You can inspect packets using tcpdump and find the domain covidfunds.net, OR you can step through the program in the debugger, notice the string Y292aWRmdW5kcy5uZXQ= getting base64 decoded, base64 decode it yourself and you will find it decodes to covidfunds.net

We can run a "chosen plaintext" attack on the server. It takes our input, then calculates encrypt(input + flag). Because ECB encrypts each block separately and simply concatenates them, we can brute force the flag byte by byte. A block is 16 bytes. Say if we gave the server 15 As, This means that the first block of the response is the ECB encryption of 15 As + the first byte of the flag. We'll call this block k1.

If we continuously send 15 As + and then compare the first block, then the byte in which the first block of the encryption is equal to k1 is the first byte of the flag.

If we send 14 As, the first block is the encryption of 14As plus the first two bytes of the flag. Given the first byte of the flag, we can run a similar brute force. This continues for the first block, the second block, and however many blocks there are until the flag finishes.

After looking up sqlite formats i made the payload

To get all table names and then

To get the settings of that table. the flag was 58

Blind sql

It gives 248b57c5cabbc9944d169d10bc4959a042d0bb81ab6cfc9166f40a9d0f0fd614 which is hash of "tigers"

Download /bart Run strings to get b64 string Decrypt Get flag