# NoteQL

Challenge: NoteQL

Category: Web

<figure><img src="https://382757542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfAxmqRz869b0dQQ6DjHW%2Fuploads%2FPKThx1AAgCdhgDyYYq1E%2F6.png?alt=media&#x26;token=761eba10-a89c-4046-8e1c-2e5994277232" alt=""><figcaption></figcaption></figure>

The application is a note-taking application that uses GraphQL to save and fetch notes. I forgot to screenshot the main page of the challenge, but our goal is to get the Hidden/Admin Notes.

I use Burp Suite to observe the GraphQL request and response.

<figure><img src="https://382757542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfAxmqRz869b0dQQ6DjHW%2Fuploads%2FQocXwymgLzbvJ8GbdOtj%2F7.png?alt=media&#x26;token=3a44ddc3-2d09-4455-95b1-8fe00479fa1d" alt=""><figcaption></figcaption></figure>

The default query is:

`{"query": "{ MyNotes {id, title, completed}}"}`

I tried changing MyNotes to Notes (a guess) and found an interesting response. Notes does not exist, but the response suggests other Notes, such as **Note, MyNotes, and AllNotes**.

<figure><img src="https://382757542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfAxmqRz869b0dQQ6DjHW%2Fuploads%2FOMvI9fBLQ1CBIq3JC3tl%2F8.png?alt=media&#x26;token=c35de356-2e07-42a9-b223-6e69caddfa1c" alt=""><figcaption></figcaption></figure>

I changed the query to **AllNotes** and found the flag at **id:3, title: HTB{n0b0dy\_c0ntr0ls\_m3!!}**

<figure><img src="https://382757542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfAxmqRz869b0dQQ6DjHW%2Fuploads%2F7TLIQjCBft21oCR9pWZg%2F9.png?alt=media&#x26;token=f6df224b-e565-4c41-8123-6bfa32cfcf9f" alt=""><figcaption></figcaption></figure>
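As an added example (not the challenge's code), this sketch shows the two server-side fixes for the issue exploited above: an authorization check on `AllNotes`, and removal of the "Did you mean" hints from error responses. The resolver names come from the write-up; the note data, the `ctx` shape with `user` and `role`, the `runQuery` dispatcher, and the sample error text (modeled on the graphql-js message format) are assumptions.

```javascript
// Added example, not the challenge's code. Note data and ctx shape are constructed.
const NOTES = [
  { id: 1, title: "Buy milk", completed: false, owner: "alice" },
  { id: 2, title: "Pay rent", completed: true, owner: "alice" },
  { id: 3, title: "admin-only note", completed: false, owner: "admin" },
];

// Hardened resolvers: every query is scoped to, or gated on, the caller's identity.
const resolvers = {
  MyNotes: (ctx) => NOTES.filter((n) => n.owner === ctx.user),
  AllNotes: (ctx) => {
    if (ctx.role !== "admin") throw new Error("Forbidden");
    return NOTES;
  },
};

// Hypothetical minimal dispatcher standing in for a real GraphQL executor.
function runQuery(field, ctx) {
  const known = Object.prototype.hasOwnProperty.call(resolvers, field);
  if (!known) return { errors: [{ message: `Cannot query field "${field}" on type "Query".` }] };
  try {
    const rows = resolver(field, ctx).map(({ id, title, completed }) => ({ id, title, completed }));
    return { data: { [field]: rows } };
  } catch (err) {
    return { errors: [{ message: err.message }] };
  }
}
const resolver = (field, ctx) => resolvers[field](ctx);

// Constructed sample of a validation error that carries field suggestions.
const SAMPLE_ERROR = {
  errors: [{ message: 'Cannot query field "Notes" on type "Query". Did you mean "Note", "MyNotes", or "AllNotes"?' }],
};

// Defense in depth: strip the suggestion hint before the response leaves the server,
// so a wrong field name no longer reveals valid ones. Authorization is still the real fix.
function maskSuggestions(response) {
  if (!Array.isArray(response.errors)) return response;
  const errors = response.errors.map((e) => ({
    ...e,
    message: String(e.message).replace(/\s*Did you mean .*\?$/s, ""),
  }));
  return { ...response, errors };
}

// Detection: flag logged responses that still carry a suggestion hint.
function leaksSchemaHint(response) {
  return (response.errors || []).some((e) => /Did you mean /.test(String(e.message)));
}
```

With the check in place, a normal user's `AllNotes` query returns `Forbidden` even if the field name is known, which is why hiding suggestions alone would not have protected the admin note.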
