tl;dr: SQL injection -> XSS -> Looking at RegExp.input to find text of last thing a regex was run on, which happens to be the password. See full write up for details.

Original writeup (https://blog.bawolff.net/2022/02/write-up-for-dicectf-2022-nocookies.html).