HackTheBox is a great platform to sharpen your penetration testing skills, especially if you are just taking your first steps in this area.
After clicking the link you will get this form:
But what is the invitation code? Good question.
This is a small test to check that you have the curiosity and passion to be a penetration tester. You will need to find it yourself, as they wrote: “Feel free to hack your way in :)”.
Each participant will receive one of two challenges and we will cover both of them.
Before you look at the solutions, I recommend that you try to solve it by yourself as much as you can. Give it a couple of days if needed, and try to think about where the code could be found with the tools you have.
Hacking the way in
The intuitive thing to do is to type some code like “123” and see the error:
Inspecting the box will show that there is a hidden value:
It looks like a code. Great, but when we enter this code, 01tAnX4VFMfSd6q24be6sKPgPoSKKl5eJmk9Xqo8, into the “Invite Code” field, we still get the same error.
It isn’t very readable, but there seem to be some functions:
One interesting function is
After we ran this function we received a base64 string; decoding it (using atob(..)) gave us a hint about what to do next:
In order to generate the invite code, make a POST request to /api/invite/generate
We will use a simple Ajax method to do it. We received the code in base64, and after decoding it we received the code itself:
After entering this code we will receive a congratulations message.
Like in challenge #1 we will run the makeInviteCode() function, but this time we will receive text encoded with ROT13:
We will use this website to decode it:
We will continue like we did in challenge #1:
In both challenge #1 and #2 we received the final code; after entering it we will get this message:
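The two hint encodings met in challenge #1 (base64) and challenge #2 (ROT13) can be decoded with one small function instead of a website. This is an added example, not code from the original post or from HackTheBox; the `{ data, enctype }` object shape, the `enctype` labels and the sample inputs are assumptions constructed here.

```javascript
// Added example. The { data, enctype } shape and its labels are assumptions;
// the page only says the hint arrives as base64 or as ROT13 text.

// ROT13 rotates each ASCII letter 13 places, so applying it twice restores the text.
function rot13(text) {
  return text.replace(/[a-z]/gi, (ch) => {
    const base = ch <= 'Z' ? 65 : 97; // 'A' or 'a'
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Strict shape check: atob() tolerates some malformed input, so validate first.
function isBase64(text) {
  return text.length > 0 && text.length % 4 === 0 &&
    /^[A-Za-z0-9+/]*={0,2}$/.test(text);
}

function decodeBase64(text) {
  if (!isBase64(text)) throw new Error('not valid base64');
  return atob(text);
}

// Decode a hint, using the label when present and a heuristic otherwise.
function decodeHint(hint) {
  const enctype = (hint.enctype || '').toUpperCase();
  if (enctype === 'BASE64') return decodeBase64(hint.data);
  if (enctype === 'ROT13') return rot13(hint.data);
  // No label: accept base64 only if it decodes to printable ASCII.
  if (isBase64(hint.data)) {
    const decoded = atob(hint.data);
    if (/^[\x20-\x7e]+$/.test(decoded)) return decoded;
  }
  return rot13(hint.data);
}

// Constructed samples: the hint sentence quoted above, encoded both ways.
const HINT = 'In order to generate the invite code, ' +
  'make a POST request to /api/invite/generate';
const samples = [
  { data: btoa(HINT), enctype: 'BASE64' },
  { data: rot13(HINT), enctype: 'ROT13' },
];
for (const s of samples) console.log(s.enctype, '->', decodeHint(s));
```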