Easy peasy tasks:
just set in the URL id=0x3120616e6420313d3220756e696f6e2073656c65637420666c61672066726f6d20466c6167206c696d697420302c31
so we bypass is_numeric() check and then in 2nd and 3rd query we can inject basically what we want as a normal injection.
digest access authentication method applied here. Just a bit of bruteforce for the password and then break it.
Just recover the key + some bruteforce on chars range (0x1-0xff) to break encryption algorithm without reversing it.
dotPeek decompiler do the job. just read the challenge binary and with some xor/mod stuff recover the flag with known "key":