This post is a writeup of BugDB v2, a Hacker101 CTF web hacking challenge. The challenge is categorized as Easy, has one flag and a total of three hints is provided:
- What has changed since last version?
- What do the queries tell you?
- Have you tried a mutation?
Following the provided link leads directly to the main page.
Before starting the enumeration, we notice that mutations are now available as well. However, as we have a clear picture of what to looking for from the previous challenge, we decide to first check where the previous solution fails.
Querying the allBugs node is quite similar. The reporter edge still links to the users node. However, the users node now includes only id and username. Therefore, we cannot access the bugs->text node from here.
Additionally, we notice that the allBugs node now directly links to the text value (which was not the case in the previous challenge). The only reason why we cannot instantly receive the flag is that only results with private value set to false are returned. We don’t know that for sure right now, but in the previous challenge, this value was the difference between the two bugs stored in the database.
Using the mutation to change the private value seems like a reasonable approach from here. To use it, we need to know the id value of the private bug. It can’t be read directly from the database. However, investigating the available id from the public node (QnVnczox) reveals that is base64 encoded and the plain text is Bugs:1. Thus, id value 2 is a good guess for the id of the private bug.
After the private value is set to false, the flag can be directly received by querying the allBugs node and reading the text value.