We have now arrived at the last version of BugDB, version 3. At this stage, if you are reading this post, you should have some understanding of how the queries work and have explored the schema in the GraphiQL client browser.
Leggo!!!! BugDBv3!!!!
The given hint is “What new functionality was added?”. This brought me to look at the documentation in the GraphiQL client browser. Under the object type ‘mutation’, there are 2 fields, ‘attachFile’ and ‘modifyAttachment’.
These are the new functions added to the client browser.
I queried the object type ‘allUsers’ to identify what results I would receive.
And the result was…

It shows me that the subfield ‘attachments’ is blank, giving me the hint that I will have to do a mutation in order to see the flag in ‘attachments’.
However, once I attach the file and query again, all I see is the unique filename.
Once I reached this point, I went to look for more hints.
The hints are:
- What new functionality was added?
- Filenames are always interesting
- How do you access attachments? Hint: not via GraphQL
Based on the last hint, I figured out that ‘attachments’ could be a folder, so I added ‘/attachments/’ to the URL. I got the error message ‘Not Found’, so I was thinking that since ‘attachments’ is just a folder, there should be files in it.
I tried pasting the filename into the URL but still got an error message; then I tried inputting the id attached to the filename and it worked. I can conclude that the filename is bound to the ‘id’ in the field ‘attachFile’.
After that I was stuck and totally clueless; due to my lack of knowledge and skills, I went to search online and found 2 useful resources that helped me understand this CTF.
Here are the 2 links:
- https://www.youtube.com/watch?v=-fFFCau88HE
- https://github.com/testerting/hacker101-ctf/tree/master/bugdb_v3/flag0
I really was stuck and couldn’t move on, so to summarize the resources I found: I can do a directory traversal and go to the file called ‘main.py’.
Based on the resources, I used the other available mutation, ‘modifyAttachment’, to change the filename to “../main.py”.
I went to “/attachments/1” and it returned a web page. I viewed the source code and here are the lines of code.
Afterwards, I watched the YouTube video, and the guy in the Discord chat said that not all the imported files are Python packages; some of them are source code files, and the one that stood out is ‘model’.
I went to modify the filename to “../model.py”.
The result returned a page full of code and I went to view the source code.
In model.py it imports db_session, and here in the source code, on line 7, the ‘engine’ variable is bound to the db_session.
It shows ‘level18.db’, which means that we have to open up level18.db, where the flag is.
I went to modify the filename to ‘../level18.db’ and reloaded the web page. And the flag is there.
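The bug exploited above is a path traversal in how the app serves attachments: the filename stored by ‘modifyAttachment’ is joined straight onto the attachments folder, so “../main.py” escapes it. As an added example (not the BugDB source; the handler functions, the directory name and the in-memory table are assumptions), here is the naive lookup beside a hardened version that rejects path separators and any resolved path outside the directory:

```python
import os
from typing import Optional

# Constructed stand-in for the attachments table: id -> stored filename.
# Ids 2 and 3 hold names as rewritten through the modifyAttachment mutation.
ATTACHMENTS = {
    1: "report.txt",
    2: "../main.py",
    3: "../level18.db",
}
# Hypothetical on-disk folder the /attachments/<id> route serves from.
ATTACHMENT_DIR = os.path.realpath("attachments")


def vulnerable_attachment_path(attachment_id: int) -> str:
    """Naive join: a stored name containing '..' resolves outside ATTACHMENT_DIR."""
    filename = ATTACHMENTS[attachment_id]
    return os.path.normpath(os.path.join(ATTACHMENT_DIR, filename))


def is_safe_filename(filename: str) -> bool:
    """Accept only a bare file name: no separators, no '.' or '..', not empty.
    Apply this to the modifyAttachment input too, so bad names are never stored."""
    if filename in ("", ".", ".."):
        return False
    return os.path.basename(filename) == filename


def safe_attachment_path(attachment_id: int) -> Optional[str]:
    """Hardened lookup: validate the name, then confirm the resolved path
    still lives under ATTACHMENT_DIR (defence in depth, e.g. against symlinks)."""
    filename = ATTACHMENTS[attachment_id]
    if not is_safe_filename(filename):
        return None
    candidate = os.path.realpath(os.path.join(ATTACHMENT_DIR, filename))
    if os.path.commonpath([ATTACHMENT_DIR, candidate]) != ATTACHMENT_DIR:
        return None
    return candidate


def escapes_attachment_dir(path: str) -> bool:
    """True when a resolved path is not inside ATTACHMENT_DIR."""
    resolved = os.path.realpath(path)
    return os.path.commonpath([ATTACHMENT_DIR, resolved]) != ATTACHMENT_DIR
```

The same name check at mutation time would have stopped the rename to “../main.py” before it was ever stored.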
DAMMM, I really struggled a lot, but thanks to the resources, the YouTube video and GitHub, I was able to solve it. Really so thankful right now.
Alright, that’s all folks.
Author: Derek