
Hydroadmin


Task: Fix a GraphQL batching vulnerability that allows PIN brute-force bypass of rate limiting. Solution: Use the online code editor API to read index.js, change allowBatchedHttpRequests from true to false in Apollo Server config, save the patched file, restart the server, and verify the fix to receive the flag.

Tags: graphql_batching, pin_bruteforce, file_manipulation, server_restart


Hydroadmin - HackTheBox Challenge

Description

"With reservoirs sealed and cities teetering on thirst, our heroes storm the HydroAdmin control room to reopen valves and restore the flow of water."

Target: 83.136.249.164:45091

Analysis

Initial Reconnaissance

Discovered an online code editor called "HTB Editor" at the target with the following API endpoints:

  • /api/directory - list files
  • /api/file?path=X - read file content
  • /api/create-file - create new file
  • /api/rename - rename files
  • /api/restart - restart the server
  • /api/verify - verify if vulnerability is patched

Source Code Analysis

Key files discovered:

index.js - Main server with Apollo GraphQL server configured with vulnerable batching:

    const server = new ApolloServer({
      ...armor.protect(),
      introspection: false,
      typeDefs,
      allowBatchedHttpRequests: true, // VULNERABLE!
      resolvers,
    });

models/ControlPin.js - PIN generation (4-digit, 1000-9999) and verification logic

schema/resolvers.js - GraphQL resolvers including PIN verification

exploit/solver.py - A script showing how to exploit GraphQL batching to brute-force PINs

The Vulnerability

The GraphQL server had allowBatchedHttpRequests: true which allows:

  • Sending multiple GraphQL queries in a single HTTP request
  • Bypassing rate limiting (10 requests per minute)
  • Brute-forcing all 9000 possible PINs (1000-9999) in just a few batch requests
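To make the second bullet concrete, here is an added toy simulation (not code from the challenge or the writeup) of two per-client rate limiters. RequestLimiter counts HTTP requests the way the page's 10-per-minute limit does and is blind to how many operations one batched body carries; OperationLimiter charges every GraphQL operation in the body against the same budget, which is the behaviour a limiter needs if batching stays enabled. The request bodies are constructed, and the operation name verifyPin is an assumption (the page only says the resolvers verify PINs).

```python
from collections import defaultdict

LIMIT = 10  # the page's limit: 10 requests per minute per client

# Constructed sample bodies (not captured from the challenge). The operation
# name "verifyPin" is an assumption; the page only says resolvers verify PINs.
SINGLE = {"query": "mutation($p: String!) { verifyPin(pin: $p) }",
          "variables": {"p": "1000"}}
BATCH = [{"query": "mutation($p: String!) { verifyPin(pin: $p) }",
          "variables": {"p": str(p)}} for p in range(1000, 1100)]


def operation_count(body) -> int:
    """A batched HTTP request carries a JSON array of operations; a normal one
    carries a single object. Apollo Server accepts the array form only when
    allowBatchedHttpRequests is true."""
    return len(body) if isinstance(body, list) else 1


class RequestLimiter:
    """What the page describes: a counter of HTTP requests per client.
    It cannot see how many operations one request contains."""

    def __init__(self, limit: int = LIMIT):
        self.limit = limit
        self.used = defaultdict(int)

    def allow(self, client: str, body) -> bool:
        self.used[client] += 1
        return self.used[client] <= self.limit


class OperationLimiter:
    """Batch-aware counterpart: every operation in the body spends one unit of
    the budget, so a batch cannot buy more attempts than single requests would."""

    def __init__(self, limit: int = LIMIT):
        self.limit = limit
        self.used = defaultdict(int)

    def allow(self, client: str, body) -> bool:
        cost = operation_count(body)
        if self.used[client] + cost > self.limit:
            return False
        self.used[client] += cost
        return True


def admitted_operations(limiter, client: str, requests) -> int:
    """Count the GraphQL operations that would reach the PIN resolver."""
    total = 0
    for body in requests:
        if limiter.allow(client, body):
            total += operation_count(body)
    return total


if __name__ == "__main__":
    ten_batches = [BATCH] * 10
    print("request-counting limiter, 10 batched requests:",
          admitted_operations(RequestLimiter(), "10.0.0.1", ten_batches))
    print("operation-counting limiter, same traffic:",
          admitted_operations(OperationLimiter(), "10.0.0.1", ten_batches))
```

With the request counter, ten batched requests of 100 operations each put 1000 PIN checks through the resolver while the limiter sees only ten "requests"; the operation counter rejects every one of those batches because a single batch already exceeds the budget. Disabling allowBatchedHttpRequests, as the challenge asks, removes the array form entirely, so the simpler request counter becomes sufficient again.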

The Twist

This challenge required PATCHING the vulnerability, not exploiting it! The /api/verify endpoint checked if the vulnerability was fixed.

Solution

Exploitation Steps

  1. Rename original file: Backup the vulnerable index.js
  2. Read backup: Get the original content
  3. Patch content: Change allowBatchedHttpRequests: true to allowBatchedHttpRequests: false
  4. Create patched file: Write the fixed version
  5. Restart server: Apply changes
  6. Get flag: Verify the patch
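The six steps above, carried through as an added example script (this is not the writeup's own solver, whose code is only partially shown). The endpoint paths and the target address come from the page; everything about the request and response shapes is an assumption: /api/file is taken to return the raw file text, the JSON keys "path", "newPath" and "content" are guesses, and /api/restart and /api/verify are assumed to accept a plain request without a body. The one design choice worth noting is that the file is read and patched locally before anything is renamed, so a file that does not contain the vulnerable flag (already patched, or the wrong file) leaves the server untouched.

```python
#!/usr/bin/env python3
"""Added example: apply the six-step patch through the HTB Editor API.

Endpoint paths are from the writeup. Request/response shapes are assumptions:
/api/file is taken to return raw file text, and the JSON keys "path",
"newPath" and "content" are guesses, not confirmed by the page.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Optional

BASE_URL = "http://83.136.249.164:45091"  # target from the writeup
TARGET_FILE = "index.js"
BACKUP_FILE = "index.js.bak"  # assumed backup name

# Matches the vulnerable setting with any whitespace around the colon.
BATCHING_ON = re.compile(r"allowBatchedHttpRequests\s*:\s*true")

# Constructed sample of the vulnerable config, mirroring the snippet on the page.
SAMPLE_CONFIG = """const server = new ApolloServer({
  ...armor.protect(),
  introspection: false,
  typeDefs,
  allowBatchedHttpRequests: true, // VULNERABLE!
  resolvers,
});
"""


def patch_batching(source: str) -> str:
    """Flip the flag to false. Refuse when the flag is absent, so an already
    patched (or unrelated) file is never overwritten and the server is never
    restarted for nothing."""
    patched, count = BATCHING_ON.subn("allowBatchedHttpRequests: false", source)
    if count == 0:
        raise ValueError("allowBatchedHttpRequests: true not found; nothing to patch")
    return patched


def is_patched(source: str) -> bool:
    """Local check before calling /api/verify: batching must be explicitly off."""
    return (BATCHING_ON.search(source) is None
            and "allowBatchedHttpRequests: false" in source)


def api(path: str, params: Optional[dict] = None, body: Optional[dict] = None) -> str:
    """GET when body is None, otherwise POST JSON. Returns the response text."""
    url = BASE_URL + path + ("?" + urllib.parse.urlencode(params) if params else "")
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Content-Type": "application/json"} if body is not None else {}
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


def main() -> None:
    # Read and patch first: a failure here changes nothing on the server.
    original = api("/api/file", params={"path": TARGET_FILE})           # step 2
    patched = patch_batching(original)                                  # step 3
    api("/api/rename", body={"path": TARGET_FILE, "newPath": BACKUP_FILE})   # step 1
    api("/api/create-file", body={"path": TARGET_FILE, "content": patched})  # step 4
    # Re-read what the server now holds before restarting on top of it.
    if not is_patched(api("/api/file", params={"path": TARGET_FILE})):
        raise RuntimeError("written file still enables batching; not restarting")
    api("/api/restart")                                                 # step 5
    print(api("/api/verify"))                                           # step 6: flag


if __name__ == "__main__":
    main()
```

The re-read before /api/restart is the check a practitioner would want: it confirms the server-side copy, not just the local string, no longer enables batching before the process is bounced.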

Exploit Script

    #!/usr/bin/env python3
    """
    Hydroadmin - GraphQL Batching Patch Challenge
    HackTheBox Challenge
    """
    import requests

    BASE_URL = "http://83.136.249.164:45091"
    ...
