Czechstreets 139 Guide


$ curl -s "http://139.czechstreets.ctf/api/streets?offset=138&limit=1000000" | jq .

Result:

<form method="GET" action="/search">
  <input type="text" name="q" placeholder="Street name…" />
  <input type="submit" value="Search" />
</form>

<!DOCTYPE html>
<html>
<head><title>Czech Streets – Find the hidden street</title></head>
<body>
<h1>Welcome to the Czech Streets challenge!</h1>
<p>Enter a street name to see its details.</p>

curl -s "http://139

The challenge looks innocuous – a tiny web‑app that lets you query street names. The trick is that the back‑end leaks data via an undocumented API and the flag is encoded in the metadata of a particular street entry (street #139).

2.1 Browsing the site

$ curl -s http://139.czechstreets.ctf

Result (truncated):

<form method="GET" action="/search">

/api/streets (200 OK – JSON endpoint)
/static/js/app.js (200 OK)
/admin (403 Forbidden)
/robots.txt (200 OK – empty)

Opening in the browser gave a nice JSON dump: