devme corCTF Web challenge writeup

Hello guys, back again with another tutorial. This time I am going to show you how I solved the devme challenge from corCTF 2021. You are given a web page, and manual enumeration reveals it is running GraphQL under the hood. When the GraphQL endpoint is passed an email address it creates a user whose username is a sha256 hash. We later find that we can run three different operations:

  1. A mutation which basically allows us to add a user to the database
  2. A users query which returns all users together with their corresponding tokens from the stored data
  3. Lastly a flag query which, if given the correct token (the admin's token), leaks the flag.

Without further ado, let's jump in.

We have been given the following URL

https://devme.be.ax/

On opening we get a standard web page

The first enumerations that I usually run are

  1. A directory brute force using gobuster (you can use ffuf, feroxbuster or even wfuzz depending on your liking)
  2. A vulnerability scan using nikto

While they were running I decided to poke at the website and see what functionality it had

The web application allows a user to sign up to get a free preview of a book

So I decided to sign up using a fake email address and see what the form actually did, intercepting the request with Burp Suite

Looking at the screenshot of the intercepted request we see a couple of interesting things

The website has a GraphQL endpoint and it uses a mutation operation to create a user from the email address the visitor provides. Mutations are GraphQL operations that can modify back-end data (unlike queries, which only read); in our case the operation adds a user to the backend system

The user created has a sha256 hash as the username

The next thing we could do is query the schema to see how much functionality we have. But I am going to show a really awesome tool that does all the tedious work for you and shows you the operations you are allowed to perform on the GraphQL API. The tool is called graphql-playground.

First download the AppImage from GitHub, make it executable and open it from your terminal.

Once the application has opened, click on "URL endpoint"

Then input the GraphQL endpoint URL and click "Open"

A new window will open where you can run your queries

Looking at the schema we can run the 3 operations I explained before
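What graphql-playground is doing behind that schema tab is sending the standard GraphQL introspection query and rendering the answer. The script below, an added example that is not part of the original writeup or of graphql-playground, does the same job offline against a constructed introspection response shaped like the challenge's schema (users, flag, createUser); the function names and the sample response are my own, and the query itself only works against a server that leaves introspection enabled. The second function is the defender's half of the story: it lists object fields whose names look like credentials, which is how you would spot a `User.token` field in your own schema before a CTF player does.

```python
import json

# Standard introspection query: root operation types plus every type's fields,
# with argument and return types. ofType is nested a few levels so wrappers
# such as [User!]! can be unwrapped to the named type.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name
      kind
      fields {
        name
        args { name type { ...TypeRef } }
        type { ...TypeRef }
      }
    }
  }
}
fragment TypeRef on __Type {
  kind name
  ofType { kind name ofType { kind name ofType { kind name } } }
}
"""


def _ref(kind, name=None, of_type=None):
    """Build one __Type reference the way a server serialises it."""
    return {"kind": kind, "name": name, "ofType": of_type}


# Constructed sample response (not captured from the challenge) in the shape a
# server returns for a schema matching the operations the writeup describes.
SAMPLE_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "users", "args": [],
             "type": _ref("LIST", of_type=_ref("OBJECT", "User"))},
            {"name": "flag",
             "args": [{"name": "token",
                       "type": _ref("NON_NULL", of_type=_ref("SCALAR", "String"))}],
             "type": _ref("SCALAR", "String")},
        ]},
        {"name": "Mutation", "kind": "OBJECT", "fields": [
            {"name": "createUser",
             "args": [{"name": "email",
                       "type": _ref("NON_NULL", of_type=_ref("SCALAR", "String"))}],
             "type": _ref("OBJECT", "User")},
        ]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "username", "args": [], "type": _ref("SCALAR", "String")},
            {"name": "token", "args": [], "type": _ref("SCALAR", "String")},
        ]},
        {"name": "String", "kind": "SCALAR", "fields": None},
    ],
}}})


def type_name(ref):
    """Unwrap NON_NULL / LIST wrappers down to the named type."""
    while ref is not None and ref.get("name") is None:
        ref = ref.get("ofType")
    return ref["name"] if ref else "?"


def summarise_operations(raw_json):
    """Map each root operation (query/mutation) to its fields, argument types
    and return types: the same picture graphql-playground draws in its sidebar."""
    schema = json.loads(raw_json)["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    summary = {}
    for op, root in (("query", schema["queryType"]), ("mutation", schema["mutationType"])):
        if root is None:
            continue
        summary[op] = {
            f["name"]: {
                "args": {a["name"]: type_name(a["type"]) for a in f["args"] or []},
                "returns": type_name(f["type"]),
            }
            for f in types[root["name"]]["fields"] or []
        }
    return summary


SECRET_HINTS = ("token", "secret", "password", "apikey")


def credential_fields(raw_json):
    """Object fields (root and introspection types excluded) whose names
    suggest a credential is being served to anyone who can select it."""
    schema = json.loads(raw_json)["data"]["__schema"]
    roots = {r["name"] for r in (schema["queryType"], schema["mutationType"]) if r}
    hits = []
    for t in schema["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__") or t["name"] in roots:
            continue
        for f in t["fields"] or []:
            if any(h in f["name"].lower() for h in SECRET_HINTS):
                hits.append(f"{t['name']}.{f['name']}")
    return hits


if __name__ == "__main__":
    print(json.dumps(summarise_operations(SAMPLE_RESPONSE), indent=2))
    print("credential-like fields:", credential_fields(SAMPLE_RESPONSE))
```

On a real target you would POST `{"query": INTROSPECTION_QUERY}` to the endpoint and feed the JSON body to these two functions; on your own API the useful outcome is the `credential_fields` list, and disabling introspection in production removes the free map entirely.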

First I ran the users operation and queried the API for both the username and the token of each user

The query that I used was

query{users{username, token}}

Looking at the screenshot below, I was able to dump all the usernames with their respective tokens

We are only interested in the admin's token since it's the one that will give us the flag

Next I ran the second query, the one used to retrieve the flag. The query used was

query{flag(token:"3cd3a50e63b3cb0a69cfb7d9d4f0ebc1dc1b94143475535930fa3db6e687280b")}

And looking at the screenshot below we are able to retrieve the flag

which is

corctf{ex_g00g13_3x_fac3b00k_t3ch_l3ad_as_a_s3rvice}
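The bug here is not GraphQL itself but the resolvers: `users` hands every account's token to any caller, and `flag` then trusts that token. The following is an added example, not the challenge's server code, that models the three operations as plain Python functions, first as the writeup describes them and then hardened, and replays the writeup's chain against both. Deriving the sha256 username from the email, the seeded admin account, the flag string and all function names are my assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in; the real flag is the one shown in the writeup.
FLAG = "corctf{placeholder_flag_for_this_example}"


class Store:
    """In-memory user table (username -> token) plus which user is the admin."""

    def __init__(self):
        self.users = {}
        # Constructed admin account; the challenge seeded its own.
        self.admin_username = self.create_user("admin@example.invalid")["username"]

    def create_user(self, email):
        # The writeup shows sha256-looking usernames; hashing the email is an
        # assumption about how the challenge derived them.
        username = hashlib.sha256(email.encode()).hexdigest()
        token = secrets.token_hex(32)
        self.users[username] = token
        return {"username": username, "token": token}


# --- Resolvers behaving as the challenge exposes them -----------------------

def users_vulnerable(store):
    """users{username, token}: every account's token, to anyone who asks."""
    return [{"username": u, "token": t} for u, t in store.users.items()]


def flag_vulnerable(store, token):
    """flag(token): whoever presents the admin token gets the flag."""
    if token == store.users[store.admin_username]:
        return FLAG
    return None


# --- Hardened resolvers ------------------------------------------------------

def users_hardened(store):
    """Tokens are credentials, not profile data: the list never includes them.
    Stripping the field from the type also removes it from introspection."""
    return [{"username": u} for u in store.users]


def flag_hardened(store, token):
    """Same contract, but a constant-time comparison and a uniform failure, so
    neither timing nor the error text tells a caller how close a guess was."""
    expected = store.users[store.admin_username]
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return None
    return FLAG


def token_dump_chain(store, users_resolver, flag_resolver):
    """Replay of the writeup's chain: list users, lift the admin's token from
    the response, call flag with it. Returns the flag or None."""
    for record in users_resolver(store):
        if record["username"] == store.admin_username and "token" in record:
            return flag_resolver(store, record["token"])
    return None


if __name__ == "__main__":
    store = Store()
    store.create_user("player@example.invalid")
    print("vulnerable:", token_dump_chain(store, users_vulnerable, flag_vulnerable))
    print("hardened:  ", token_dump_chain(store, users_hardened, flag_hardened))
```

With the hardened resolvers the `flag` query still works for whoever legitimately holds the admin token; what changes is that the API no longer publishes that token, which is the only reason the chain in this writeup succeeds.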

And that's it for the challenge. This tutorial only touched the basics of GraphQL; I've seen SQL injection, command injection etc. exploited through GraphQL, so take time and read up on it. But till the next time, it's goodbye. If you liked the walkthrough don't forget to clap for me down below and follow me so that you won't miss any upcoming walkthroughs.

Musyoka Ian

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)