Looking inside the source,we are directed to
source.txt to look at the password comparison code.
The password is the flag itself! So we can’t be expected to guess it, we need to use the hint that there is a vulnerability in the code. After googling about php strcmp vulnerabilities we see that when comparing a string and an array, the result is always 0. So we need to set password to be an array in the URL.