webmedium

Hydroadmin

hackthebox

Task: Fix a GraphQL batching vulnerability that allows PIN brute-force bypass of rate limiting. Solution: Use the online code editor API to read index.js, change allowBatchedHttpRequests from true to false in Apollo Server config, save the patched file, restart the server, and verify the fix to receive the flag.

$ ls tags/ techniques/

graphql api_exploitation batching_attack rate_limit_bypass code_editor patch_challenge

graphql_batchingpin_bruteforcefile_manipulationserver_restart

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub, then upgrade to Pro.

$ssh [email protected]