This post is a writeup of BugDB v3, a Hacker101 CTF web hacking challenge. The challenge is categorized as Moderate and has one flag. Three hints are provided:
- What new functionality was added?
- Filenames are always interesting
- How do you access attachments? Hint: not via GraphQL
Following the provided link leads directly to the main page.
There are two new mutations: attachFile and modifyFile.
We can see that now each bug node has an attachment. However, each attachment is empty in the beginning.
So we add an attachment file with the content test.
And verify that it is now included in the database.
We can see that the file name appears to be random. Cracking attempts with CrackStation did not work at this point. So next, we try to change the file name with the second mutation available.
And verify that it is working.
Then we try to access the attachment file outside of GraphQL. After a little trial and error we identify that the path [ip]/[container]/[attachments]/[id] is working. We are able to access the content of the file by using its id.
This behaviour implies that there is a mapping of the id to the file name. Next, we try to include a local file on the system by pointing the file name to it.
And verify that we are able to include local files.
We are now able to read local files. Next we try to identify sensitive files. We can see that a module named model is imported and try to access it.
In this file, we can see that the database is stored in a file called level18.db in the directory. The next step is trying to read the database.
This database file contains the flag.
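
The local file read above works because the client-controlled file name is used as a path when the attachment is served by id. As an added example (not code from the challenge or from the original post), the Python sketch below contrasts an assumed unvalidated resolver with one that confines lookups to the attachment directory; the function names, directory layout and file names are constructed for illustration.

```python
import os
import tempfile


def resolve_unsafe(attach_dir, stored_name):
    """Assumed vulnerable pattern: trust the client-set file name as a path."""
    return os.path.normpath(os.path.join(attach_dir, stored_name))


def resolve_safe(attach_dir, stored_name):
    """Return the real path only if it stays inside attach_dir."""
    base = os.path.realpath(attach_dir)
    # realpath collapses ".." segments and follows symlinks before the check.
    target = os.path.realpath(os.path.join(base, stored_name))
    # commonpath compares whole path components, so a sibling directory
    # such as "attachments_old" is not mistaken for a child of "attachments".
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError("file name resolves outside the attachment directory")
    return target


def run_demo():
    """Build a constructed directory layout and compare both resolvers."""
    root = os.path.realpath(tempfile.mkdtemp())
    attach_dir = os.path.join(root, "attachments")
    os.mkdir(attach_dir)
    with open(os.path.join(attach_dir, "a1b2c3"), "w") as f:
        f.write("test")  # constructed attachment
    with open(os.path.join(root, "secret.db"), "w") as f:
        f.write("constructed sensitive data")

    names = ["a1b2c3", "../secret.db", os.path.join(root, "secret.db")]
    results = []
    for name in names:
        stays_inside = os.path.dirname(resolve_unsafe(attach_dir, name)) == attach_dir
        try:
            resolve_safe(attach_dir, name)
            verdict = "allowed"
        except ValueError:
            verdict = "rejected"
        results.append((name, stays_inside, verdict))
    return results


if __name__ == "__main__":
    for name, stays_inside, verdict in run_demo():
        print(f"{name!r}: unsafe stays inside={stays_inside}, safe resolver={verdict}")
```

A stronger design keeps the server-generated random name as the only storage key and treats any user-supplied name as display metadata, so it never reaches the file system.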