1. Inject the `api/list` endpoint with SQL injection in an ORDER BY clause to find the name of the table with the flag in it.
2. Inject the same endpoint, this time knowing the table name, to find the flag.

Original writeup (https://kblagoev.com/blog/emoji-voting-cyberapocalypse-2021-ctf/).