I found the flag pretty easily but, sadly, out of 9 other people that solved it... random.org did not like me that much :))
Here is a writeup for the challenge.
First things first: I tested with a random email and password so I could catch errors and so on. The first error was about a wrong username, so I took the emails present on the same page and tried them until I found the correct one, then started hydra to brute force it (well, I hadn’t seen the hints, so I tried it with another dictionary at first).
hydra -l email@example.com -P rockyou.txt 18.104.22.168 -s 5000 http-post-form "/:email=^USER^&password=^PASS^&submit=fdf:F=Wrong password!" -vV -t 32 -f
After getting access to the system, there was a hint in the text itself, so I tried to find a point where I could increase the level from 0 to 10 to see what happens. There were no endpoints, so... hmm... I looked in the cookies, found one that looked like an md5 string, so I used a “decrypt” website and it was “0”... LOL, all I had to do was md5(“10”), then replace the cookie content, and that was all 🙂
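From the defender's side, the cookie fails because an unkeyed MD5 of the level can be computed by anyone, so the server cannot tell its own value from a client-made one. The sketch below is an added example, not the challenge's code: it puts that scheme beside an HMAC-signed cookie, and the function names, the key handling and the `user|level` message layout are all assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret that only the server knows.
SECRET_KEY = secrets.token_bytes(32)

def weak_cookie(level: int) -> str:
    """Scheme described in the writeup: bare MD5 of the level, no key."""
    return hashlib.md5(str(level).encode()).hexdigest()

def weak_read(cookie: str, max_level: int = 10):
    """Server maps the digest back to a level; any client can mint one."""
    for level in range(max_level + 1):
        if hmac.compare_digest(cookie.encode(), weak_cookie(level).encode()):
            return level
    return None

def _tag(level: int, user: str) -> str:
    # Binding the user stops one account's cookie being replayed on another.
    msg = f"{user}|{level}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def signed_cookie(level: int, user: str) -> str:
    """Hardened form: the level travels with a keyed tag."""
    return f"{level}.{_tag(level, user)}"

def signed_read(cookie: str, user: str):
    """Return the level only if the tag verifies for this user, else None."""
    level_str, sep, tag = cookie.partition(".")
    if not sep or not (level_str.isascii() and level_str.isdigit()):
        return None
    level = int(level_str)
    if hmac.compare_digest(tag.encode(), _tag(level, user).encode()):
        return level
    return None

if __name__ == "__main__":
    user = "alice@example.com"          # constructed sample account
    # Unkeyed scheme: a client-computed digest is accepted as level 10.
    print("weak scheme accepts:", weak_read(weak_cookie(10)))
    # Keyed scheme: changing the level without the key fails verification.
    issued = signed_cookie(0, user)
    tampered = "10." + issued.split(".", 1)[1]
    print("signed, untouched:", signed_read(issued, user))
    print("signed, tampered:", signed_read(tampered, user))
```

Signing only makes the value tamper-evident; keeping the level in server-side session state, so it never reaches the client, removes the problem entirely.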