Insecure Direct Ticket Reference
Scanbook allows us to make notes, post them, and then retrieve them with a unique QR code.
Generated QR code works like intended - if we save it and then upload it on the main page, we get our note content. There is something interesting about the ticket name though:
1
https://scanbook.chall.pwnoh.io/static/codes/25612511.png
It looks like a ticket indentifier. And sure enough, if we decode it (with an online QR code decoder), we can see it stores the same number: 25612511. If we generate more tickets, the number in the name increases. Interesting, that means we can generate a QR code with any number we want and then just upload it to the server to get the message. Let’s try to go a few tickets back, to number 25612489: 
Well, that’s not my test message, someone else put it there. So let’s try to check the very first message anyone could post: ticket with ID of 0.
And there’s the flag!