Booru.allthefallen.more
Write‑up by YourName – 2023
Event: All The Fallen CTF 2023
Category: Web / Steganography / Information Disclosure
Difficulty: ★★☆☆☆ (Easy‑Medium)

1. Overview

The challenge presents a small web application that mimics an image board (a “booru”). The public URL was: booru.allthefallen.more
UserComment : flagb0oru_4ll_th3_f4ll3n_m0r3

That was the flag! For completeness, I also tried a classic LSB steganography check on the image using zsteg:
curl -s -o hidden_flag.jpg "https://booru.allthefallen.more/static/img/hidden_flag.jpg"

At first glance it was a plain JPEG with a resolution of 1×1 pixel – just a black dot. Running exiftool again gave:
<img src="/static/img/hidden_flag.jpg" />

Downloading the image:
<!-- token is stored in the image EXIF -->

All thumbnails were JPEG files served from /static/img/<hash>.jpg. Downloading a few of them with wget and inspecting the EXIF data (exiftool) revealed a custom tag: