Czechstreets 139 -
"flag":"czechstreets flag_really_email_html " The flag is clearly embedded in the JSON. A one‑liner to fetch and decode in one go:
<div id="result"></div> </body> </html> No obvious clues, but the form submits a GET request to /search?q=… . Running gobuster (or dirsearch ) against the host revealed a few hidden routes: czechstreets 139
<form method="GET" action="/search"> <input type="text" name="q" placeholder="Street name…" /> <input type="submit" value="Search" /> </form> No obvious clues
The challenge looks innocuous – a tiny web‑app that lets you query street names. The trick is that the back‑end leaks data via an undocumented API and the flag is encoded in the metadata of a particular street entry (street #139). 2.1 Browsing the site $ curl -s http://139.czechstreets.ctf Result (truncated): form method="GET" action="/search">