2020 Metasploit Community CTF – Queen of Spades (port 8202) [Web]

Port 8202 hosts a web application with a single login form. Trying to log in with random credentials, we observed that the form calls a GraphQL API to authenticate against the remote server.

With the following introspection payload we can dump the GraphQL schema and take a look at it:
{__schema{types{name,fields{name, args{name,description,type{name, kind, ofType{name, kind}}}}}}}

Investigating the response, we found an object called userCreate.

By modifying the original login payload into a new query, we created a new user called r1p with password 1234abcd.

The next step was to log in with said credentials and retrieve the flag.
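As an added example that is not part of the original writeup, the following Python routine flags the two behaviours this walkthrough depends on, an introspection query and a userCreate mutation issued without a session, in constructed access-log entries. The log format (src, auth, body fields) and the alert names are assumptions for the example.

```python
import json
import re

# Mutations that create or modify accounts; they should never succeed without a session.
SENSITIVE_MUTATIONS = {"userCreate"}
# Any reference to the meta-fields used by schema introspection.
INTROSPECTION = re.compile(r"__schema\b|__type\s*\(")
# First top-level field of an operation, e.g. "mutation { userCreate(...) {" -> userCreate.
TOP_FIELD = re.compile(r"^\s*(?:(query|mutation)\b[^{]*)?\{\s*(\w+)", re.DOTALL)

# Constructed sample log entries (assumed format): source address, whether the
# request carried a valid session, and the raw JSON body sent to the GraphQL endpoint.
SAMPLE_LOGS = [
    {"src": "10.0.0.5", "auth": False,
     "body": json.dumps({"query": "{__schema{types{name,fields{name}}}}"})},
    {"src": "10.0.0.5", "auth": False,
     "body": json.dumps({"query": 'mutation { userCreate(username: "r1p", password: "1234abcd") { id } }'})},
    {"src": "10.0.0.9", "auth": True,
     "body": json.dumps({"query": 'mutation { userCreate(username: "bob", password: "x") { id } }'})},
    {"src": "10.0.0.7", "auth": False,
     "body": json.dumps({"query": 'mutation { login(username: "bob", password: "x") { token } }'})},
]


def analyse(entry):
    """Return the list of alert names raised by one log entry."""
    alerts = []
    try:
        query = json.loads(entry["body"]).get("query", "")
    except (ValueError, TypeError, AttributeError):
        return ["malformed-graphql-body"]
    if INTROSPECTION.search(query):
        alerts.append("introspection-query")
    m = TOP_FIELD.match(query)
    # Only a mutation naming a sensitive field and lacking a session is alerted;
    # an authenticated (e.g. admin) userCreate and an unauthenticated login are normal.
    if m and m.group(1) == "mutation" and m.group(2) in SENSITIVE_MUTATIONS and not entry["auth"]:
        alerts.append("unauthenticated-" + m.group(2))
    return alerts


def scan(logs):
    """Group alerts by source address so a single client chaining both steps stands out."""
    report = {}
    for entry in logs:
        for alert in analyse(entry):
            report.setdefault(entry["src"], []).append(alert)
    return report
```

Running scan(SAMPLE_LOGS) attributes both alerts to 10.0.0.5, the same sequence (introspection followed by account creation) that this writeup walks through.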