247CTF solution: Secured session

In this challenge we are given Python source code. Reading the file, we can see that the flag is already stored in the session before the web application compares the `secret_key` parameter with `os.urandom(24)`.

So we only need to get the session cookie of the page: https://d2a55b8b83bf981a.247ctf.com/flag

eyJmbGFnIjp7IiBiIjoiTWpRM1ExUkdlMlJoT0RBM09UVm1PR0UxWTJGaU1tVXdNemRrTnpNNE5UZ3dOMkk1WVRreGZRPT0ifX0.YEDySg.JxL0wjTpynKN91NMg4u75rjIX_Y

Base64-decode this string twice and we get the flag.
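The two decoding steps above, as an added example (not code from the challenge or the original post): it assumes the cookie uses Flask's default signed-session layout `payload.timestamp.signature`, which is signed but not encrypted, and it runs on a constructed sample cookie rather than the one from the challenge. All function names are hypothetical.

```python
import base64
import json
import zlib


def b64url_decode(text):
    """URL-safe base64 decode, restoring the padding the cookie format strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def untag(value):
    """Undo the {" b": "<base64>"} wrapper used for bytes values (second decode)."""
    if isinstance(value, dict):
        if len(value) == 1 and " b" in value:
            return base64.b64decode(value[" b"])
        return {k: untag(v) for k, v in value.items()}
    if isinstance(value, list):
        return [untag(v) for v in value]
    return value


def read_session_cookie(cookie):
    """Return the session contents; no secret_key needed, no signature check done."""
    compressed = cookie.startswith(".")  # a leading dot marks a zlib-compressed payload
    payload = (cookie[1:] if compressed else cookie).split(".")[0]
    raw = b64url_decode(payload)         # first decode: the JSON session body
    if compressed:
        raw = zlib.decompress(raw)
    return untag(json.loads(raw))


def make_sample_cookie(value, compress=False):
    """Constructed cookie with the same layout; timestamp and signature are dummies."""
    inner = base64.b64encode(value).decode()
    body = json.dumps({"flag": {" b": inner}}, separators=(",", ":")).encode()
    if compress:
        body = zlib.compress(body)
    payload = base64.urlsafe_b64encode(body).decode().rstrip("=")
    return ("." if compress else "") + payload + ".AAAAAA.constructed-signature"


SAMPLE = make_sample_cookie(b"FLAG{constructed-sample}")  # constructed, not the real flag

if __name__ == "__main__":
    print(read_session_cookie(SAMPLE))
```

Because the payload is readable by anyone who holds the cookie, secrets should never be placed in a client-side session; keep them server-side and store only an opaque identifier in the cookie.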
