Task: Can you GET the flag from the API? http://167.99.8.90:9009/

A GET request to the url using Postman gives the following response:

{
"success": false,
"message": "Sorry ! You can't GET it :p"
}

So let's try a POST request. Response:

{
"success": false,
"message": "You should send me a url !"
}

No problem. I sent the url of the website itself in the POST body but I think anything would've worked. Request body:

{
    "url": "http://167.99.8.90:9009/"
}

Response:

{
"success": false,
"message": "Looking for flag ? Visit https://hackenproof.com/user/security"
}

So let's visit the site. The link is blocked because we need to make an account first. Let's create an account using a throwaway email, head to the link and at the bottom of the page we can find the key: