TL;DR: JA3 ratelimit bypass + a little guessing + MongoDB query injection

Original writeup (https://medium.com/@juwilie/yauzactf-2021-hackback-writeup-d5aae202a0d8).