This is a Blind NoSQL Injection attack.

1. Recognize the NoSQL Injection vulnerability using this payload: GET /api/posts?title[%24ne]=.
2. Develop an exploit that attempts to scan for the string “flag” in the post contents using the MongoDB $where operator: /api/posts?%24where=function(){return%20this.content.includes('flag')}.
3. The response returned for the above injection payload tells us that the flag contents have been redacted by the server. Develop a script that lets us enumerate the characters in the flag based on this response (see section titled Enumerating the Flag Alphabet).
4. Adapt the script from step 3 to leak the flag using the alphabet that we enumerated and the response of the server (see the section titled Disclosing the Flag).
5. Pr0f1t!

Original writeup (https://ajmalsiddiqui.me/blog/squarectf-2020-deep-web-blog/).