I don't think that replacing your REST APIs means that you don't need access controls. Can you read the admin's tasks from this minimal note taking application?
The title of this challenge pretty much tells us straight away that we're dealing with GraphQL.
Visiting the website:
I used a tool called GraphQLmap to get a better understanding of the GraphQL we're dealing with.
┌─[s1gh@fsociety]─[~/Documents/HackTheBox/HTB-Business-CTF-2021/Web/NoteQL/GraphQLmap]
└──╼ $ python3 graphqlmap.py -u http://126.96.36.199:32634/graphql

  [GraphQLmap banner]
  Author: @pentest_swissky
  Version: 1.0

GraphQLmap > dump_new
============= [SCHEMA] ===============
e.g: name[Type]: arg (Type!)
Query
  AllNotes[Post]:
  Note: id (ID!),
  MyNotes[Post]:
  NotesFrom[Post]: author (String!),
Post
  id:
  title:
  author:
  completed:
Mutation
  createNote: title (String!),
  updateNote: id (ID!), title (String!), author (String!),
  completeNote: id (ID!),
  deleteNote: id (ID!),
__Schema
__Type
__Field
__InputValue
__EnumValue
__Directive
GraphQLmap >
We see a query called AllNotes, which is quite interesting.
After adding a note and clicking on the recently added note (and sending the request through Burp):
We swap the query for AllNotes in order to dump every note that's stored in this application.
And here we find the flag!
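The root cause is that AllNotes (and, for single notes, Note) returns data without checking who is asking. The following is an added example, not the challenge's source code, showing the vulnerable resolver shape beside a hardened one for the schema dumped above; the notes array, the user objects and the context shape are constructed here for illustration.

```javascript
// Constructed sample data: the admin's note is what a normal user must not see.
const NOTES = [
  { id: "1", title: "admin's secret task", author: "admin", completed: false },
  { id: "2", title: "buy milk", author: "s1gh", completed: true },
];

class AuthError extends Error {}

// Vulnerable shape: AllNotes ignores the caller entirely and returns every
// row, and Note only checks that the id exists, so any user can read the
// admin's tasks by switching query or guessing ids.
const vulnerableResolvers = {
  AllNotes: (_args, _ctx) => NOTES,
  Note: ({ id }, _ctx) => NOTES.find((n) => n.id === id) || null,
};

// Hardened shape: identity comes from the server-side context (populated
// from the session or token), never from a client-supplied argument.
function requireUser(ctx) {
  if (!ctx || !ctx.user) throw new AuthError("authentication required");
  return ctx.user;
}

const hardenedResolvers = {
  // Enumerating all notes is an admin-only operation.
  AllNotes: (_args, ctx) => {
    const user = requireUser(ctx);
    if (user.role !== "admin") throw new AuthError("admin only");
    return NOTES;
  },
  // Object-level check: a note is visible only to its author or an admin.
  Note: ({ id }, ctx) => {
    const user = requireUser(ctx);
    const note = NOTES.find((n) => n.id === id);
    if (!note) return null;
    if (note.author !== user.name && user.role !== "admin") {
      throw new AuthError("forbidden");
    }
    return note;
  },
  // MyNotes is scoped by the authenticated identity, not by an author argument.
  MyNotes: (_args, ctx) => {
    const user = requireUser(ctx);
    return NOTES.filter((n) => n.author === user.name);
  },
};
```

The same check belongs in NotesFrom, which takes an author argument from the client and is therefore just as enumerable as AllNotes without it.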