I recently stumbled upon a very useful list of pentesting practice resources. Amongst them was Hackthebox. I have heard that name a couple of times recently and thought I’ll check it out. After reading a bit on their website I clicked the join button. Huh? Hack your way in? That certainly sounded interesting! I thought, “that will be easy for sure”. Oh boy, was I wrong. In this tutorial, I will show you how to get an Hackthebox Invite Code.

I have only a very little knowledge of Web Application Testing. I always neglected it a bit (until now). So to get an Hackthebox Invite Code actually turned out quite difficult for me, as I didn’t know Javascript or any Web Dev language really. What Hackthebox did for me by only trying to get an invite code was tremendous. It encouraged me to start learning Web Application Security. With that comes a lot of different things to learn like Programming languages, HTML, CSS, PHP and so on. Only their Invite process led me to a completely new and interesting path: Web Application Security.

But enough of that, that’s not what you’re here for.

READ THIS

No, really. Read this. I want to really encourage you to try this challenge by yourself. Make use of that thing sitting between your eyes. If you can’t solve a step on your own, don’t look up the solution immediately. Make a break, have a look at web app security basics. Look at it again tomorrow with a fresh mind.

I will write this tutorial in a fashion that gives you only Tips. You won’t find the solution here, I will just point you in the right direction. I feel like putting out the actual solution is defeating the purpose and it’s actually discouraged in the Hackthebox Ruleset, so I will follow.

If you are desperate for a solution, just go to another site, there are plenty providing it. If you really want to learn something, stick with me a little longer.

Step 1 / Tip 1 – Don’t Overthink

The first mistake I made was overthinking the process. I tried all kinds of different techniques that I know from my Information Gathering experience. That knowledge didn’t really include Web App Security, so I was struggling with how to get an Hackthebox invite code at first.

But as this is a Web Application, how high are the chances that you will find a hint hidden somewhere in the code on this simple invite page? You got that right, pretty damn high. If you use Firefox or Chrome for that matter and press F12, you will see a console popping up with all kinds of Web Development tools.

Doing this reveals the code on the invite page which looks like this:

I encourage you to go through all of the tabs and just get a feel for what you’re looking at here. Read the code a bit and maybe you recognize something that might be of interest. The Console Tab presents us with some solid advice:

Play with this a bit before heading to Step 2. Pay particular attention to the Inspector, Console, Debugger and Network tab.

Step 2 / Tip 2 – Dig Deeper

Now that you already have a direction set, maybe you already figured something out, looking at different tabs and the file names in the code. The Network tab logs action from the website. So, if you type anything in the invite code window and hit Sign Up, it will be shown there. I’d encourage you to have a short look at this.

If you have found any interesting looking file names in the code, you are on the right track.

Mini Spoiler 1 (No solution!) You should have a closer look at the Debugger Tab and more specifically a very interesting looking inviteapi.min.js

After you have that figured out I would encourage you to google what .min.js means in javascript files. Why is there a .min in front of the .js extension? Why does the code looks all scrambled? Research!

Mini Spoiler 2 (No solution!) .min means minified. The Javascript Code was minified to basically reduce web loading times. You find this a lot on modern Websites. You can use a website like https://beautifier.io/ to “unminify” code and reveal it’s real form.

Mini Spoiler 3 (No solution!) The un-minified Code looks like this: function verifyInviteCode(code) { var formData = { “code”: code }; $.ajax({ type: “POST”, dataType: “json”, data: formData, url: ‘/api/invite/verify’, success: function(response) { console.log(response) }, error: function(response) { console.log(response) } }) } function makeInviteCode() { $.ajax({ type: “POST”, dataType: “json”, url: ‘/api/invite/how/to/generate’, success: function(response) { console.log(response) }, error: function(response) { console.log(response) } }) }

Step 3 / Tip 3 – Looks like we got a trail!

Sherlock Holmes would be on fire right now.

If you made it this far on your own, great! You are on to something. Now I want you to figure out how to run java functions from your Chrome / Firefox Development console. Now to give a Tip on this without spoiling the solution will be a tough one. Really only look up the next spoiler if you are completely stuck and can’t figure out which code to run or how to run it within the console.

A hint is, you need to be on the Console Tab. Just start typing, something might pop up.

Mini Spoiler 4 (Hot Spoiler!) You want to run the makeInviteCode function in the Development Console. Learn how to run a function in the console yourself! Always keep parenthesis in mind!

Analyze the Code once you got this far. By now, if you have any prior pentesting experience, you should recognize which direction this is going.

Mini Spoiler 5 (No Solution!) There are two possible ways the encrypted key is presented to you. It’s either in BASE64 or in ROT13. Figure out how to decrypt this by yourself. It’s very easy.

Step 4 / Tip 4 – We are almost there

You are on the way to become a real hacker. After you have passed the challenge from Step 3, it’s time to look up the internet on how to make a POST request to a certain URL.

Put some effort in your search, it’s out there! Using Linux will help you to solve this step. Maybe hit up my Instagram Account and learn some Linux Basics!

Mini Spoiler 6 (No Solution!) There are probably other ways to solve this, maybe straight out of the console, but I personally have used my Linux knowledge. Making POST requests before, CURL came to mind. Read this: https://gist.github.com/subfuzion/08c5d85437d5d4f00e58 You’ll figure it out yourself. I believe in you.

You almost hold the Sword Excalibur in your hands. I mean, the invite code.

Step 5 / Tip 5 – How to get an Hackthebox invite code

If you have managed to solve Step 4, the solving of Step 5 should be an easy one for you! You are represented with another code. If you cheated your way through until here, shame on you apprentice Hacker! Where is your spirit?

Mini Spoiler 7 (No Solution!) Learn how to recognize Base64 encoded strings.

Conclusion

If you came that far, congratulations! You have earned yourself a medal. I mean, you learned how to get an Hackthebox invite code! For me personally, it was an awesome challenge and opened my eyes a bit. It also showed me where I’m lacking. I learned how to Brute Force Web Login Forms with Burpsuite. Yea, I tried that out of desperation. But at the same time, earned another valuable skill.

Those challenges are really made the way they are so that you practice your research skills, test and fail. And fail you will, often, all the time. Hacking is about failing. We constantly fail. But eventually, we pick up a new skill along the way that will help us in another scenario some day later.

Did you come on the solution yourself? Where did you get stuck? Let me know in the comments below!

Happy Hacking!

Please Share! Email

Facebook

Reddit

Twitter

Pinterest

More

LinkedIn

