Ottergram

Today's hint is "Facebook made it". So if you know, you know, but if you don't, Facebook made GraphQL.

This was my first ever GraphQL application. So solving this was a combination of pure dumb luck and a bit of a feel for how data works. But at this point in time I had no experience and did not really know what I was doing.

So I noticed the endpoint /graphql. Inside a request there was a JSON object with a query parameter.

I did what any sane person would do at this point and tried another ID.

At this point I got a bit cocky 🐓 and I just tried querying for the password of the user admin.

I could have anticipated that that would not work. But reading the error message I figured Analytics just didn't have the field password. So I tried changing it up a bit and queried user instead of analytics.

Another error message means we're making progress! When I read that error message, I realised that the argument id was required, but I was using userId. So I changed that to id.

And just like that, I solved my first ever GraphQL app and got the flag 🇧🇪
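A defender's view of the flaw described above, as an added example that is not the challenge's code: a user resolver that returns any record by id with the stored password selectable, next to a version with an object-level check and a field allow-list. The sample data, the resolver maps, ctx.viewer and the execute stand-in are all assumptions made for illustration.

```javascript
// Constructed sample data; the challenge's real schema and storage are not on the page.
const USERS = new Map([
  ["1", { id: "1", username: "admin", password: "constructed-secret", role: "admin" }],
  ["2", { id: "2", username: "otter", password: "constructed-pw", role: "user" }],
]);

// Vulnerable shape: any caller may load any user by id, and every stored
// column (including password) is exposed as a selectable field.
const vulnerableResolvers = {
  Query: { user: (_parent, { id }, _ctx) => USERS.get(String(id)) ?? null },
};

// Hardened shape: object-level check in the resolver, plus an explicit
// allow-list so secrets never become part of the API type.
const PUBLIC_USER_FIELDS = ["id", "username"];
const toPublicUser = (row) => Object.fromEntries(PUBLIC_USER_FIELDS.map((f) => [f, row[f]]));

const hardenedResolvers = {
  Query: {
    user: (_parent, { id }, ctx) => {
      const viewer = ctx.viewer; // set by the auth layer, never by query arguments
      if (!viewer) throw new Error("UNAUTHENTICATED");
      const row = USERS.get(String(id));
      // Same error for "missing" and "not yours" so ids cannot be enumerated.
      if (!row || (viewer.id !== row.id && viewer.role !== "admin")) {
        throw new Error("NOT_FOUND");
      }
      return toPublicUser(row);
    },
  },
};

// Minimal stand-in for a GraphQL executor (hypothetical helper): resolve, then keep requested fields.
function execute(resolvers, id, fields, ctx) {
  try {
    const obj = resolvers.Query.user(null, { id }, ctx);
    if (obj === null) return { data: { user: null } };
    const picked = {};
    for (const f of fields) {
      if (!(f in obj)) return { errors: [`Cannot query field "${f}" on type "User".`] };
      picked[f] = obj[f];
    }
    return { data: { user: picked } };
  } catch (e) {
    return { errors: [e.message] };
  }
}
```

The check belongs in the resolver (or the data layer it calls), because the client chooses both the id argument and the selected fields.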
