Booru.allthefallen.more

curl -s "https://booru.allthefallen.more/more?token=boru_block_survive"

The server responded with a 200 OK and an HTML page that listed a single hidden image:

Event: All The Fallen CTF 2023
Category: Web / Steganography / Information Disclosure
Difficulty: ★★☆☆☆ (Easy‑Medium)

1. Overview

The challenge presents a small web‑application that mimics an image‑board (a “booru”). The public URL was: booru.allthefallen.more

<!-- see /more for the rest -->

Running a quick DirBuster/ffuf scan against the root with a small wordlist (common.txt) uncovered a hidden endpoint:

curl -s "https://booru

BASE="https://booru.allthefallen.more"

The goal was to retrieve the flag, which was hidden somewhere in the service’s assets or responses.

2.1 Browsing the site

The homepage (/) returned a simple HTML page that loaded JavaScript from /static/app.js and a handful of images from /static/img/. The page source revealed a hidden comment:

# 3️⃣ Use the token to access the hidden page
curl -s "$BASE/more?token=$token" > more.html