There are some really cool IT-Security training platforms on the net, where you can practice and train your skills. Today I’ll introduce one of this amazing platforms called «Hack The Box«. If you want to join, you can’t just sign up, you need to solve a challenge first, before they let you in. If this is a spoiler for you, then please stop and try to hack your way in first before continue with reading 😎
Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field. Click below to hack our invite challenge, then get started on one of our many live machines or challenges.
I don’t have much experience yet in breaking web applications, but I remember back on a time where broadband internet connections were far away and I had to dial in with a 56k modem to access and explore the internet. I’ve discovered some sites like this one where you had to find a way to bypass a password prompt. If you’ve solved one you did enter the next level and every new level got more difficult. Those challenges caught my attention and I had really fun to solve some of them…
Back to the invite challenge, everything starts with analyzing the source code. Browsers like firefox and chrome bring some tools by default which helps to analyze the source code of a webpage.
There is an embedded script called «inviteapi.min.js» which looks interessting.
I switch over to the console window and try to activate the function «makeInviteCode»
We get an encrypted text back and a hint that it is the ROT13 chiffre.
So let’s decode that phrase:
That’s interessting. The decoded message is «In order to generate the invite code, make a POST request to /api/invite/generate
For me it took a litle while to figure out how to do that, but I could solve it, by fire up a linux terminal and use curl to send that POST request.
curl -XPOST https://www.hackthebox.eu/api/invite/generate
OK, it looks like that I get a base64 encoded string back. Let’s decode that also
Yeah and finaly it looks like the code I need 🙂