This post is a writeup of BugDB v1, a Hacker101 CTF web hacking challenge. The challenge is categorized as Easy, has one flag and a total of three hints is provided:
- What can you see? What can you not see?
- What data types are involved?
- Have you tried querying different endpoints?
Following the provided link leads directly to the main page.
For now, it is quite unclear where to look for the flag. However, as the application has not to many options available, we can start by just checking the functionality.
Just by random choice we start to enumerate the allBugs node.
Checking the documentation, reveals that the allBugs node has edges to the following nodes: id, reporterid, private and reporter.
By querying for them, we can see that the reporter node has edges to a bug node.
Again we extend our query by the edges available for the bug node: id, reporterid, text, private and reporter.
Even though, the relevant bug’s private value is set to true, the text value can be read by the query, revealing the flag. The final path to the flag is: allBugs->reporter->bugs->text
The interesting thing here is, why we can’t directly access bugs->text from allBugs. The answer is that bugs need to be distinguished in bugs and bugs_ (the version with text) allBugs has an edge to bugs, while the user node has an edge to bugs_. Therefore there are several paths leading to the flag. Below is an example from allUsers. The path is allUsers->bugs->text. user instead of allUsers would work the same.