HackTheBox INVITE CODE WRITEUP

Hey all and welcome back (for returning readers)! This is my second writeup. I did the challenge discussed in this post prior to the PwCTF, which allowed me to notice some amazing similarities between the two. I hope you’re able to spot them.

HackTheBox – https://www.hackthebox.eu/ is a site that has various labs/boxes/problems at different levels, which you can complete at your own pace. To create an account for HTB, you first need to find an invite code. I’ll be discussing in this post how you can achieve that. As for what I used to do this: Windows laptop and Firefox browser.

Let’s get straight into it! Firstly, if you scroll down the site of HTB, you can see there is a section that has a button called “Join HTB“. Clicking on that button greets you with this page:

Screen Shot 2018-02-02 at 7.54.14 pm

The phrase “Feel free to hack your way in :)” is an immediate indication that we have to do some work to get the code. The instant reaction is to look at the source code, which you can do by opening up the Web Developer option and clicking on Debugger (or Ctrl+Shift+S).

Looking at the main source code, we can see that there is a token value that appears:

HTB_OriginalToken

You can then try put that into the Invite Code field and click Sign Up. However, you can see then that this not the right value that you are looking for, and must continue your search for the correct invite code.

The next step would be to look at the other code files of the website. There is one file that stands out, which is the inviteapi.min.js file:

HTB_jsFiles

You can then take that code and paste it into a code beautifier, I used http://jsbeautifier.org/, to make it more readable. Upon doing this, you get the following:

HTB_OnlinejsBeautify

You can see that the second function gives us our hint. You now need to do generate a POST request to https://www.hackthebox.eu/api/invite/how/to/generate/. This can be done in various ways, but the method that I used was to download a Firefox extension called RESTClient. Once you have sent the request, your response should look a little something like this:

{"success":1,"data":{"data":"Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb \/ncv\/vaivgr\/trarengr","enctype":"ROT13"},"0":200}

Now, you must do a ROT13 (which is a cipher) conversion, this can be done online or using your preferred programming language. Once completed, you get the following message:

In order to generate the invite code, make a POST request to \/api\/invite\/generate

Use the above mentioned RESTClient to send your POST request to https://www.hackthebox.eu/api/invite/generate/. Upon submitting the request, your response should be similar to this:

{"success":1,"data":{"code":"UlZCUVItTUdQSlotSkxQTUktRkVZUUUtSkJGRFE=","format":"encoded"},"0":200}

Looking at the code provided, you can see that it is in a very familiar format. It’s the Base64 encoding mechanism. So you now know that you need to Base64 decode in order to get your code. The decoding can be done online on various websites, or you may choose to use your preferred programming language.

After decoding the code, your output should look like:

RVBQR-MGPJZ-JLPMI-FEYQE-JBFDQ

Now go ahead and put that into the Invite Code field, and you should be good to sign up!

I hope you enjoyed this writeup and it was valuable for you. If so, please feel free to leave feedback or click here to get in touch with me via alternative methods.

Thank you and happy hacking!

Leave a Reply