On the main page there is a form with two inputs: title and body. When the form is posted, the title and body are encrypted and sent in the "post" query parameter. For example, https://-----.ctf.hacker101.com/?post=h7lx7F68Eh3TAMAN-dC0RJoUwS9SY.........JS7gg98L!P93QWjPaXiwC-g97evF9tu8dw!Q~~ . If we open this link, the server decrypts this value (called the hash below, though it is really ciphertext) and displays it as plain text.
The first thing I thought of was adding a random letter to the hash. So, I got the first FLAG. And we also learn that the block size is 16.
For the second flag, I looked at the hint. It says "Don't think about this in terms of an attack against encryption; all you care about is XOR". So I was looking for something about padding. To solve the padding and decrypt the hash, we can use an automated tool called PadBuster. An example use of PadBuster is given below:
We found that the block size is 16, and "-encoding 0" selects Base64 encoding.
After running for quite some time, we crack the hash and find the flag. Note: I think that after the flag is found, decryption fails and the rest of the hash remains encrypted. It should also display the title and body as the flag.
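Seen from the server, a long PadBuster run like this one shows up as a single client sending a burst of different "post" values that almost all fail to decrypt. The detector below is an added example, not code from the original write-up or from the challenge. The log format, the 5xx status for a failed decryption, the thresholds and all sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit, parse_qs

# Assumed thresholds (not from the original post): tune to real traffic.
WINDOW_SECONDS = 60
MAX_FAILED_TOKENS = 50

def parse_line(line):
    """Parse one constructed log line: '<epoch> <client> <url> <status>'."""
    ts, client, url, status = line.split()
    token = parse_qs(urlsplit(url).query).get("post", [""])[0]
    return float(ts), client, token, int(status)

def find_oracle_probing(lines):
    """Return {client: peak count} for clients whose distinct failing `post`
    values inside any WINDOW_SECONDS span exceed MAX_FAILED_TOKENS."""
    recent = defaultdict(deque)   # client -> (timestamp, token) of failures
    flagged = {}
    for line in lines:
        ts, client, token, status = parse_line(line)
        if not token or status < 500:
            continue              # only failed decryptions are of interest
        window = recent[client]
        window.append((ts, token))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()      # drop failures older than the window
        distinct = len({t for _, t in window})
        if distinct > MAX_FAILED_TOKENS:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

def sample_log():
    """Constructed sample: one client sending 256 mutated tokens in about
    25 seconds, and one ordinary user who breaks a link once."""
    lines = []
    for guess in range(256):
        token = "A" * 30 + f"{guess:02x}"   # stand-in for a mutated token
        status = 200 if guess == 0x7f else 500
        lines.append(f"{1000 + guess * 0.1:.1f} 198.51.100.7 /?post={token} {status}")
    lines.append("1005.0 203.0.113.20 /?post=validtokenvalue 200")
    lines.append("1006.0 203.0.113.20 /?post=validtokenvaluX 500")
    return sorted(lines, key=lambda l: float(l.split()[0]))

if __name__ == "__main__":
    print(find_oracle_probing(sample_log()))
```

Detection only shortens the window. The fix on the application side is to authenticate the ciphertext (for example with an HMAC that is checked before decryption) and to return one generic error for every failure.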