HackTheBox - Getting an Invite

I recently stumbled on the snowscan.io blog and was absolutely blown away with the writeups. The exploits used varied so widely in attack vectors and ingenuity that I became engrossed in the hackthebox community. After reading several blogs from the community’s top-ranked ‘players’, I decided to give it a go myself.

Casing the Joint

Upon loading https://www.hackthebox.eu/invite I was elated to see a message every tinkerer dreams of.

Feel free to hack your way in :)

At first, I wasted a lot of time checking the invite code validation. I assumed that they purposefully left holes in the validation process. This is almost always my first check on a website blocking me from some page or content, and in most cases, it’s implemented awfully (especially with email forms). Because they are encouraging people to break in though, I wasn’t sure how they would implement code validation. In most cases, it’s tied to a preexisting user with a referral code that is added to a database of valid codes and referring users.

While trying to ascertain the invite code string length I realized I was barking up the wrong tree entirely.

A Scavenger Hunt NOT a Hack

In inspecting the page you’ll see a js file that reads

    /js/inviteapi.min.js

If you drop that url into your browser you get a min.js file that reads

    eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}',24,24,'response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify'.split('|'),0,{}))

You would never want to have a function like makeInviteCode() available anywhere without at least logging in. Furthermore, this file has a bunch of junk in it which was immediately suspicious.

If you pop open your console and just ask for a makeInviteCode() you will get one of two encoded data strings as an output.

    "Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/vaivgr/trarengr"

or

    "SW4gb3JkZXIgdG8gZ2VuZXJhdGUgdGhlIGludml0ZSBjb2RlLCBtYWtlIGEgUE9TVCByZXF1ZXN0IHRvIC9hcGkvaW52aXRlL2dlbmVyYXRl"

These are encoded with a ROT13 cipher and a Base64 encoding respectively. Both messages decode to

In order to generate the invite code, make a POST request to /api/invite/generate
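The packed file and both hint strings can be read without ever letting the script's eval() run. The sketch below is an added example, not part of the original post or HackTheBox's own code; the function names are made up for illustration, and the unpacker assumes a radix of 36 or less, which is what this file uses.

```javascript
// Payload and keyword table copied from the /js/inviteapi.min.js text quoted above.
const PACKED = '1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}';
const KEYWORDS = 'response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify'.split('|');

// Statically expand a p,a,c,k,e,d payload instead of letting eval() execute it.
// Assumption: radix <= 36, so token i is simply i.toString(radix), as in this file.
function unpack(payload, radix, count, keywords) {
  if (radix > 36) throw new RangeError('token alphabet for radix > 36 is not handled');
  const dict = new Map(); // Map, not {}: a payload word like "constructor" must not resolve via a prototype
  for (let i = 0; i < count; i++) {
    const token = i.toString(radix);
    dict.set(token, keywords[i] || token); // empty keyword: the token stands for itself
  }
  return payload.replace(/\b\w+\b/g, (w) => (dict.has(w) ? dict.get(w) : w));
}

// Collect quoted string literals that look like URL paths, to see which
// routes the client-side code gives away.
function listPaths(source) {
  return Array.from(source.matchAll(/(['"])(\/[^'"]+)\1/g), (m) => m[2]);
}

// ROT13 touches letters only; digits, spaces and slashes pass through.
function rot13(text) {
  return text.replace(/[a-z]/gi, (ch) => {
    const base = ch <= 'Z' ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// atob exists in browsers and recent Node; Buffer is the fallback for older Node.
function fromBase64(text) {
  return typeof atob === 'function' ? atob(text) : Buffer.from(text, 'base64').toString('latin1');
}

const source = unpack(PACKED, 24, 24, KEYWORDS);
console.log(source);            // readable verifyInviteCode() and makeInviteCode()
console.log(listPaths(source)); // the API routes referenced by the file
console.log(rot13('Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/vaivgr/trarengr'));
console.log(fromBase64('SW4gb3JkZXIgdG8gZ2VuZXJhdGUgdGhlIGludml0ZSBjb2RlLCBtYWtlIGEgUE9TVCByZXF1ZXN0IHRvIC9hcGkvaW52aXRlL2dlbmVyYXRl'));
```

Running the same listPaths() check over your own minified bundles is a quick way to see which routes they reveal to an unauthenticated visitor.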

From here it’s pretty obvious that we aren’t breaking in, just following a carefully laid trail of breadcrumbs. It’s important to note that this is not a GET request but a POST. The fastest way to do this is to pull up a terminal and use curl.

    curl -XPOST https://www.hackthebox.eu/api/invite/generate

Which should yield something like

    {"success":1,"data":{"code":"T0pDSkwtQlpSUUotUUpHRkUtVVFHRVItTFpHR0M=","format":"encoded"},"0":200}

From here we have a code in an encoded format. This looks similar to our makeInviteCode() because it’s encoded with Base64 also. Drop this into your decoder of choice and you’ll get a code that looks like this.

OJCJL-BZRQJ-QJGFE-UQGER-LZGGC

Welcome to hackthebox.io, you got yourself an invite.

Happy Hacking :)

Justin Timperio
Researcher and Freelance Dev

Justin is a freelance developer and private researcher.