Hack The Box: How to get the invite code

Eviatar Gerzi
Sep 4, 2019

HackTheBox is a great platform for sharpening your penetration testing skills, especially if you are just taking your first steps in this area.

After you enter the website, you choose one of two options: “INDIVIDUALS” or “COMPANIES & UNIVERSITIES”. Both redirect you to a page that has a link to join at the bottom.

Invitation Link

After pressing on the link you will get this form:

But what is the invitation code? Good question.

This is a small test to check that you have the curiosity and passion to be a penetration tester. You will need to find it yourself, as they wrote: “Feel free to hack your way in :)”.

Each participant will receive one of two challenges and we will cover both of them.

Before you look at the solutions, I recommend trying to solve it by yourself as much as you can. Give it a couple of days if needed, and think about where the code could be found with the tools you have.

Challenge #1

Hacking the way in

The intuitive thing to do is to type some code like “123” and see the error:

Nothing special..

Inspecting the box will show that there is a hidden value:

It looks like a code, great. But when we enter this code, 01tAnX4VFMfSd6q24be6sKPgPoSKKl5eJmk9Xqo8, into the “Invite Code” field, we still get the same error.

Digging more

In the “sources” tab of the developer tools, we can see an interesting JavaScript file (“inviteapi.min.js”):

It isn’t very readable, but there seem to be some functions:

One interesting function is makeInviteCode:

After running this function we receive a base64 string; decoding it (using atob(..)) gives a hint about what to do next:

In order to generate the invite code, make a POST request to /api/invite/generate

We will use a simple Ajax method to do it. We receive the code in base64, and after decoding it we get the code itself:

After entering this code we will receive a congratulations message.

Challenge #2

Like in challenge #1, we will run the makeInviteCode() function, but this time we will receive text encoded with ROT13:

We will use this website to decode it:

We will continue as we did in challenge #1:

In both challenge #1 and #2 we end up with the final code; after entering it we get the congratulations message.
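The decoding step shared by both challenges, as an added example that is not part of the original post: one helper that decodes the makeInviteCode() hint whether it arrives as base64 or ROT13. The `data` and `enctype` field names are assumptions about the response shape, and the sample values are constructed from the hint text quoted above.

```javascript
// Added example: decode the hint returned by makeInviteCode().
// Assumption: the response carries { data, enctype }; the page does not show the exact shape.

// ROT13: rotate A-Z and a-z by 13 places, leave every other character untouched.
function rot13(text) {
  return text.replace(/[A-Za-z]/g, (ch) => {
    const base = ch <= 'Z' ? 65 : 97; // char code of 'A' or 'a'
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Base64: atob() in the browser console (as in the article), Buffer as a Node fallback.
function fromBase64(text) {
  if (text.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(text)) {
    throw new Error('not valid base64');
  }
  return typeof atob === 'function'
    ? atob(text)
    : Buffer.from(text, 'base64').toString('latin1');
}

// Pick the decoder from the encoding type the server announces.
function decodeHint(response) {
  const { data, enctype } = response || {};
  if (typeof data !== 'string' || typeof enctype !== 'string') {
    throw new TypeError('expected { data: string, enctype: string }');
  }
  switch (enctype.toUpperCase()) {
    case 'BASE64': return fromBase64(data);
    case 'ROT13': return rot13(data);
    default: throw new Error(`unsupported enctype: ${enctype}`);
  }
}

// Constructed samples: the hint quoted in the article, encoded both ways.
const SAMPLE_BASE64 = {
  enctype: 'BASE64',
  data: 'SW4gb3JkZXIgdG8gZ2VuZXJhdGUgdGhlIGludml0ZSBjb2RlLCBtYWtlIGEgUE9TVCByZXF1ZXN0IHRvIC9hcGkvaW52aXRlL2dlbmVyYXRl',
};
const SAMPLE_ROT13 = {
  enctype: 'ROT13',
  data: 'Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/vaivgr/trarengr',
};

console.log(decodeHint(SAMPLE_BASE64));
console.log(decodeHint(SAMPLE_ROT13));
```

Both samples decode to the same hint, which shows that the two challenge variants differ only in the encoding and that neither encoding hides anything from someone reading the client-side script.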

Written by Eviatar Gerzi

Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)