Port 8202 hosts a web application with a single login form. When we tried to log in with random credentials, we observed that the form calls a GraphQL API to authenticate against the remote server.


With the following payload we can dump the database schema and take a look at it:
{__schema{types{name,fields{name, args{name,description,type{name, kind, ofType{name, kind}}}}}}}

Investigating the response, we found an object called userCreate.

By crafting a new query, after modifying the original log-in payload, we ended up creating a new user called r1p with password 1234abcd.

The next step was to log in with said credentials and retrieve the flag.

https://rushisec.net/content/images/2020/12/queen_of_spades.png