hackthebox
Task: Fix a GraphQL batching vulnerability that allows PIN brute-force bypass of rate limiting. Solution: Use the online code editor API to read index.js, change allowBatchedHttpRequests from true to false in Apollo Server config, save the patched file, restart the server, and verify the fix to receive the flag.
"With reservoirs sealed and cities teetering on thirst, our heroes storm the HydroAdmin control room to reopen valves and restore the flow of water."
Target: 83.136.249.164:45091
Discovered an online code editor called "HTB Editor" at the target with the following API endpoints:
- `/api/directory` - list files
- `/api/file?path=X` - read file content
- `/api/create-file` - create new file
- `/api/rename` - rename files
- `/api/restart` - restart the server
- `/api/verify` - verify if vulnerability is patched

Key files discovered:
- `index.js` - Main server with Apollo GraphQL server configured with vulnerable batching:

  ```js
  const server = new ApolloServer({
    ...armor.protect(),
    introspection: false,
    typeDefs,
    allowBatchedHttpRequests: true, // VULNERABLE!
    resolvers
  });
  ```

- `models/ControlPin.js` - PIN generation (4-digit, 1000-9999) and verification logic
- `schema/resolvers.js` - GraphQL resolvers including PIN verification
- `exploit/solver.py` - A script showing how to exploit GraphQL batching to brute-force PINs
The GraphQL server had `allowBatchedHttpRequests: true`, which allows:
This challenge required PATCHING the vulnerability, not exploiting it!
The /api/verify endpoint checked if the vulnerability was fixed.
Changed `allowBatchedHttpRequests: true` to `allowBatchedHttpRequests: false`.

```python
#!/usr/bin/env python3
"""
Hydroadmin - GraphQL Batching Patch Challenge
HackTheBox Challenge
"""
import requests

BASE_URL = "http://83.136.249.164:45091"
...
```
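The writeup's own solver is cut off above, so here is an added example (not the writeup's script) of the patch step: locate the batching opt-in in `index.js`, flip it to `false` without disturbing the rest of the config, and confirm nothing vulnerable remains before restarting. With batching off, Apollo Server rejects a JSON-array request body, so a per-request rate limit once again counts one PIN guess per request instead of one per batched operation. The regex, the constructed `SAMPLE_INDEX_JS`, and the request shapes for the editor API are assumptions: the page lists the endpoint paths only, so the save step (a JSON POST to `/api/create-file` with `path` and `content`) and the plain POSTs to `/api/restart` and `/api/verify` are placeholders to adjust against the real editor.

```python
#!/usr/bin/env python3
"""
Added example, not the writeup's solver.

Patches an Apollo Server config so batched HTTP requests are refused and
checks that the change took. Editor API request shapes are ASSUMPTIONS
(the page only names the endpoint paths) and must be adjusted before use.
"""
import json
import re
import sys
import urllib.parse
import urllib.request
from typing import Tuple

# Matches the opt-in regardless of spacing around the colon; the trailing
# comment is left untouched so the resulting diff is a single token.
BATCH_OPTION = re.compile(r"(allowBatchedHttpRequests\s*:\s*)true\b")

# Constructed sample mirroring the vulnerable fragment quoted in the writeup.
SAMPLE_INDEX_JS = """\
const server = new ApolloServer({
  ...armor.protect(),
  introspection: false,
  typeDefs,
  allowBatchedHttpRequests: true, // VULNERABLE!
  resolvers
});
"""


def patch_batching(source: str) -> Tuple[str, int]:
    """Return (patched_source, number_of_replacements)."""
    return BATCH_OPTION.subn(r"\1false", source)


def batching_enabled(source: str) -> bool:
    """True while the config still opts in to batched HTTP requests.
    An absent option counts as disabled, which is Apollo Server's default."""
    return BATCH_OPTION.search(source) is not None


def read_file(base_url: str, path: str) -> str:
    # GET /api/file?path=X is the read endpoint named on the page.
    url = f"{base_url}/api/file?{urllib.parse.urlencode({'path': path})}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()


def save_file(base_url: str, path: str, content: str) -> None:
    # ASSUMPTION: saving is a JSON POST to /api/create-file with path+content.
    body = json.dumps({"path": path, "content": content}).encode()
    req = urllib.request.Request(
        f"{base_url}/api/create-file", data=body,
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        resp.read()


def post(base_url: str, endpoint: str) -> str:
    # ASSUMPTION: /api/restart and /api/verify accept an empty POST.
    req = urllib.request.Request(f"{base_url}{endpoint}", data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def main(base_url: str) -> int:
    source = read_file(base_url, "index.js")
    patched, replaced = patch_batching(source)
    if replaced == 0:
        print("no 'allowBatchedHttpRequests: true' found; nothing to patch")
        return 1
    if batching_enabled(patched):
        print("patch left a batching opt-in behind; refusing to save")
        return 1
    save_file(base_url, "index.js", patched)
    post(base_url, "/api/restart")
    print(post(base_url, "/api/verify"))
    return 0


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} http://<editor-host>:<port>")
        sys.exit(2)
    sys.exit(main(sys.argv[1].rstrip("/")))
```

Run it as `python3 patch.py http://<editor-host>:<port>`; the two pure functions (`patch_batching`, `batching_enabled`) can be exercised on `SAMPLE_INDEX_JS` without any server. Patching only the option value, rather than rewriting the whole `ApolloServer({...})` block, keeps `armor.protect()` and `introspection: false` exactly as the challenge shipped them.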