
When I saw this challenge, it seemed to me like SQLi in the login form. But I tried to look into the source code of the page, then I noticed a URL to a YouTube video, so I opened it and watched the video, but something weird was there:
the video started playing from the 3rd second.
So I restarted it from the first second and there was a character name and a dragon name, which are ***BILBO*** and ***SMAUG*** respectively.
Then I took the username { DUNGEON_MASTER } and password { baggins }, which is the last name of the character BILBO, in Burp Suite, and it looked like this.

![](https://preview.ibb.co/mePsKn/swampCTF.png)

And that was a good idea, they match :)
The input hash was a SHA-256 hash of the valid user and pass, so I tried to decrypt
it and it gave me { smaug123 }, which is the password. At the end I went to the login form and used this information ( DUNGEON_MASTER.smaug123 )
to log in and got the flag ;)

![](https://preview.ibb.co/bwXZX7/webswamp_CTF.png)

flag{somewhere_over_the_rainbow_tables} .

Team : ***%00Byte***
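
The flag points at rainbow tables: a bare SHA-256 of a password can be reversed by looking it up in a precomputed table. The sketch below is an added example, not part of the original writeup or the challenge code; it contrasts that storage scheme with a salted, slow KDF. It assumes the leaked value is an unsalted SHA-256 of the password alone, and the wordlist, function names and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a precomputed (rainbow-style) table.
WORDLIST = ["baggins", "bilbo", "smaug", "smaug123", "dungeon_master"]
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting)


def build_lookup(words):
    """Precompute sha256(word) -> word once; it works against every unsalted hash."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def weak_store(password):
    """Unsalted SHA-256, the scheme the challenge is assumed to use."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_store(password):
    """Per-user random salt plus a slow KDF; store both salt and derived key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def strong_verify(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


def demo():
    table = build_lookup(WORDLIST)
    salt1, key1 = strong_store("smaug123")
    _, key2 = strong_store("smaug123")
    return {
        "unsalted_lookup": table.get(weak_store("smaug123")),  # table hit
        "salted_lookup": table.get(key1.hex()),  # no entry can match
        "same_password_same_record": key1 == key2,  # salts differ per user
        "verify_right": strong_verify("smaug123", salt1, key1),
        "verify_wrong": strong_verify("baggins", salt1, key1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the salted scheme, a table has to be rebuilt per salt and each guess costs the full iteration count, so a leaked hash no longer gives up the password to a simple lookup.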