Czechstreets 139 Better (Original)

[ { "id": 139, "name": "Smetanova", "slug": "smetanova", "metadata": "eyJmbGFnIjoiY2hlY2hzdHJlZXRzeyBmbGFnX3JlYWxseV9lbWFpbF9odG1sIH0ifQ==" } ]

The metadata field looks like Base64. Decoding it:

<!DOCTYPE html> <html> <head><title>Czech Streets – Find the hidden street</title></head> <body> <h1>Welcome to the Czech Streets challenge!</h1> <p>Enter a street name to see its details.</p>

echo "eyJmbGFnIjoiY2hlY2hzdHJlZXRzeyBmbGFnX3JlYWxseV9lbWFpbF9odG1sIH0ifQ==" | base64 -d

Gives:

"flag":"czechstreets flag_really_email_html " The flag is clearly embedded in the JSON. A one‑liner to fetch and decode in one go: [ "id": 139

<div id="result"></div> </body> </html>

No obvious clues, but the form submits a GET request to /search?q=… Running gobuster (or dirsearch) against the host revealed a few hidden routes:

[ {"id":1, "name":"Hradčanské náměstí", "slug":"hradcanske-namesti"}, {"id":2, "name":"Národní", "slug":"narodni"}, … ]

Only the first 50 streets were returned (pagination). The id field is a simple integer that matches the street number on the map. The API supports the following query parameters (found by reading app.js):