Czechstreets 139 - Free

The challenge looks innocuous – a tiny web‑app that lets you query street names. The trick is that the back‑end leaks data via an undocumented API and the flag is encoded in the metadata of a particular street entry (street #139). 2.1 Browsing the site $ curl -s http://139.czechstreets.ctf Result (truncated):

<!DOCTYPE html> <html> <head><title>Czech Streets – Find the hidden street</title></head> <body> <h1>Welcome to the Czech Streets challenge!</h1> <p>Enter a street name to see its details.</p> czechstreets 139

GET /api/streets?offset=138&limit=1000000 Running the request: The challenge looks innocuous – a tiny web‑app

/api/streets (200 OK – JSON endpoint) /static/js/app.js (200 OK) /admin (403 Forbidden) /robots.txt (200 OK – empty) Opening in the browser gave a nice JSON dump: Welcome to the Czech Streets challenge!&lt