Tags: nextjs 

Rating: 5.0

### Description:
> Affekot
>
> 50
>
>
> I really want to buy the flag, but it's out of stock!
>
> I heard that the admin took the last one...

### Solution:
The application's JavaScript bundles disclosed several URL paths that the UI never links to (I pulled them out with the JS Link Finder Burp Suite extension), and two of them, /dev/signup and /dev/signin, were publicly accessible in the deployed app. Using these leftover developer endpoints I could register and log in as an admin user, and the flag was then readable from the 'orders' API endpoint.
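The first step above is just string-mining a client bundle. The following is an added example of that technique, written here for this writeup and not part of the original post or the challenge's code: a minimal link finder in the spirit of the JS Link Finder extension, run over a constructed Next.js-style webpack chunk (the chunk contents, the `/api/orders` and `/products` paths, and the `interestingPaths` prefix list are all assumptions made for the demonstration).

```javascript
// Added example: a minimal "JS link finder" that extracts URL-path string
// literals from a JavaScript bundle, as a Burp extension would.
// The bundle below is CONSTRUCTED to look like a Next.js/webpack chunk; it is
// not the challenge's real code.
const SAMPLE_BUNDLE = [
  '(self.webpackChunk_N_E=self.webpackChunk_N_E||[]).push([[123],{',
  '  4321:function(e,t,n){"use strict";',
  '    var r=n(7294);',
  '    async function signup(d){return fetch("/dev/signup",{method:"POST",body:JSON.stringify(d)})}',
  '    async function signin(d){return fetch("/dev/signin",{method:"POST",body:JSON.stringify(d)})}',
  '    async function orders(){return fetch("/api/orders")}',
  '    t.Z=function(){return r.createElement("a",{href:"/products"},"Shop")}',
  '  }',
  '}]);',
  '/* static assets, which a link finder should ignore */',
  '"/_next/static/chunks/main.js", "/favicon.ico"',
].join('\n');

// Quoted string literals that begin with "/" and contain only path-safe characters.
// Built inside the function so the global regex's lastIndex never leaks between calls.
function findPaths(source) {
  const pathLiteral = /["'`](\/[A-Za-z0-9_\-./]*)["'`]/g;
  const staticAsset = /\.(js|css|map|png|jpe?g|gif|svg|ico|woff2?)$/i;
  const seen = new Set();
  let m;
  while ((m = pathLiteral.exec(source)) !== null) {
    const p = m[1];
    if (p === '/' || staticAsset.test(p)) continue; // skip root and static files
    seen.add(p);
  }
  return [...seen].sort();
}

// Paths under prefixes that usually should not exist in a production build.
// The prefix list is an assumption; extend it for the target being tested.
function interestingPaths(paths) {
  const suspicious = /^\/(dev|debug|internal|test|staging)(\/|$)/;
  return paths.filter((p) => suspicious.test(p));
}

// Stand-alone run: list everything, then flag the developer-only routes.
const all = findPaths(SAMPLE_BUNDLE);
console.log('paths:', all);
console.log('worth probing first:', interestingPaths(all));
```

Each path the finder reports still has to be requested (unauthenticated, then with a low-privilege account) to see whether it is actually reachable, which is what made /dev/signup and /dev/signin useful here. The same scan run against your own production bundle is the cheap check that no developer-only routes shipped with the release.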

Original writeup (https://www.thesecuritywind.com/post/small-winds-no-03#viewer-8apex36146).