Action | Rating | Author team |
---|---|---|
Read writeup | not rated | R3d Cr3sc3nt |
Read writeup | not rated | rawsec |

The writeup isn't 100% accurate:
The bug that exists in the code is in line 8:
```php
$hash = substr(`/home/ctf/vhash $filename`, 0, 256);
```
The vhash binary doesn't take a filename as input, it reads from STDIN - this is what was fixed in "VHash-Fixed". So, changing "guest" to "administrator" only worked because the vhash binary was only ever fed a null string - and the hash in the cookie was the value of a hash of no data.
An earlier check:
```php
if(create_hmac($cookie) !== $hmac)
```
is what handles the actual authentication - the username doesn't matter until after the hmac check.
^ Sorry: referring to rawsec
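
The effect described in the comment above can be reproduced with a stand-in hasher. This is an added example, not code from the challenge or from either writeup: the real vhash binary is replaced by a small stdin-only SHA-256 hasher, and the file contents and the `hash_buggy`/`hash_fixed` names are constructed for illustration.

```python
import hashlib
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for the vhash binary: it hashes whatever arrives on
# STDIN and ignores its arguments. SHA-256 is an assumption; the page does
# not describe the real hash function.
STDIN_HASHER = (
    "import sys, hashlib;"
    "print(hashlib.sha256(sys.stdin.buffer.read()).hexdigest())"
)
EMPTY_DIGEST = hashlib.sha256(b"").hexdigest()


def _run(args, stdin):
    out = subprocess.run([sys.executable, "-c", STDIN_HASHER, *args],
                         stdin=stdin, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def hash_buggy(filename):
    """Filename passed as an argument (the pattern in line 8); STDIN is empty."""
    return _run([filename], subprocess.DEVNULL)


def hash_fixed(filename):
    """File contents fed on STDIN, which is what a stdin-only hasher expects."""
    with open(filename, "rb") as fh:
        return _run([], fh)


def demo():
    """Hash two constructed files both ways; returns {name: (buggy, fixed)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for user in ("guest", "administrator"):
            path = os.path.join(tmp, user)
            with open(path, "w") as fh:
                fh.write("username=" + user)  # constructed sample contents
            results[user] = (hash_buggy(path), hash_fixed(path))
    return results


if __name__ == "__main__":
    for user, (buggy, fixed) in demo().items():
        print(f"{user:14} buggy={buggy[:16]} fixed={fixed[:16]}")
    print(f"{'empty input':14} {EMPTY_DIGEST[:16]}")
```

With the buggy call both files produce the digest of empty input, so the hash says nothing about the data it is supposed to cover; with the contents on STDIN the digests differ.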