The challenge looks innocuous – a tiny web‑app that lets you query street names. The trick is that the back‑end leaks data via an undocumented API and the flag is encoded in the metadata of a particular street entry (street #139). 2.1 Browsing the site $ curl -s http://139.czechstreets.ctf Result (truncated):
/api/streets (200 OK – JSON endpoint) /static/js/app.js (200 OK) /admin (403 Forbidden) /robots.txt (200 OK – empty) Opening in the browser gave a nice JSON dump: czechstreets 139
Event: CzechStreets CTF (2024) Category: Web / Information‑Disclosure / Minor Crypto Difficulty: ★★☆☆☆ (easy–medium) 1️⃣ Challenge Overview | Item | Description | |------|-------------| | Title | czechstreets – 139 | | Provided | A public URL: http://139.czechstreets.ctf (the “139” sub‑domain is part of the challenge name). The landing page shows a simple map of Prague with numbered streets and a tiny search box that says “Find the hidden street”. | | Goal | Retrieve the flag, which is hidden somewhere on the site. | | Flag format | czechstreets… | The challenge looks innocuous – a tiny web‑app
echo "eyJmbGFnIjoiY2hlY2hzdHJlZXRzeyBmbGFnX3JlYWxseV9lbWFpbF9odG1sIH0ifQ==" | base64 -d Gives: The landing page shows a simple map of
<div id="result"></div> </body> </html> No obvious clues, but the form submits a GET request to /search?q=… . Running gobuster (or dirsearch ) against the host revealed a few hidden routes: