I’m new to OTP and received a challenge.

Challenge

• Context: A server uses OTP to encrypt and decrypt authentication tokens.
• Misuse: The server always uses the same key.
• Objective: Forge a valid token for user "master".

API

• I can register unlimited users.
• Username: Between 8 and 32 alphanumeric characters.
• Password: At least 8 characters.
• Login: I get a token for every time log in.

The Token

• Encryption: plaintext ⊕ key = token.
• Misuse: The key will be the same for every token issued.
• The first 32 characters of the encrypted token contains the username.
• If username is shorter than 32, a fixed padding char will be used to fill.

I’ve tried

I’ve registered a new user

username: "usernametest",
password: "passwordtest"

And logged in two times

1st Token: F11D8C3559DACFF766C22A14E81DE3853F895947008EDDD53BC831CF5919C6F28CE938EDDFBC7914949C881FE1659E516B6DF43E267F537990791BBD4C2B528F42553E2577E5208BF815CCA3A9F290A453C46051E5A6

2nd Token: F11D8C3559DACFF766C22A14E81DE3853F895947008EDDD53BC831CF5919C6F28CE938EDDFBC7914948EAD47EE6E9245003B914F4727017BE75337B94836528F42553E2577E5208BF815CCA3A9F292A55BC26259EAAD

1. I know that "usernametest" appear in both messages.
2. I’ve encoded the word to a hex string: 757365726e616d6574657374.
3. 1st Token ⊕ 2nd Token: 1225580F0B0C146B56657161585202772A2C04041D000000000000000000000000000000000201080602080F0B
4. 1st Token ⊕ 2nd Token = ("usernametest" + fill + plaintext) ⊕ ("usernametest" + fill + plaintext).

Does it make sense? How should I proceed?

I’ve been stuck at this stage for more than a day. Can someone help me?

Reference:
Many Time Pad Attack – Crib Drag