Booru.allthefallen.more May 2026

```
[+] Token extracted: boru_block_survive
[+] Flag: flagb0oru_4ll_th3_f4ll3n_m0r3
```

| Technique | Why it mattered |
|-----------|-----------------|
| Directory brute‑forcing (ffuf/DirBuster) | Discovered the hidden /more endpoint. |
| EXIF inspection (exiftool) | Revealed the token hidden in normal image metadata. |
| Base64 decoding | Turned the encoded token into a usable string. |
| Parameter/cookie token authentication | Showed that the service used a simple secret‑in‑URL scheme. |
| Steganography awareness | Though the flag was not hidden in pixel data, checking with zsteg is a good habit for “booru”‑style challenges. |

Event: All The Fallen CTF 2023
Category: Web / Steganography / Information Disclosure
Difficulty: ★★☆☆☆ (Easy‑Medium)

1. Overview

The challenge presents a small web application that mimics an image board (a “booru”). The public URL was: booru.allthefallen.more

```
zsteg hidden_flag.jpg
```

No hidden data were found; the flag was solely stored in the EXIF comment, confirming the intended solution.

```
#!/usr/bin/env bash
set -euo pipefail
```

```
<!-- token is stored in the image EXIF -->
```

All thumbnails were JPEG files served from /static/img/<hash>.jpg. Downloading a few of them with wget and inspecting the EXIF data (exiftool) revealed a custom tag: booru.allthefallen.more
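A defender-side check for the kind of leak described above, as an added example that is not part of the original write-up: it walks the metadata segments of a JPEG (COM and APPn, where EXIF lives) and reports base64 runs that decode to printable text. The sample files, the placeholder token and the function names are constructed for illustration.

```python
import base64
import re
import struct

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def metadata_segments(jpeg):
    """Yield (marker, payload) for COM and APPn segments that precede the scan."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):      # SOS or EOI: no more metadata
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:
            yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_encoded_secrets(jpeg):
    """Return (marker, decoded text) for base64 runs that decode to printable ASCII."""
    hits = []
    for marker, payload in metadata_segments(jpeg):
        for run in B64_RUN.findall(payload):
            if len(run) % 4:
                continue
            try:
                text = base64.b64decode(run, validate=True).decode("ascii")
            except ValueError:          # covers binascii.Error and UnicodeDecodeError
                continue
            if text.isprintable():
                hits.append((hex(marker), text))
    return hits

def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample files (not from the challenge): a JFIF header, an optional
# COM segment carrying a base64-encoded placeholder token, then SOS and EOI.
_JFIF = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
_TAIL = _segment(0xDA, b"\x00" * 6) + b"\xff\xd9"
_TOKEN = base64.b64encode(b"constructed-token-000001")
LEAKY = b"\xff\xd8" + _JFIF + _segment(0xFE, b"token=" + _TOKEN) + _TAIL
CLEAN = b"\xff\xd8" + _JFIF + _TAIL
```

It scans raw segment bytes rather than parsing individual EXIF tags, so a comment stored as UTF-16 would not be caught.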

Write‑up by YourName – 2023