HTB Business CTF 2021 — NoteQL

Al Francis
2 min read · Jul 27, 2021

If you haven't read the first challenge yet, you can visit the link below.

Challenge: NoteQL

Category: Web

The application is a note-taking app that uses GraphQL to save and fetch notes. I forgot to screenshot the main page of the challenge, but our goal is to get the hidden/admin notes.

I used Burp Suite to observe the GraphQL requests and responses.

The default query is:

{"query" : "{ MyNotes {id, title, completed}}"}

I tried changing MyNotes to Notes (a guess) and got an interesting response: Notes does not exist, but the error message suggests similar fields, such as Note, MyNotes, and AllNotes.

I changed the query to AllNotes and found the flag at id: 3, title: HTB{n0b0dy_c0ntr0ls_m3!!}
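As an added illustration (not part of this writeup or of the challenge's own code), the following Python models the two weaknesses seen above: an AllNotes resolver that returns every user's notes with no authorization check, and the "Did you mean" field suggestion that revealed the field name. The sample notes, the viewer context, and the minimal root-field dispatcher standing in for a real GraphQL engine are all assumptions.

```python
import difflib
import json
import re

# Constructed sample data modelled on the challenge: note 3 belongs to the admin.
NOTES = [
    {"id": 1, "owner": "alice", "title": "shopping list", "completed": False},
    {"id": 2, "owner": "bob", "title": "todo", "completed": True},
    {"id": 3, "owner": "admin", "title": "hidden admin note", "completed": False},
]

def my_notes(viewer):
    # Scoped to the caller: only the viewer's own notes are returned.
    return [n for n in NOTES if n["owner"] == viewer["user"]]

def all_notes_vulnerable(viewer):
    # Vulnerable: any authenticated user can list everyone's notes.
    return list(NOTES)

def all_notes_fixed(viewer):
    # Fixed: the resolver itself enforces the admin role (assumed context key).
    if viewer.get("role") != "admin":
        raise PermissionError("AllNotes requires the admin role")
    return list(NOTES)

VULNERABLE = {"MyNotes": my_notes, "AllNotes": all_notes_vulnerable}
FIXED = {"MyNotes": my_notes, "AllNotes": all_notes_fixed}

ROOT_FIELD = re.compile(r"^\s*\{\s*(\w+)\s*\{")

def execute(request_body, viewer, resolvers, suggest=True):
    """Stand-in for a GraphQL engine: dispatch on the root field only."""
    query = json.loads(request_body)["query"]
    m = ROOT_FIELD.match(query)
    if not m:
        return {"errors": ["malformed query"]}
    field = m.group(1)
    if field not in resolvers:
        msg = f'Cannot query field "{field}"'
        if suggest:  # default GraphQL behaviour: leak similar field names
            close = difflib.get_close_matches(field, resolvers, n=3, cutoff=0.6)
            if close:
                msg += " Did you mean " + ", ".join(f'"{c}"' for c in close) + "?"
        return {"errors": [msg]}
    try:
        return {"data": {field: resolvers[field](viewer)}}
    except PermissionError as exc:
        return {"errors": [str(exc)]}
```

Running the page's AllNotes query as a normal user against VULNERABLE returns all three notes, while FIXED returns an error; with suggest=False the unknown-field error no longer enumerates neighbouring schema fields.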


Al Francis

Co-Founder of Kalasag and Project Access Granted Society. A Certified Ethical Hacker, EC-Council Certified Incident Handler and Certified Blockchain Developer.