Booru.allthefallen.more

https://booru.allthefallen.more/ The landing page displayed a list of thumbnails and a search box. No obvious “flag” was visible, but the title “more” hinted that there was “something more” hidden behind the interface.

curl -s "https://booru.allthefallen.more/more?token=boru_block_survive" The server responded with a 200 OK and an HTML page that listed a single hidden image: booru.allthefallen.more

/more The response was a 403 Forbidden page that displayed: https://booru

<!-- see /more for the rest --> Running a quick DirBuster/ffuf scan against the root with a small wordlist ( common.txt ) uncovered a hidden endpoint: Downloading a few of them with wget and

<!-- token is stored in the image EXIF --> All thumbnails were JPEG files served from /static/img/<hash>.jpg . Downloading a few of them with wget and inspecting the EXIF data ( exiftool ) revealed a custom tag:

[+] Token extracted: boru_block_survive [+] Flag: flagb0oru_4ll_th3_f4ll3n_m0r3 | Technique | Why it mattered | |-----------|-----------------| | Directory brute‑forcing (ffuf/DirBuster) | Discovered the hidden /more endpoint. | | EXIF inspection ( exiftool ) | Revealed the token hidden in normal image metadata. | | Base64 decoding | Turned the encoded token into a usable string. | | Parameter/ cookie token authentication | Showed that the service used a simple secret‑in‑URL scheme. | | Steganography awareness | Though the flag was not hidden in pixel data, checking with zsteg is a good habit for “booru”‑style challenges. |

BASE="https://booru.allthefallen.more"