Tags: web race 

Rating: 5.0

# TL;DR
**Intended solution:** abuse the sleep in `/notes` to preserve the session while `/deleteme` deletes the user from the db (removing the user’s hash). Then, with the session kept from `/notes`, we have access to all the notes.

**Unintended solution:** using Turbo Intruder, race `/deleteme` and `/notes/flag` to delete our user’s hash while we have a valid session in `/notes/flag`, bypass `hasUserNoteAcess`, and get the flag.

Follow the link to see the full writeup.

Original writeup (https://sectt.github.io/writeups/Hacklu21/nodedb/README).
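
The race summarized in the TL;DR, reduced to a constructed in-memory model with the weak handler beside a hardened one. This is an added example, not code from the challenge or the linked writeup. Every name in it is hypothetical, and the fail-open rule in `hasAccess` (an account with no stored hash counts as privileged) is an assumption made to match the behaviour described above.

```javascript
// Constructed in-memory model; every name here is hypothetical.
const users = new Map();     // user name -> { hash, notes: Set of note ids }
const sessions = new Map();  // session id -> user name
const notes = new Map([['flag', 'constructed-secret']]);
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

function register(name, sid) {
  users.set(name, { hash: 'constructed-hash', notes: new Set() });
  sessions.set(sid, name);
}

// Assumed fail-open rule: an account without a stored hash is privileged.
function hasAccess(name, noteId) {
  const user = users.get(name);
  if (user && user.notes.has(noteId)) return true;
  return !(user && user.hash);
}

function deleteMe(sid) {
  users.delete(sessions.get(sid)); // the record and its hash disappear
  sessions.delete(sid);            // the session is torn down as well
}

// Weak: identity is resolved once, then the handler awaits before authorizing.
async function getNoteWeak(sid, noteId) {
  const name = sessions.get(sid);
  if (!name) return 401;
  await sleep(20); // stands in for the sleep in /notes
  return hasAccess(name, noteId) ? notes.get(noteId) : 403;
}

// Hardened: re-validate after the await and deny when the account is gone.
async function getNoteHardened(sid, noteId) {
  if (!sessions.has(sid)) return 401;
  await sleep(20);
  const name = sessions.get(sid);
  const user = name && users.get(name);
  if (!user || !user.hash) return 401; // fail closed on a missing record
  return user.notes.has(noteId) ? notes.get(noteId) : 403;
}

// Start a read, delete the account while the read is suspended, collect the result.
async function raceDemo(handler) {
  register('alice', 's1');
  const pending = handler('s1', 'flag');
  deleteMe('s1');
  return pending;
}
```

The defensive point is that any state read before an `await` is stale afterwards, so the authorization decision has to be made from data fetched after the last suspension point and must deny when the record is missing.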