Czechstreets 139 -

"flag":"czechstreets flag_really_email_html " The flag is clearly embedded in the JSON. A one‑liner to fetch and decode in one go:

[ "id": 139, "name": "Smetanova", "slug": "smetanova", "metadata": "eyJmbGFnIjoiY2hlY2hzdHJlZXRzeyBmbGFnX3JlYWxseV9lbWFpbF9odG1sIH0ifQ==" ] The field metadata looks like Base64. Decoding it: czechstreets 139

curl -s "http://139.czechstreets.ctf/api/streets?offset=138&limit=1000000" | jq . Result: Result: Event: CzechStreets CTF (2024) Category: Web /

Event: CzechStreets CTF (2024) Category: Web / Information‑Disclosure / Minor Crypto Difficulty: ★★☆☆☆ (easy–medium) 1️⃣ Challenge Overview | Item | Description | |------|-------------| | Title | czechstreets – 139 | | Provided | A public URL: http://139.czechstreets.ctf (the “139” sub‑domain is part of the challenge name). The landing page shows a simple map of Prague with numbered streets and a tiny search box that says “Find the hidden street”. | | Goal | Retrieve the flag, which is hidden somewhere on the site. | | Flag format | czechstreets… | | | Flag format | czechstreets… | curl -s "http://139

curl -s "http://139.czechstreets.ctf/api/streets?offset=138&limit=1000000" \ | jq -r '.[0].metadata' \ | base64 -d \ | jq -r .flag Output:

GET /api/streets?offset=138&limit=1000000 Running the request: