.

The full writeup has detailed explanations and images: [link](https://github.com/ryan-cd/ctf/tree/master/square-ctf-2020)

Original writeup (https://github.com/ryan-cd/ctf/tree/master/square-ctf-2020).