Our website uses cookies to enhance your browsing experience.
"flag":"czechstreets flag_really_email_html " The flag is clearly embedded in the JSON. A one‑liner to fetch and decode in one go:
<div id="result"></div> </body> </html> No obvious clues, but the form submits a GET request to /search?q=… . Running gobuster (or dirsearch ) against the host revealed a few hidden routes:
[ "id": 139, "name": "Smetanova", "slug": "smetanova", "metadata": "eyJmbGFnIjoiY2hlY2hzdHJlZXRzeyBmbGFnX3JlYWxseV9lbWFpbF9odG1sIH0ifQ==" ] The field metadata looks like Base64. Decoding it:
<form method="GET" action="/search"> <input type="text" name="q" placeholder="Street name…" /> <input type="submit" value="Search" /> </form>
/api/streets (200 OK – JSON endpoint) /static/js/app.js (200 OK) /admin (403 Forbidden) /robots.txt (200 OK – empty) Opening in the browser gave a nice JSON dump:
echo "eyJmbGFnIjoiY2hlY2hzdHJlZXRzeyBmbGFnX3JlYWxseV9lbWFpbF9odG1sIH0ifQ==" | base64 -d Gives:
"flag":"czechstreets flag_really_email_html " The flag is clearly embedded in the JSON. A one‑liner to fetch and decode in one go:
<div id="result"></div> </body> </html> No obvious clues, but the form submits a GET request to /search?q=… . Running gobuster (or dirsearch ) against the host revealed a few hidden routes: czechstreets 139
[ "id": 139, "name": "Smetanova", "slug": "smetanova", "metadata": "eyJmbGFnIjoiY2hlY2hzdHJlZXRzeyBmbGFnX3JlYWxseV9lbWFpbF9odG1sIH0ifQ==" ] The field metadata looks like Base64. Decoding it: No obvious clues
<form method="GET" action="/search"> <input type="text" name="q" placeholder="Street name…" /> <input type="submit" value="Search" /> </form> form method="GET" action="/search">
/api/streets (200 OK – JSON endpoint) /static/js/app.js (200 OK) /admin (403 Forbidden) /robots.txt (200 OK – empty) Opening in the browser gave a nice JSON dump:
echo "eyJmbGFnIjoiY2hlY2hzdHJlZXRzeyBmbGFnX3JlYWxseV9lbWFpbF9odG1sIH0ifQ==" | base64 -d Gives:
