cristi075@home:~$

Mildly secure

HTB Business CTF 2021 - NoteQL writeup

NoteQL was a challenge at the HTB Business CTF 2021 from the ‘Web’ category.
After spawning the container for this challenge we got a URL that led to a simple note-taking app.

Note taking app

If we take a look at what the app is doing, we can see a series of GraphQL queries being made in the background.
For example, this is one of the requests seen in BurpSuite.

GraphQL query

And this is its response.

GraphQL query

This means that we could probably change the query and see other parts of the database.
First let’s try learning more about the database.

{ 
    "query": "{ __schema { queryType { name, fields { name, description } } } }" 
}

This is an introspection query; it returns information about the queries supported by this GraphQL instance.
Introspection queries usually query the __schema field.
You can learn more about GraphQL introspection by reading the official GraphQL documentation.
Now let's see the results for that query.

GraphQL database info

Before, the application was only querying 'MyNotes', but we can see that the schema also exposes 'Note', 'NotesFrom' and 'AllNotes'.
Let's start by getting the content of 'AllNotes', since that seems to be the most comprehensive.

{
    "query": "{ AllNotes { id, title, completed } }"
}

After sending that query we get this response.

GraphQL query

And the flag is easily readable in there.
I guess this was pretty easy.
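As an added example (not part of the original writeup), here is a small Python script that parses a constructed introspection response shaped like the one returned above, lists the root query fields beyond the ones the front end actually uses (which is exactly how 'AllNotes' stood out), and flags request bodies that touch __schema or __type so a log review or WAF rule can spot introspection hitting a production endpoint. The field descriptions in the sample are made up; only the field names come from the writeup.

```python
import json
import re

# Constructed sample: the shape of the response to the introspection query
# on this page. Field names match the writeup, descriptions are invented.
SAMPLE_INTROSPECTION_RESPONSE = json.dumps({
    "data": {
        "__schema": {
            "queryType": {
                "name": "Query",
                "fields": [
                    {"name": "MyNotes", "description": "Notes of the current user"},
                    {"name": "Note", "description": "A single note by id"},
                    {"name": "NotesFrom", "description": "Notes from a given user"},
                    {"name": "AllNotes", "description": "Every note in the database"},
                ],
            }
        }
    }
})

# __schema and __type are the introspection roots. The word boundary keeps
# the harmless __typename field (commonly sent by front-end clients) from matching.
INTROSPECTION_RE = re.compile(r"\b__(schema|type)\b")


def query_fields(response_text):
    """Return the root query field names exposed by an introspection response."""
    data = json.loads(response_text)
    fields = data["data"]["__schema"]["queryType"]["fields"]
    return [f["name"] for f in fields]


def unexpected_fields(response_text, known_fields):
    """Fields the schema exposes that the front end is not known to use."""
    return [f for f in query_fields(response_text) if f not in known_fields]


def is_introspection(request_body):
    """True if a GraphQL request body (JSON with a 'query' key) is an introspection query."""
    try:
        body = json.loads(request_body)
    except ValueError:
        return False
    query = body.get("query", "") if isinstance(body, dict) else ""
    return bool(INTROSPECTION_RE.search(query))


if __name__ == "__main__":
    # The app only ever used MyNotes; everything else is extra attack surface.
    print(unexpected_fields(SAMPLE_INTROSPECTION_RESPONSE, ["MyNotes"]))
```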