Hacker101 – BugDBv1

Hi all, hope you have a nice day at work. Today I will be doing the GraphiQL CTF (Hacker101 BugDB v1).

This CTF requires a bit of knowledge of GraphiQL. Though I did not have any idea about GraphiQL, I searched it up and understood that the query format is in JSON format. So, I was too lazy to go learn the rest of the query language, and with that I went straight into doing it.

GraphiQL has an input box that lets us write lines of query code into it to fetch results. Since it is in JSON format, I started out with the curly brackets “{}”.

At first, I did not know what I was going to query for, so I just pressed some random characters and found out that the GraphiQL client interface helps by suggesting what to query for.

[Image: suggested data types]

I was like hmmm, since the client interface helps to list down the data types to query, let’s see what queries I can find. So by looking at the list of object types to query, I chose the object type “allUsers”. Why? Because I just wanted to find out the users in the database, isn’t that the obvious point ahahhahaha

The “allUsers” type has fields in it, and with the help of the suggested fields listed by the client interface, I was able to code out my query. I just kept on finding the available fields that I could input by tabbing all the way ahahahha

So, here is my GraphiQL query structure.

[Image: query_flag1]

The server responded to the query and returned the result, and I was able to find the flag in the “text” field, under the username called “victim”.

[Image: result_flag1]

Alright, that’s all folks for this CTF. If you asked me whether I understand GraphiQL beyond the JSON format, I would say ‘No’. But because the client interface helps to list down the suggested object types and fields to query for, I was able to structure my query.
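The autocomplete that did the work in this writeup is driven by GraphQL introspection: GraphiQL sends a `__schema` query to the endpoint, and the server describes every object type and its fields. The script below, an added example that is not part of the original post, replays that process offline: it summarizes a constructed introspection response, generates a full selection set from it (what the author built by hand with tab-completion), and then pulls every “text” value out of a constructed `allUsers` result, tagged with the enclosing username so the “victim” entry can be picked out. The type names `User`, `Bug` and the field `bugs`, the list-shaped `allUsers` and the `FLAG_PLACEHOLDER` value are all assumptions chosen for the sample; only `allUsers`, `username`, `text` and `victim` come from the page.

```python
import json

# Standard GraphQL introspection query (constructed here for reference; this is
# the kind of request GraphiQL issues to populate its autocomplete list).
INTROSPECTION_QUERY = """
{
  __schema {
    queryType { name }
    types {
      name
      kind
      fields {
        name
        type { name kind ofType { name kind ofType { name kind } } }
      }
    }
  }
}
"""

# Constructed introspection response. The schema shape (User, Bug, bugs) is a
# hypothetical stand-in for the challenge's real schema, which the post only shows as images.
SAMPLE_INTROSPECTION = {"data": {"__schema": {"queryType": {"name": "Query"}, "types": [
    {"name": "Query", "kind": "OBJECT", "fields": [
        {"name": "allUsers", "type": {"name": None, "kind": "LIST",
                                      "ofType": {"name": "User", "kind": "OBJECT"}}}]},
    {"name": "User", "kind": "OBJECT", "fields": [
        {"name": "username", "type": {"name": "String", "kind": "SCALAR"}},
        {"name": "bugs", "type": {"name": None, "kind": "LIST",
                                  "ofType": {"name": "Bug", "kind": "OBJECT"}}}]},
    {"name": "Bug", "kind": "OBJECT", "fields": [
        {"name": "text", "type": {"name": None, "kind": "NON_NULL",
                                  "ofType": {"name": "String", "kind": "SCALAR"}}}]},
    {"name": "String", "kind": "SCALAR", "fields": None},
    {"name": "__Schema", "kind": "OBJECT", "fields": []},
]}}}

# Constructed query result; FLAG_PLACEHOLDER stands in for the real flag.
SAMPLE_RESULT = {"data": {"allUsers": [
    {"username": "admin", "bugs": [{"text": "Login page typo"}]},
    {"username": "victim", "bugs": [{"text": "FLAG_PLACEHOLDER"}]},
]}}


def unwrap_type(t):
    """Strip NON_NULL / LIST wrappers and return the underlying named type."""
    while t and t.get("name") is None and t.get("ofType"):
        t = t["ofType"]
    return t.get("name") if t else None


def summarize_schema(introspection):
    """Map each user-defined object type to {field_name: field_type_name}.
    Built-in types (names starting with '__') and scalars are skipped."""
    summary = {}
    for typ in introspection["data"]["__schema"]["types"]:
        if typ["name"].startswith("__") or typ.get("kind") != "OBJECT":
            continue
        summary[typ["name"]] = {f["name"]: unwrap_type(f["type"])
                                for f in typ.get("fields") or []}
    return summary


def build_query(summary, root="Query", max_depth=4):
    """Generate a selection set that requests every field reachable from root,
    expanding object-typed fields recursively up to max_depth levels."""
    def select(type_name, depth):
        fields = summary.get(type_name)
        if fields is None or depth == 0:
            return ""
        parts = []
        for fname, ftype in fields.items():
            if ftype in summary:                 # nested object: expand it
                sub = select(ftype, depth - 1)
                if not sub:                      # depth exhausted: drop the field
                    continue
                parts.append(fname + sub)
            else:                                # scalar leaf
                parts.append(fname)
        return " { " + " ".join(parts) + " }"
    return select(root, max_depth).strip()


def find_field_values(node, field, context=None):
    """Collect (username, value) pairs for every scalar `field` in a result tree;
    the nearest enclosing 'username' is carried down as context."""
    found = []
    if isinstance(node, dict):
        ctx = node.get("username", context)
        for k, v in node.items():
            if k == field and not isinstance(v, (dict, list)):
                found.append((ctx, v))
            else:
                found.extend(find_field_values(v, field, ctx))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_field_values(item, field, context))
    return found


if __name__ == "__main__":
    schema = summarize_schema(SAMPLE_INTROSPECTION)
    print(json.dumps(schema, indent=2))
    root = SAMPLE_INTROSPECTION["data"]["__schema"]["queryType"]["name"]
    print(build_query(schema, root))
    for user, text in find_field_values(SAMPLE_RESULT["data"], "text"):
        if user == "victim":
            print("victim text:", text)
```

The defensive takeaway is the same thing that made the challenge easy: with introspection enabled, anyone who can reach the endpoint can enumerate every type and field without documentation. Production deployments normally disable introspection and do not expose GraphiQL, and access control must be enforced per field or per object (here, another user's “text”) rather than relying on clients not knowing the field exists.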

Thanks for reading and feel free to comment down.

Author: Derek

Published by bsderek

We are just 2 new authors doing writeups on related cybersecurity topics to educate ourselves. We encourage you to leave a comment in areas where we can improve in terms of skills/knowledge. If we are incorrect in our writeup, please inform us and send us an article to read to better educate ourselves. Feel free to leave a comment behind. Hope you have a nice day!! And don’t forget to hack your life away!!! Peace (00)
