The server was vulnerable to SQL injection in the /api/list API endpoint, which allowed the flag to be discovered. This was a fairly laborious process, as the injection point came after an ‘ORDER BY’ clause, which increased the complexity of exploiting it.
Using a Python script, we can automate the process to discover the name of the flag table and then the flag contents.
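
On the defensive side, an injection point after ‘ORDER BY’ cannot be closed with bind parameters, because placeholders bind values rather than column names. The following is an added example, not code from the challenge server: it shows a concatenated sort parameter beside an allowlisted one. The table, columns, function names and the use of SQLite are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price INTEGER)")
    db.executemany("INSERT INTO items (name, price) VALUES (?, ?)",
                   [("pear", 30), ("fig", 10), ("banana", 20)])
    return db

def list_items_vulnerable(db, sort):
    # The request value is pasted straight after ORDER BY, so the database
    # parses it as SQL, not as a column name.
    return [r[0] for r in db.execute("SELECT name FROM items ORDER BY " + sort)]

# Placeholders bind values, not identifiers: "ORDER BY ?" would sort by a
# constant string. Map the request value onto fixed SQL fragments instead.
SORT_COLUMNS = {"id": "id", "name": "name", "price": "price"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

def list_items_hardened(db, sort="id", direction="asc"):
    try:
        column = SORT_COLUMNS[sort]
        order = SORT_DIRECTIONS[direction.lower()]
    except (KeyError, TypeError, AttributeError):
        raise ValueError("unsupported sort parameter") from None
    # Only strings taken from the allowlists above reach the query text.
    return [r[0] for r in db.execute(f"SELECT name FROM items ORDER BY {column} {order}")]

if __name__ == "__main__":
    db = make_db()
    # A constructed, harmless expression is executed as SQL by the first version.
    print(list_items_vulnerable(db, "length(name) DESC"))
    print(list_items_hardened(db, "price", "desc"))
    try:
        list_items_hardened(db, "length(name) DESC")
    except ValueError as exc:
        print("rejected:", exc)
```

Rejected sort values are also worth logging, since a burst of them against one endpoint is a useful detection signal.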