Home HtB - CA2023 - Passman
Post
Cancel

HtB - CA2023 - Passman

Posted Apr 17, 2023 Updated Dec 12, 2023
By Hack Sparrow
1 min read

banner HackTheBox Cyber Apocalypse 2023

Pandora discovered the presence of a mole within the ministry. To proceed with caution, she must obtain the master control password for the ministry, which is stored in a password manager. Can you hack into the password manager?

source_code

Solution

Observing the source code we find a function in database.js to update users’ passwords that only takes two arguments, a username and password, updating that password without authentication; db-src-code

Exploring a little further in the source code and checking GraphqlHelper.js, we indeed see that the function only takes two arguments; graphql-src-code

So the first thing we do is intercept a response for a basic post to see the structure of the request; graphql-post-structure

Next, we’ll update the POST request with our target request (UpdatePassword) on our target user (admin); post-paylod

And we get our “Updated successfully” respons so we know it worked!

Now we can log in with our newly set credentials for admin and get our flag; flag

Flag HTB{1d0r5_4r3_s1mpl3_4nd_1mp4ctful!!}

hackthebox, Cyber Apocalypse 2023, Web
write-up web graphql authorization-bypass hackthebox ctf
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents

HtB - CA2023 - Orbital

HtB - CA2023 - Didactic Octo Paddles

Comments powered by Disqus.