Taking a glance at the HTML, literally nothing sus, just some silly Cloudflare stuff, a rickroll vid at /rickroll.mp4.
Besides Cloudflare thingy and explicitly-loaded resources declared in the HTML, theres also favicon.ico.
Hex-dumping that file, we got wOF2, according to List of file signatures, its a WOFF2 file. A font disguised as a favicon, gg.
Now lets inspect this font first, decompressing it with woff2_decompress favicon.ico gives us favicon.ttf. Dump the font tables with ttx favicon.ttf.
Line 12807: it defines a ligature, Y followed by ou have been rick rolled by Mr. Ashley LMAO to glyph00040.
<LigatureSubst index="0">
<LigatureSet glyph="Y">
<Ligature components="o,u,space,h,a,v,e,space,b,e,e,n,space,r,i,c,k,space,r,o,l,l,e,d,space,b,y,space,M,r,period,space,A,s,h,l,e,y,space,L,M,A,O" glyph="glyph00040"/>
</LigatureSet>
</LigatureSubst>Line 12817: it substitutes glyph00040 with another sequence.
<MultipleSubst index="0">
<Substitution in="glyph00040" out="glyph00012,glyph00010,M,glyph00018,glyph00016,glyph00002,glyph00010,glyph00017,glyph00011,glyph00038,glyph00004,r,glyph00020,glyph00028,u,s,glyph00007,glyph00020,b,glyph00005,c,glyph00006,u,s,glyph00005,glyph00020,i,glyph00007,glyph00020,i,s,glyph00020,h,i,d,d,glyph00005,n,glyph00008,glyph00008,glyph00008,glyph00039"/>
</MultipleSubst>Now we got the key: You have been rick rolled by Mr. Ashley LMAO. Too lazy to do back substitution, I used imagemagick to render it to an image.
magick -font ./favicon.ttf label:'You have been rick rolled by Mr. Ashley LMAO' flag.pngflag.png renders HCMUS-CTF{0r_jus7_b3c4us3_i7_is_hidd3n???}.