Tags: api
This is an API challenge with no vulnerability. Maybe the purpose of this challenge is to understand the code.
Challenge description--
Challenge url--
--Solution--
1# Create a user by sending a POST request to "/api/user/new-token" with the header "Authorization: 0nlyL33tHax0rsAll0w3d" ('0nlyL33tHax0rsAll0w3d' is in config.py).
2# Send a POST request to "/api/user/nothing-here" with "Authorization: (Your user token)". You will see '{"detail": "requests were the same :rooFrozen:"}'.
3# Add one random header (such as 'X-Forward-For: 127.0.0.1') and request "/api/user/nothing-here" again.
4# If you see '{"detail": "i'm being hacked :rooNobooli: :banhammer:"}', that means you got 100 points. You can check by going to "/api/user/points".
5# Repeat step 3# until you get 1000 points.
6# When you get 1000 points, go to "/api/admin/flag" and enjoy your flag. :)
Flag: ictf{b3aT_tH3_g@Me_???}
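The steps above, replayed against a small in-memory model (an added example, not the challenge's source code). Assumptions: the server treats a request carrying only the Authorization header as "the same" and any extra header as a change, the flag endpoint checks the user token's points, and the token format, error body and FLAG value are constructed placeholders.

```python
# Constructed model of the behaviour observed in the steps above.
# It is NOT the challenge's source; the comparison rule is an assumption.
ADMIN_SECRET = "0nlyL33tHax0rsAll0w3d"   # value the write-up found in config.py
FLAG = "FLAG_PLACEHOLDER"                # constructed, not the real flag
REFERENCE_HEADERS = {"authorization"}    # assumed: headers of an "unchanged" request

class ApiModel:
    def __init__(self):
        self.points = {}                 # user token -> points

    def new_token(self, headers):        # POST /api/user/new-token
        if headers.get("Authorization") != ADMIN_SECRET:
            return None
        token = f"token-{len(self.points) + 1}"   # constructed token format
        self.points[token] = 0
        return token

    def nothing_here(self, headers):     # POST /api/user/nothing-here
        token = headers.get("Authorization")
        if token not in self.points:
            return {"detail": "unknown token"}    # assumed error body
        if {name.lower() for name in headers} == REFERENCE_HEADERS:
            return {"detail": "requests were the same :rooFrozen:"}
        self.points[token] += 100        # any extra header counts as a change
        return {"detail": "i'm being hacked :rooNobooli: :banhammer:"}

    def flag(self, headers):             # GET /api/admin/flag
        if self.points.get(headers.get("Authorization"), 0) >= 1000:
            return FLAG
        return None

def walk_through(api):
    """Replay steps 1-6 and return (responses, final points, flag)."""
    token = api.new_token({"Authorization": ADMIN_SECRET})        # step 1
    auth = {"Authorization": token}
    seen = [api.nothing_here(auth)["detail"]]                     # step 2
    changed = {**auth, "X-Forward-For": "127.0.0.1"}              # step 3
    while api.points[token] < 1000:                               # steps 4-5
        seen.append(api.nothing_here(changed)["detail"])
    return seen, api.points[token], api.flag(auth)                # step 6

if __name__ == "__main__":
    print(walk_through(ApiModel()))
```

In this model the whole gate rests on two client-controlled inputs: a static secret shipped in config.py and the set of headers the client chooses to send.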
Thank you for reading. :cowboy_hat_face: :cowboy_hat_face: