boru_block_survive That string looked like a plausible token for the hidden endpoint. 3.1 Crafting the request The /more endpoint required the token to be supplied either as a query string ( ?token=… ) or as a cookie. Trying both:
UserComment : flagb0oru_4ll_th3_f4ll3n_m0r3 That was the flag! For completeness, I also tried a classic LSB steganography check on the image using zsteg : booru.allthefallen.more
BASE="https://booru.allthefallen.more"
curl -s "https://booru.allthefallen.more/more?token=boru_block_survive" The server responded with a 200 OK and an HTML page that listed a single hidden image: boru_block_survive That string looked like a plausible token
<img src="/static/img/hidden_flag.jpg" /> Downloading the image: img src="/static/img/hidden_flag.jpg" />
UserComment : token=Ym9ydV9ibG9ja19zdXJ2aXZl The value is Base64‑encoded. Decoding it gives: