# Solution

The app determines which user you are from the `session_id` cookie, which is just your username Base64-encoded. Once you discover that, you can replace your cookie value with "Admin" Base64-encoded and access the flag.
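Why this works, and what the fix looks like, as an added example (not the challenge's own code): the weak check trusts any Base64 value the client sends, while the hardened check only accepts cookies carrying a server-computed HMAC tag. The function names, the cookie layout and `SECRET_KEY` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: a server-side key that is never sent to the client.
SECRET_KEY = secrets.token_bytes(32)

def weak_user_from_cookie(cookie: str) -> str:
    """The design described above: the cookie is only Base64(username)."""
    return base64.b64decode(cookie).decode()

def issue_signed_cookie(username: str, key: bytes = SECRET_KEY) -> str:
    """Hardened form: Base64url(username) + '.' + HMAC-SHA256 tag."""
    payload = base64.urlsafe_b64encode(username.encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def user_from_signed_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the username, or None if the server did not issue this cookie."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag at all, e.g. a bare Base64 username
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes; a wrong or missing tag is rejected.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    try:
        return base64.urlsafe_b64decode(payload).decode()
    except ValueError:  # covers bad Base64 and invalid UTF-8
        return None

def demo() -> dict:
    """Run both checks on constructed cookie values."""
    client_made = base64.b64encode(b"Admin").decode()  # built without the server
    issued = issue_signed_cookie("guest")
    # Keep guest's tag but swap in a different username payload.
    swapped = base64.urlsafe_b64encode(b"Admin").decode() + "." + issued.split(".")[1]
    return {
        "weak_accepts_client_value": weak_user_from_cookie(client_made),
        "signed_rejects_untagged": user_from_signed_cookie(client_made),
        "signed_rejects_swapped": user_from_signed_cookie(swapped),
        "signed_accepts_issued": user_from_signed_cookie(issued),
    }

if __name__ == "__main__":
    print(demo())
```

An opaque random session ID looked up in server-side storage closes the same gap without putting the username in the cookie at all.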