Port 8202 hosts a web application with a single login form. When we tried to log in with random credentials, we observed that the form calls a GraphQL API to authenticate against the remote server.
With the following introspection payload we can dump the schema and take a look at it:
{__schema{types{name,fields{name, args{name,description,type{name, kind, ofType{name, kind}}}}}}}
Investigating the response, we found an object called userCreate.
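To review what an introspection response of this shape exposes on an API you maintain, the following added example (not part of the original write-up) walks the response and flags fields such as userCreate whose names suggest a state change, so their authorization can be checked. The sample response, its argument names and the name pattern are constructed assumptions, not the challenge's real schema.

```python
import re

# Constructed introspection response in the shape the query above returns.
# Type names and arguments are assumptions, not the challenge's real schema.
REQ = {"name": None, "kind": "NON_NULL", "ofType": {"name": "String", "kind": "SCALAR"}}
CREDS = [{"name": "username", "description": None, "type": REQ},
         {"name": "password", "description": None, "type": REQ}]
SAMPLE = {"data": {"__schema": {"types": [
    {"name": "Query", "fields": [{"name": "me", "args": []}]},
    {"name": "Mutation", "fields": [{"name": "login", "args": CREDS},
                                    {"name": "userCreate", "args": CREDS}]},
    {"name": "String", "fields": None},                      # scalars have no fields
    {"name": "__Type", "fields": [{"name": "name", "args": []}]},
]}}}

# Assumed heuristic: verbs that usually mean an account or data change.
SENSITIVE = re.compile(r"create|update|delete|register|reset", re.I)

def type_name(t):
    """Render a type reference, unwrapping the single ofType level the query asks for."""
    if t.get("name"):
        return t["name"]
    inner = t.get("ofType") or {}
    return f'{t.get("kind")}({inner.get("name") or "?"})'

def list_operations(resp):
    """Return (type, field, [args]) for every field of every non-meta type."""
    ops = []
    for t in resp["data"]["__schema"]["types"]:
        if t["name"].startswith("__"):        # skip introspection meta-types
            continue
        for f in t.get("fields") or []:       # fields is null for scalars and enums
            args = [f'{a["name"]}: {type_name(a["type"])}' for a in f.get("args") or []]
            ops.append((t["name"], f["name"], args))
    return ops

def flag_sensitive(ops):
    """Fields whose names suggest a state change, to check for missing authorization."""
    return [op for op in ops if SENSITIVE.search(op[1])]

if __name__ == "__main__":
    for t, f, args in flag_sensitive(list_operations(SAMPLE)):
        print(f"review authz: {t}.{f}({', '.join(args)})")
```

Any flagged field that is reachable without a session, as userCreate was here, needs an authorization check on the resolver; disabling introspection alone only hides the name.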
By modifying the original log-in payload into a new query, we created a new user called r1p with password 1234abcd.
The next step was to log in with said credentials and retrieve the flag.