HackTheBox - Getting an Invite
I recently stumbled upon the snowscan.io blog and was absolutely blown away by the writeups. The exploits used varied so widely in attack vector and ingenuity that I became engrossed in the hackthebox community. After reading several blogs from the community's top-ranked 'players', I decided to give it a go myself.
Casing the Joint
Upon loading https://www.hackthebox.eu/invite I was elated to see a message every tinkerer dreams of.
Feel free to hack your way in :)
At first, I wasted a lot of time checking the invite code validation. I assumed that they had purposefully left holes in the validation process. This is almost always my first check on a website blocking me from some page or content, and in most cases it's implemented awfully (especially with email forms). Because they are encouraging people to break in, though, I wasn't sure how they would implement code validation. In most cases it's tied to a preexisting user with a referral code that is added to a database of valid codes and referring users.
While trying to ascertain the invite code string length I realized I was barking up the wrong tree entirely.
A Scavenger Hunt NOT a Hack
When inspecting the page you'll see a JS file at
/js/inviteapi.min.js
If you drop that URL into your browser you get a minified file that reads
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}',24,24,'response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify'.split('|'),0,{}))
You would never want a function like makeInviteCode() available anywhere without at least logging in. Furthermore, the file is wrapped in the familiar eval(function(p,a,c,k,e,d){...}) JavaScript packer, which was immediately suspicious: packing is not protection, it only hides the function names and API paths from a casual glance, and the eval() hands the real source straight back to anyone who asks for it.
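Rather than letting the page eval() that blob, the safe habit is to run the packer's own unpacking logic but return the string instead of executing it. Below is an added example of that, written for this page and not taken from the original post or from HackTheBox: the packed source is the file shown above (embedded here as a constructed string), the parsePackerArgs(), unpack() and listEndpoints() helpers are mine, and unpack() only handles the radix-36-or-less variant of the p,a,c,k,e,d packer, which is what this file uses.

```javascript
// Added example (not from the original post or HackTheBox): unpack the
// eval(function(p,a,c,k,e,d){...}) blob served as /js/inviteapi.min.js
// without executing it, then pull out the API URLs it talks to.

// The packed file exactly as served (copied from the post). String.raw keeps
// the backslash escapes inside the blob intact.
const PACKED = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}',24,24,'response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify'.split('|'),0,{}))`;

// Pull the packer arguments out of the trailing call:
//   }('<p>',<a>,<c>,'<k words>'.split('|'),0,{}))
// p is the template with every identifier replaced by a base-a token,
// a is the radix, c the number of tokens, k the word list.
function parsePackerArgs(source) {
  const m = source.match(
    /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\),\d+,\{\}\)\)/
  );
  if (!m) throw new Error('not p,a,c,k,e,d packer output');
  return {
    p: m[1].replace(/\\(.)/g, '$1'), // undo the JS string-literal escapes (\' etc.)
    a: Number(m[2]),
    c: Number(m[3]),
    k: m[4].split('|'),
  };
}

// The same substitution the packer performs at runtime, minus the eval().
// Only the radix <= 36 variant is handled (token i is i.toString(a)); the
// packer's high-radix encoder is not needed for this file.
function unpack(source) {
  const { p, a, c, k } = parsePackerArgs(source);
  if (a > 36) throw new Error('high-radix packer variant not supported here');
  const dict = Object.create(null);
  for (let i = 0; i < c; i++) {
    dict[i.toString(a)] = k[i] || i.toString(a); // empty slot => token stays as-is
  }
  return p.replace(/\b\w+\b/g, (tok) => (tok in dict ? dict[tok] : tok));
}

// Every url:'...' literal in the unpacked source, in order of appearance.
function listEndpoints(js) {
  return [...js.matchAll(/url:'([^']*)'/g)].map((m) => m[1]);
}

// Stand-alone run: print the de-obfuscated source and the endpoints.
const unpacked = unpack(PACKED);
console.log(unpacked);
console.log(listEndpoints(unpacked));
```

Running this prints two plain jQuery functions, verifyInviteCode() posting to /api/invite/verify and makeInviteCode() posting to /api/invite/how/to/generate, which is exactly what the console call in the next step exercises.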
If you pop open your console and call makeInviteCode(), you will get one of two encoded strings as output.
"Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/vaivgr/trarengr"
or
"SW4gb3JkZXIgdG8gZ2VuZXJhdGUgdGhlIGludml0ZSBjb2RlLCBtYWtlIGEgUE9TVCByZXF1ZXN0IHRvIC9hcGkvaW52aXRlL2dlbmVyYXRl"
These are encoded with ROT13 and Base64, respectively. Both messages decode to
In order to generate the invite code, make a POST request to /api/invite/generate
From here it's pretty obvious that we aren't breaking in, just following a carefully laid trail of breadcrumbs. It's important to note that this is not a GET request but a POST, so simply loading the URL in the address bar won't do. The fastest way to do this is to pull up a terminal and use curl.
curl -XPOST https://www.hackthebox.eu/api/invite/generate
Which should yield something like
{"success":1,"data":{"code":"T0pDSkwtQlpSUUotUUpHRkUtVVFHRVItTFpHR0M=","format":"encoded"},"0":200}
From here we have a code in an encoded format. The "format":"encoded" field and the trailing = padding are the giveaway: like the second makeInviteCode() hint, it is Base64. Drop this into your decoder of choice and you'll get a code that looks like this.
OJCJL-BZRQJ-QJGFE-UQGER-LZGGC
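For the record, here is the whole decode step in one place: an added example, written for this page rather than taken from the original post or HackTheBox. The two hint strings and the JSON response are the ones shown above (embedded here as constructed sample input); decodeHint()'s Base64-versus-ROT13 detection is a heuristic of mine, and decodeInviteResponse() assumes that any format other than "encoded" means the code is already plaintext, which the post does not confirm.

```javascript
// Added example (not from the original post or HackTheBox): decode the
// breadcrumbs the invite page hands out. Sample inputs below are copied from
// the post; the detection heuristic and the response handling are mine.

// The two outputs seen from makeInviteCode() (copied from the post).
const ROT13_HINT = 'Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/vaivgr/trarengr';
const B64_HINT = 'SW4gb3JkZXIgdG8gZ2VuZXJhdGUgdGhlIGludml0ZSBjb2RlLCBtYWtlIGEgUE9TVCByZXF1ZXN0IHRvIC9hcGkvaW52aXRlL2dlbmVyYXRl';

// The body returned by POST /api/invite/generate (copied from the post).
const SAMPLE_RESPONSE = '{"success":1,"data":{"code":"T0pDSkwtQlpSUUotUUpHRkUtVVFHRVItTFpHR0M=","format":"encoded"},"0":200}';

// ROT13 is its own inverse: shift every ASCII letter by 13, leave the rest.
function rot13(s) {
  return s.replace(/[A-Za-z]/g, (ch) => {
    const base = ch <= 'Z' ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

function base64Decode(s) {
  return Buffer.from(s, 'base64').toString('utf8');
}

// Heuristic (mine): a string made only of the Base64 alphabet, whose length
// is a multiple of 4 and which decodes to printable ASCII and re-encodes to
// itself, is Base64. Anything else (the spaces, comma and slashes in the
// ROT13 hint already fail the alphabet test) is treated as ROT13.
function decodeHint(s) {
  if (/^[A-Za-z0-9+\/]+={0,2}$/.test(s) && s.length % 4 === 0) {
    const plain = base64Decode(s);
    if (/^[\x20-\x7e]+$/.test(plain) && Buffer.from(plain, 'utf8').toString('base64') === s) {
      return { encoding: 'base64', plain };
    }
  }
  return { encoding: 'rot13', plain: rot13(s) };
}

// Pull the invite code out of the /api/invite/generate response. "format"
// says how to read "code"; the post only shows "encoded" (Base64), so any
// other value is assumed (by me) to mean the code is already plaintext.
function decodeInviteResponse(json) {
  const body = JSON.parse(json);
  if (body.success !== 1 || !body.data || typeof body.data.code !== 'string') {
    throw new Error('invite generation did not succeed: ' + json);
  }
  const { code, format } = body.data;
  return format === 'encoded' ? base64Decode(code) : code;
}

// Stand-alone run over the constructed samples.
for (const hint of [ROT13_HINT, B64_HINT]) {
  const { encoding, plain } = decodeHint(hint);
  console.log(`${encoding}: ${plain}`);
}
console.log('invite code:', decodeInviteResponse(SAMPLE_RESPONSE));
```

Both hints come out as the same sentence, and the response decodes to the OJCJL-... code above; a response without "success":1 is rejected rather than decoded blindly.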
Welcome to hackthebox.eu, you got yourself an invite.
Happy Hacking :)