Rating:

Task:
Can you GET the flag from the API?
http://167.99.8.90:9009/

A GET request to the url using Postman gives the following response:
```
{
"success": false,
"message": "Sorry ! You can't GET it :p"
}
```

So let's try a POST request. Response:
```
{
"success": false,
"message": "You should send me a url !"
}
```

No problem. I sent the url of the website itself in the POST body but I think anything would've worked.
Request body:
```
{
"url": "http://167.99.8.90:9009/"
}
```
Response:
```
{
"success": false,
"message": "Looking for flag ? Visit https://hackenproof.com/user/security"
}
```

So let's visit the site. The link is blocked because we need to make an account first. Let's create an account using a throwaway email, head to the link and at the bottom of the page we can find the key:
![](https://i.ibb.co/F7hjjGj/Selection-024.png)