TL;DR: The site is vulnerable to NoSQL injection. This leads to being able to bruteforce the flag contents.

The full writeup has detailed explanations and images: [link](https://github.com/ryan-cd/ctf/tree/master/2020/square-ctf)

Original writeup (https://github.com/ryan-cd/ctf/tree/master/2020/square-ctf).