MenuSearch
czechstreets 139czechstreets 139czechstreets 139
LatestProfile
English
Contact|About|
International Committee of the Fourth International (ICFI)
MenuSearch
International Committee of the Fourth International (ICFI)czechstreets 139czechstreets 139czechstreets 139
LatestProfile

Czechstreets 139 < 2024 >

The challenge looks innocuous – a tiny web‑app that lets you query street names. The trick is that the back‑end leaks data via an undocumented API and the flag is encoded in the metadata of a particular street entry (street #139). 2.1 Browsing the site $ curl -s http://139.czechstreets.ctf Result (truncated):

"flag":"czechstreets flag_really_email_html " The flag is clearly embedded in the JSON. A one‑liner to fetch and decode in one go: czechstreets 139

echo "eyJmbGFnIjoiY2hlY2hzdHJlZXRzeyBmbGFnX3JlYWxseV9lbWFpbF9odG1sIH0ifQ==" | base64 -d Gives: The challenge looks innocuous – a tiny web‑app

[ "id": 139, "name": "Smetanova", "slug": "smetanova", "metadata": "eyJmbGFnIjoiY2hlY2hzdHJlZXRzeyBmbGFnX3JlYWxseV9lbWFpbF9odG1sIH0ifQ==" ] The field metadata looks like Base64. Decoding it: czechstreets 139

Loading