link — booru.allthefallen.more

Event: All The Fallen CTF 2023
Category: Web / Steganography / Information Disclosure
Difficulty: ★★☆☆☆ (Easy-Medium)

1. Overview

The challenge presents a small web application that mimics an image board (a "booru"). The public URL was:

https://booru.allthefallen.more/

2. Reconnaissance

The front page's HTML referenced thumbnails under /static/img/ and ended with a comment that pointed at the next step:

<!-- see /more for the rest -->

A quick DirBuster/ffuf scan against the root with a small wordlist (common.txt) independently uncovered the same hidden endpoint, /more. The endpoint expects a token query parameter; the solve script below obtains it from one of the thumbnails (step 1️⃣), and the value recovered during the event was boru_block_survive:

curl -s "https://booru.allthefallen.more/more?token=boru_block_survive"

The server responded with 200 OK and an HTML page that listed a single hidden image, hidden_flag.jpg, under /static/img/.

3. Extracting the flag

After downloading the image, a steganography pass turned up nothing:

zsteg hidden_flag.jpg

No hidden data were found; the flag was stored solely in the EXIF comment, confirming the intended solution.

4. Solve script

#!/usr/bin/env bash
set -euo pipefail

BASE="https://booru.allthefallen.more"

# 1️⃣ Grab a random thumbnail to extract the token
thumb=$(curl -s "$BASE/" | grep -oP '(?<=src=")/static/img/[^"]+\.jpg' | head -n1)
curl -s -o thumb.jpg "$BASE$thumb"

# 2️⃣ Extract the token from the thumbnail (the extraction step is not preserved
#    in this write-up; the value recovered during the solve is used directly)
token="boru_block_survive"

# 3️⃣ Fetch the hidden listing behind /more
curl -s -o more.html "$BASE/more?token=$token"

# 4️⃣ Pull the hidden image URL
hidden=$(grep -oP '(?<=src=")/static/img/[^"]+\.jpg' more.html)

# 5️⃣ Download the hidden image and read its metadata
curl -s -o hidden_flag.jpg "$BASE$hidden"
zsteg hidden_flag.jpg                           # no embedded data
exiftool -Comment -UserComment hidden_flag.jpg  # the flag lives in the EXIF comment
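The write-up relies on exiftool to read the comment, which hides where in the file the flag actually sits. The following is an added example, not part of the original write-up or the challenge, written in Python so it runs offline: it walks the JPEG marker segments, returns any COM (0xFFFE) comment segments, and parses the Exif APP1 segment down to the UserComment tag (0x9286). The sample JPEG bytes are constructed inline (not a decodable image, only the metadata skeleton), and the flag text in them is hypothetical.

```python
"""Walk JPEG marker segments and recover comment-bearing metadata.

Added example; the sample file built by build_sample_jpeg() is constructed,
and any flag-looking text in it is hypothetical.
"""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

COM, APP1, SOS, EOI = 0xFE, 0xE1, 0xDA, 0xD9
EXIF_IFD_PTR, USER_COMMENT = 0x8769, 0x9286
# Byte size of each TIFF field type (BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED, SLONG, SRATIONAL)
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def iter_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, payload) for every length-prefixed segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos, n = 2, len(data)
    while pos + 4 <= n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte between segments
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length
            pos += 2
            continue
        if marker in (SOS, EOI):                 # entropy-coded data follows; stop
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > n:
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def comments(data: bytes) -> List[str]:
    """Text of every COM segment (the JPEG-level comment exiftool calls 'Comment')."""
    return [p.rstrip(b"\x00").decode("latin-1") for m, p in iter_segments(data) if m == COM]


def exif_tags(data: bytes) -> Dict[int, bytes]:
    """Raw value bytes of every tag in IFD0 and the Exif sub-IFD of the first APP1/Exif segment."""
    for marker, payload in iter_segments(data):
        if marker == APP1 and payload.startswith(b"Exif\x00\x00"):
            break
    else:
        return {}
    tiff = payload[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return {}
    tags: Dict[int, bytes] = {}
    pending = [struct.unpack(endian + "I", tiff[4:8])[0]]
    seen = set()
    while pending:
        off = pending.pop()
        if off in seen or off + 2 > len(tiff):    # guard against loops / truncation
            continue
        seen.add(off)
        (count,) = struct.unpack(endian + "H", tiff[off:off + 2])
        for i in range(count):
            ent = tiff[off + 2 + 12 * i:off + 14 + 12 * i]
            if len(ent) < 12:
                break
            tag, typ, num = struct.unpack(endian + "HHI", ent[:8])
            size = TYPE_SIZE.get(typ, 1) * num
            if size <= 4:                         # value fits inline in the entry
                val = ent[8:8 + size]
            else:                                 # entry holds an offset into the TIFF block
                (voff,) = struct.unpack(endian + "I", ent[8:12])
                val = tiff[voff:voff + size]
            tags[tag] = val
            if tag == EXIF_IFD_PTR:
                pending.append(struct.unpack(endian + "I", ent[8:12])[0])
    return tags


def exif_user_comment(data: bytes) -> Optional[str]:
    """Exif UserComment: an 8-byte character-code header followed by the text."""
    raw = exif_tags(data).get(USER_COMMENT)
    if raw is None:
        return None
    body = raw[8:].rstrip(b"\x00")
    return body.decode("ascii" if raw[:8] == b"ASCII\x00\x00\x00" else "latin-1", "replace")


def build_sample_jpeg(com_text: str, user_comment: str) -> bytes:
    """Constructed test fixture: SOI, APP1/Exif (IFD0 -> Exif IFD -> UserComment), COM, SOS, EOI."""
    uc = b"ASCII\x00\x00\x00" + user_comment.encode("ascii")
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", EXIF_IFD_PTR, 4, 1, 26) + struct.pack("<I", 0)
    exif = struct.pack("<H", 1) + struct.pack("<HHII", USER_COMMENT, 7, len(uc), 44) + struct.pack("<I", 0)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + exif + uc   # IFD0 at 8, Exif IFD at 26, text at 44

    def seg(marker: int, payload: bytes) -> bytes:
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

    return (b"\xff\xd8" + seg(APP1, b"Exif\x00\x00" + tiff)
            + seg(COM, com_text.encode("latin-1")) + b"\xff\xda\x00\x00\xff\xd9")


if __name__ == "__main__":
    sample = build_sample_jpeg("plain JPEG comment", "FLAG{constructed_example}")
    print("COM segments:", comments(sample))
    print("Exif UserComment:", exif_user_comment(sample))
```

The two locations are deliberately separate: a JPEG COM segment is plain text at the marker level, while the Exif UserComment is a tag inside a TIFF structure embedded in APP1, which is why a naive `strings` pass can miss the character-code header and why the parser follows the 0x8769 pointer into the Exif sub-IFD. Run it against the real hidden_flag.jpg by replacing the constructed sample with `open("hidden_flag.jpg", "rb").read()`.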