HTB Business CTF 2021 — NoteQL

Al Francis
2 min readJul 27, 2021

--

If you haven’t read yet the first challenge you can visit the link below

Challenge: NoteQL

Category: Web

The application is a note-taking application that uses GraphQL to save and fetch notes. I forgot to screenshots the main page of the challenge but our goal is to get the Hidden/Admin Notes.

I use Burpsuite to observe the GraphQL request and response.

Default query is:

{“query” : “{ MyNotes {id, title, completed}}”}

I tried to change the MyNotes to Notes (guess), but I found an interesting response. Notes do not exist, but the response suggests other Notes, such as Note, MyNotes, and AllNotes.

I change the query into AllNotes, then I found the flag at id:3, title: HTB{n0b0dy_c0ntr0ls_m3!!}

--

--

Al Francis
Al Francis

Written by Al Francis

Co-Founder of Kalasag and Project Access Granted Society. A Certified Ethical Hacker,EC-Council Certified Incident Handler and Certified Blockchain Developer.

No responses yet