Hack The Box: How to get the invite code

HackTheBox is a great platform to sharpen your penetration testing skills, especially if you are just taking your first steps in this area.

After you enter the website, you choose one of two options: “INDIVIDUALS” or “COMPANIES & UNIVERSITIES”. Both redirect you to a page that has a link to join at the bottom.

Invitation Link

After clicking the link you will get this form:

But what is the invitation code? Good question.

This is a small test to check that you have the curiosity and passion to be a penetration tester. You will need to find it yourself, as they wrote: “Feel free to hack your way in :)”.

Each participant will receive one of two challenges and we will cover both of them.

Before you look at the solutions, I recommend that you try to solve it by yourself as much as you can. Give it a couple of days if needed, and try to think about where the code could be and how to find it with the tools you have.

Challenge #1

Hacking the way in

The intuitive thing to do is to type some code like “123” and see the error:

Nothing special.

Inspecting the box will show that there is a hidden value:

It looks like a code, which is great, but when we enter this code (01tAnX4VFMfSd6q24be6sKPgPoSKKl5eJmk9Xqo8) into the “Invite Code” field, we still get the same error.

Digging more

In the “sources” tab of the developer tools, we can see an interesting JavaScript file (“inviteapi.min.js”):

It is not very readable, but there seem to be some functions:

One interesting function is makeInviteCode:

After running this function we received a base64 string. Decoding it (using atob(..)) gave us a hint about what to do next:

In order to generate the invite code, make a POST request to /api/invite/generate

We will use a simple Ajax method to do it. The response contained the code in base64, and after decoding it we had the code itself:

After entering this code we will receive a congratulations message.

Challenge #2

As in challenge #1, we will run the makeInviteCode() function, but this time we will receive text encoded with ROT13:

We will use this website to decode it:

We will continue like we did in challenge #1:

In both challenge #1 and #2 we received the final code. After entering it we will get this message:

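The two decoding steps above (atob(..) in challenge #1, a ROT13 website in challenge #2) can be done locally with one helper. This is an added example, not code from the original post or from Hack The Box: the `{ data, enctype }` response shape, the label values and the function names are assumptions, and the sample inputs are constructed from the hint sentence quoted above.

```javascript
// Added example, not Hack The Box code. Assumption: the hint arrives as
// { data, enctype }, with enctype "BASE64" or "ROT13" (labels are hypothetical).

// ROT13 rotates each ASCII letter 13 places and is its own inverse.
function rot13(text) {
  return text.replace(/[A-Za-z]/g, (ch) => {
    const base = ch <= "Z" ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// atob() is what the post uses in the browser console; Buffer covers Node.
function base64Decode(text) {
  return typeof atob === "function"
    ? atob(text)
    : Buffer.from(text, "base64").toString("latin1");
}

function looksLikeBase64(text) {
  return text.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(text);
}

function isPrintable(text) {
  return /^[\x20-\x7e\r\n\t]*$/.test(text);
}

function decodeHint({ data, enctype }) {
  const label = (enctype || "").toUpperCase();
  if (label === "BASE64") return base64Decode(data);
  if (label === "ROT13") return rot13(data);
  // No usable label: a hint sentence contains spaces, Base64 text never does.
  // Heuristic only; a short ROT13 word can still look like Base64.
  if (looksLikeBase64(data)) {
    const decoded = base64Decode(data);
    if (isPrintable(decoded)) return decoded;
  }
  return rot13(data);
}

// Constructed samples built from the hint sentence quoted in the post.
// (Buffer is Node-only; use btoa() to build the sample in a browser.)
const HINT =
  "In order to generate the invite code, make a POST request to /api/invite/generate";
const samples = [
  { data: Buffer.from(HINT).toString("base64"), enctype: "BASE64" },
  { data: rot13(HINT), enctype: "ROT13" },
  { data: rot13(HINT) }, // label missing, falls through to the heuristic
];
for (const s of samples) console.log(decodeHint(s));
```

Decoding locally also avoids pasting challenge output into a third-party website.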

Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)
