devme corCTF Web challenge writeup

Hello guys back again with another tutorial this time am going to be showing you how i solved devme challenge from corCTF 2021. You are given a web page and performing manual enumeration reveals its running graphql under the hood. The graphql endpoint when passed an email address it creates a user with a sha256 hash. We later on find that we can then run three different queries

  1. Mutation query which basically allows us to add a user to the database
  2. the graphql also allows the user to query all users with their corresponding token from the data stored
  3. Lastly there is a flag query which if given the correct token (admin’s token) it will leak flag.

Without much say let’s jump in.

We have been given the following URL

On opening we get a standard web page

The first enumerations that i usually run are

  1. A directory brute force using gobuster(you can use ffuf, ferobuster or even wfuzz depending on your liking)

2. A vulnerability scan using nikto

While they were running i decided to poke at the website and see what functionality it had

The web application allows a user to signup to get a free preview of a book

So i decided to signup using a fake email address and see if the form had any functionality the intercepted the request using burpsuite

Looking the screenshot of the intercepted request we see a couple of interesting information

The website has a graphql endpoint and its using mutation operations to create a user using the email address provided by the user. Mutations are GraphQL operations that can modify back-end data (unlike queries) in our case the operation is to adding a user to the backend system

The user created has a sha256 hash as the username

The next thing we could do is query the schema to see how much functionality we have. But am going to show a really awesome tool that does all the tedious work for you and show you the operation you are allowed to perform on the graphql API. The tool is called graphql-playground.

First download the appimage from GitHub and make it an executable and open it from your terminal.

Once the application has been opened. Click on the URL endpoint

Then input the graphql endpoint URL and click open

A new window will open where you can run your queries

Looking at the schema we can run 3 queries as i explained before

First i ran the user operation and queried the API for both username and tokens for each respective users

The query that i used was

query{users{username, token}}

Looking at the screenshot below i was able to dump all the usernames with their respective tokens

We are only interested on the admin’s token since it’s the one that will give us the flag

Next i ran the second query that is used to retrieve the flag. The query used was


And looking the screenshot below we are able to retrieve the flag

which is


And that’s it for the challenge. This tutorial just touched the basics of graphql I’ve seen SQL Injections, command injections etc exploited from graphql take time and read it. But till the next time, It’s goodbye. If you liked the walkthrough don’t forget to clap for me down below and follow me so that you won’t miss any upcoming walkthrouhgs



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store