Booru.allthefallen.more

The goal was to retrieve the flag, which was hidden somewhere in the service’s assets or responses.

2.1 Browsing the site

The homepage (`/`) returned a simple HTML page that loaded JavaScript from `/static/app.js` and a handful of images from `/static/img/`. The page source revealed a hidden comment:

```bash
# 3️⃣ Use the token to access the hidden page
curl -s "$BASE/more?token=$token" > more.html
```

```
[+] Token extracted: boru_block_survive
[+] Flag: flagb0oru_4ll_th3_f4ll3n_m0r3
```

| Technique | Why it mattered |
|-----------|-----------------|
| Directory brute‑forcing (ffuf/DirBuster) | Discovered the hidden `/more` endpoint. |
| EXIF inspection (`exiftool`) | Revealed the token hidden in normal image metadata. |
| Base64 decoding | Turned the encoded token into a usable string. |
| Parameter/cookie token authentication | Showed that the service used a simple secret‑in‑URL scheme. |
| Steganography awareness | Though the flag was not hidden in pixel data, checking with `zsteg` is a good habit for “booru”‑style challenges. |

```bash
# 4️⃣ Pull the hidden image URL
hidden=$(grep -oP '(?<=src=")/static/img/[^"]+\.jpg' more.html)
```

https://booru.allthefallen.more/

The landing page displayed a list of thumbnails and a search box. No obvious “flag” was visible, but the title “more” hinted that there was “something more” hidden behind the interface.

```
boru_block_survive
```

That string looked like a plausible token for the hidden endpoint.

3.1 Crafting the request

The `/more` endpoint required the token to be supplied either as a query string (`?token=…`) or as a cookie. Trying both: