Tags: web reverse_engineering 

Rating: 5.0

tl;dr.
Check robots.txt to find the hidden directory. Authentication is done in JavaScript, which uses Unicorn to emulate shellcode. Reverse engineer the shellcode to recover the username and password, then get the flag.

Original writeup (https://catousify.wordpress.com/2017/12/17/inctf-2017-secure-auth-writeup/).