Booru.allthefallen.more =link= – Limited & Full

UserComment : flagb0oru_4ll_th3_f4ll3n_m0r3

That was the flag! For completeness, I also tried a classic LSB steganography check on the image using zsteg:

# 2️⃣ Download the image and extract the token from EXIF
curl -s "$BASE$thumb" -o thumb.jpg
token=$(exiftool -UserComment thumb.jpg | awk -F': ' '{print $2}')
echo "[+] Token extracted: $token"

# 3️⃣ Use the token to access the hidden page
curl -s "$BASE/more?token=$token" > more.html

# 4️⃣ Pull the hidden image URL
hidden=$(grep -oP '(?<=src=")/static/img/[^"]+\.jpg' more.html)

boru_block_survive

That string looked like a plausible token for the hidden endpoint.

3.1 Crafting the request

The /more endpoint required the token to be supplied either as a query string ( ?token=… ) or as a cookie. Trying both:

/more The response was a 403 Forbidden page that displayed:

curl -s "https://booru.allthefallen.more/more?token=boru_block_survive"

The server responded with a 200 OK and an HTML page that listed a single hidden image:

Write‑up by YourName – 2023
