Czechstreets 139 May 2026

The challenge looks innocuous – a tiny web‑app that lets you query street names. The trick is that the back‑end leaks data via an undocumented API and the flag is encoded in the metadata of a particular street entry (street #139). 2.1 Browsing the site $ curl -s http://139.czechstreets.ctf Result (truncated):

In short: that lets us read arbitrary street objects, including the hidden one with id = 139 . 4️⃣ Exploiting the Bug 4.1 Crafting the request We want the object with id = 139 . The API returns records in order of id . By setting offset=138 and a huge limit we can retrieve the 139th entry: czechstreets 139

GET /api/streets?offset=138&limit=1000000 Running the request: The challenge looks innocuous – a tiny web‑app

<form method="GET" action="/search"> <input type="text" name="q" placeholder="Street name…" /> <input type="submit" value="Search" /> </form> 4️⃣ Exploiting the Bug 4