Czechstreets 139 ((full)) [2026 Release]

The server does not validate the limit value strictly – it accepts any integer up to 2^31‑1. When a huge limit is supplied, the back‑end attempts to allocate a massive slice, which triggers an integer overflow in the internal pagination logic. The overflow causes the offset + limit check to wrap around, allowing the request to fetch any record by ID, even those beyond the normal pagination window.

Running gobuster (or dirsearch) against the host revealed a few hidden routes:

In short: that lets us read arbitrary street objects, including the hidden one with id = 139.

We want the object with id = 139. The API returns records in order of id. By setting offset=138 and a huge limit we can retrieve the 139th entry:

```bash
# Skip the first 138 records, take the metadata of the next one (id 139),
# base64-decode it and pull out the flag field.
curl -s "http://139.czechstreets.ctf/api/streets?offset=138&limit=1000000" \
  | jq -r '.[0].metadata' \
  | base64 -d \
  | jq -r .flag
```

Result (truncated):

| Issue | Fix |
|-------|-----|
| – The API accepts arbitrarily large integers, leading to integer overflow/pagination bypass. | Enforce a strict upper bound (e.g., limit ≤ 100) and validate that offset + limit never exceeds MAX_RECORDS. |
| Direct exposure of internal IDs – The id field is guessable and directly maps to sensitive data. | Do not expose raw primary keys. Use opaque identifiers (UUIDs) or hash the IDs. |
| Sensitive data in metadata – Flag stored in a field that is returned to anyone who can query the API. | Store secrets server‑side only; never return them in a public endpoint. |
| Missing authentication – The API is completely public. | Require at least a session token or IP‑rate‑limit to make enumeration harder. |


The challenge looks innocuous – a tiny web‑app that lets you query street names. The trick is that the back‑end leaks data via an undocumented API and the flag is encoded in the metadata of a particular street entry (street #139).


No obvious clues, but the form submits a GET request to /search?q=….