A pretty funny challenge to begin with. It may pose some obstacles to new players, yet if you inspect the challenge's source code carefully enough, it is plain simple and needs no further explanation. However, spoiler alert: it can also be solved without reviewing the source code at all, lol. Either way, scroll down and enjoy the write-up if you find it useful.
The link is https://flaglang.chall.lac.tf/, so it's time to open it and see what it looks like…

OK, now let’s check the source code. You will see that selecting an option in the left drop-down menu sends a request to the /switch?to=<country> route, and the right one sends a request to /view?country=<country>. But after peeking at and messing around with the source code for a while, I found these things that look suspicious…

So there is a country called Flagistan and its msg and password are <REDACTED>. At the moment, I have no idea what <REDACTED> means but I guess it will be replaced with something else once it’s in production, so those could be the flags.
But to grab the msg of any country, the only possible attack vector is through the /view?country=<country> route.
app.get('/view', (req, res) => {
  ...
  res.status(200).json({ msg: country.msg, iso: country.iso }); // <--- seems suspicious
});

So I wonder, what if I simply select the Flagistan option of the second drop-down menu?

Hmm… currently it has an embargo. So let me check which part of the source code contains the logic for that.
app.get('/view', (req, res) => {
  ...
  const country = countryData[req.query.country];
  const userISO = req.signedCookies.iso;
  if (country.deny.includes(userISO)) {
    res.status(400).json({ err: `${req.query.country} has an embargo on your country` });
    return;
  }
  res.status(200).json({ msg: country.msg, iso: country.iso });
});

Oh, so if the deny attribute of Flagistan includes the ISO code of whatever country is selected on the left (Lithuania currently), it will return such a message. To bypass this, I simply tried to see if there was any country which isn’t on the list, and after messing around for a while, I found out that none of the countries are valid.
But if you look closely…
...
const userISO = req.signedCookies.iso;
if (country.deny.includes(userISO)) {
  res.status(400).json({ err: `${req.query.country} has an embargo on your country` });
  return;
}
...

you will see that req.signedCookies.iso is only defined when the request carries the signed cookie, which is set whenever the user switches to another country on the left. So what if I delete my own cookies?

And after retrying…

And the flag is shown.
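The check above fails open: with no cookie, userISO is undefined and deny.includes(undefined) is false. The sketch below is an added example, not the challenge's source; it reproduces the quoted logic as a pure function next to a fail-closed variant. The function names, the sample countryData and the ISO codes are constructed for illustration.

```javascript
// Constructed sample data; the challenge's real countryData is not reproduced here.
const countryData = {
  Lithuania: { iso: 'LT', msg: 'Labas', deny: [] },
  Flagistan: { iso: 'FL', msg: 'PLACEHOLDER_FLAG', deny: ['LT', 'US', 'FR'] },
};
const knownISOs = new Set(Object.values(countryData).map((c) => c.iso));

const embargo = (name) => ({
  status: 400,
  body: { err: `${name} has an embargo on your country` },
});

// Same logic as the /view handler quoted above, written as a pure function.
function viewOriginal(query, signedCookies) {
  const country = countryData[query.country];
  const userISO = signedCookies.iso; // undefined when the client sends no cookie
  if (country.deny.includes(userISO)) { // ['LT', ...].includes(undefined) === false
    return embargo(query.country);
  }
  return { status: 200, body: { msg: country.msg, iso: country.iso } };
}

// Fail-closed variant: a missing or invalid identity is rejected before the
// deny list is consulted, and an unknown country no longer throws.
function viewHardened(query, signedCookies) {
  if (!Object.prototype.hasOwnProperty.call(countryData, query.country)) {
    return { status: 404, body: { err: 'unknown country' } };
  }
  const country = countryData[query.country];
  const userISO = signedCookies.iso;
  // cookie-parser yields false for a signed cookie whose signature fails,
  // so require a string that is also a known ISO code.
  if (typeof userISO !== 'string' || !knownISOs.has(userISO)) {
    return { status: 400, body: { err: 'select your country first' } };
  }
  if (country.deny.includes(userISO)) {
    return embargo(query.country);
  }
  return { status: 200, body: { msg: country.msg, iso: country.iso } };
}
```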