Categories
Capture the Flag & Red Teaming

Walkthrough – Hacker101 – BugDB v3

This post is a writeup of BugDB v3, a Hacker101 CTF web hacking challenge. The challenge is categorized as Moderate, has one flag, and three hints are provided:

  1. What new functionality was added?
  2. Filenames are always interesting
  3. How do you access attachments? Hint: not via GraphQL

Following the provided link leads directly to the main page.

There are two new mutations: attachFile and modifyFile.

Flag 0

We can see that now each bug node has an attachment. However, each attachment is empty in the beginning.

So we add an attachment file with the content test.

And verify that it is now included in the database.

We can see that the file name appears to be random. Cracking attempts with CrackStation did not work at this point. So next, we try to change the file name with the second available mutation.

And verify that it is working.

Then we try to access the attachment file outside of GraphQL. After a little trial and error we identify that the path [ip]/[container]/[attachments]/[id] is working. We are able to access the content of the file by using its id.

This behaviour implies that there is a mapping of the id to the file name. Next, we try to include a local file on the system by pointing the file name to it.

And verify that we are able to include local files.

We are now able to read local files. Next, we try to identify sensitive files. We can see that a module named model is imported, so we try to access it.

In this file, we can see that the database is stored in a file called level18.db in the directory. The next step is trying to read the database.

This database file contains the flag.
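The root cause of this level is a stored attachment name that is joined onto the attachments directory without a containment check, so modifyFile turns the download endpoint into an arbitrary-file read. The following is an added example, not code from the challenge or from Hacker101: a constructed model of that lookup beside a hardened version that validates names when they are stored and refuses any resolved path outside the attachments directory. The directory, the id-to-name table and the random-looking name are assumptions.

```python
import os
import re

# Constructed model of the BugDB v3 attachment download. The request carries only
# an id; the server looks up the stored filename for that id and joins it onto the
# attachments directory. Because modifyFile lets a user rewrite the stored name,
# the join can be steered at any file the process can read. The directory, the
# table and the names below are assumptions, not values taken from the challenge.
ATTACHMENTS_DIR = "/srv/bugdb/attachments"   # assumed location

# Constructed id -> filename table standing in for the database column.
FILE_TABLE = {
    1: "c0ffee42",           # random-looking name as assigned by attachFile
    2: "../model.py",        # name rewritten through modifyFile
    3: "../level18.db",      # the database file the walkthrough reads
}


def vulnerable_resolve(file_id):
    """Trust the stored filename and join it onto the directory (no containment check)."""
    name = FILE_TABLE[file_id]
    return os.path.normpath(os.path.join(ATTACHMENTS_DIR, name))


def is_valid_attachment_name(name):
    """Allow-list check to apply when attachFile/modifyFile store a name: a single
    path component of safe characters, so a traversal string never reaches the table."""
    if name in (".", ".."):
        return False
    return re.fullmatch(r"[A-Za-z0-9._-]{1,64}", name) is not None


def hardened_resolve(file_id):
    """Defence in depth on the download side: re-check the stored name, resolve the
    path and refuse anything that lands outside the attachments directory."""
    root = os.path.realpath(ATTACHMENTS_DIR)
    name = FILE_TABLE[file_id]
    if not is_valid_attachment_name(name):
        raise PermissionError(f"rejected attachment name for id {file_id}")
    candidate = os.path.realpath(os.path.join(root, name))
    # commonpath catches names that escape via '..' or an absolute path
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"attachment {file_id} resolves outside {root}")
    return candidate


if __name__ == "__main__":
    for fid in FILE_TABLE:
        print(fid, vulnerable_resolve(fid))
```

Running the block shows ids 2 and 3 resolving to files beside the attachments directory under the vulnerable lookup, while the hardened lookup raises for both.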


Walkthrough – Hacker101 – BugDB v2

This post is a writeup of BugDB v2, a Hacker101 CTF web hacking challenge. The challenge is categorized as Easy, has one flag, and three hints are provided:

  1. What has changed since last version?
  2. What do the queries tell you?
  3. Have you tried a mutation?

Following the provided link leads directly to the main page.

Flag 0

Before starting the enumeration, we notice that mutations are now available as well. However, as we have a clear picture of what to look for from the previous challenge, we decide to first check where the previous solution fails.

Querying the allBugs node is quite similar. The reporter edge still links to the users node. However, the users node now includes only id and username. Therefore, we cannot access the bugs->text node from here.

Additionally, we notice that the allBugs node now directly links to the text value (which was not the case in the previous challenge). The only reason why we cannot instantly receive the flag is that only results with private value set to false are returned. We don’t know that for sure right now, but in the previous challenge, this value was the difference between the two bugs stored in the database.

Using the mutation to change the private value seems like a reasonable approach from here. To use it, we need to know the id value of the private bug. It can’t be read directly from the database. However, investigating the available id from the public node (QnVnczox) reveals that it is base64 encoded and the plain text is Bugs:1. Thus, id value 2 is a good guess for the id of the private bug.

After the private value is set to false, the flag can be directly received by querying the allBugs node and reading the text value.


Walkthrough – Hacker101 – BugDB v1

This post is a writeup of BugDB v1, a Hacker101 CTF web hacking challenge. The challenge is categorized as Easy, has one flag, and three hints are provided:

  1. What can you see? What can you not see?
  2. What data types are involved?
  3. Have you tried querying different endpoints?

Following the provided link leads directly to the main page.

For now, it is quite unclear where to look for the flag. However, as the application does not have too many options available, we can start by just checking the functionality.

Flag 0

More or less at random, we start to enumerate the allBugs node.

Checking the documentation reveals that the allBugs node has edges to the following nodes: id, reporterid, private and reporter.

By querying for them, we can see that the reporter node has edges to a bug node.

Again we extend our query by the edges available for the bug node: id, reporterid, text, private and reporter.

Even though the relevant bug’s private value is set to true, the text value can be read by the query, revealing the flag. The final path to the flag is: allBugs->reporter->bugs->text.

The interesting thing here is why we can’t directly access bugs->text from allBugs. The answer is that two types need to be distinguished: bugs and bugs_ (the version with text). allBugs has an edge to bugs, while the user node has an edge to bugs_. Therefore there are several paths leading to the flag. Below is an example from allUsers. The path is allUsers->bugs->text. Using user instead of allUsers would work the same way.