Help needed Gpahql skill assessment [SOLVED]

positiveid · November 19, 2024, 11:01am

I am in skill assessment of graphql. I searched everything. I found admin apikey, id and username. I don’t know what to do. I am out of ideas

ertaku · November 20, 2024, 12:01pm

Me too. Can somebody lead us to answer? @positiveid

positiveid · November 22, 2024, 9:30am

I got it, try to find vulnerability from last name and use that vulnerability to find flag

SecTestAli · December 2, 2024, 5:18am

Hey man I’m stuck here since 2 days, down in the rabbit hole

playing around this one:

{
x(x: “admin api”, x: “*****man”) {
x
x
x
x
}
}

I know here’s something but unable to exploit it.

positiveid · December 2, 2024, 5:31am

No bro try to find sql injection vulnerability

SecTestAli · December 2, 2024, 9:47am

yeah lastname thing, but couldnt exploit, i know maybe I would be doing something dumb and silly or ignoring something

positiveid · December 2, 2024, 10:13am

Revisit to “injection” part of graphql module, it is very easy

SecTestAli · December 3, 2024, 2:37am

I revisited, practiced again, and got the flag, thanks man!

Topic		Replies	Views
noSQL injection Skills Assessment II Academy academy-help	43	2409	December 10, 2024
SQLMap Essentials - Skills Assesment - Final Flag Academy academy , htb-academy , academy-help	1	363	December 9, 2024
Academy sqlmap essentials Skill Assessement Off-topic academy	1	1284	May 2, 2022
HTB ACADEMY - Skills Assessment : SQL Injection Fundamentals Challenges sqli , sql-injection , academy , skills-assessment , injection	2	2086	April 23, 2021
Attacking Authentication Mechanisms Skills Assessment Academy academy	21	1039	February 15, 2025