Writeup: Hack The Box invite challenge

Hack The Box is an online CTF website where you can try to solve challenges and play with the machines available there.

[P.S: I deadass did not link y'all to my HTB profile in a blog doing exactly just that so my name in HTB is FINX]



There are a lot of online CTF websites that you can enter and solve questions on; here's the sauce:

https://fareedfauzi.gitbook.io/ctf-checklist-for-beginner/

But the difference between Hack The Box and the rest (to my knowledge) is that Hack The Box is the only website where you need to pass a certain challenge to sign up.

This specific challenge was told to me by my uni lecturer on my first day at uni (subject registration day) and yes, that's my unofficial starting point of being curious about CTF stuff.

So, for this post, as the title suggests, I will write a writeup on my take on solving this challenge.

You can try the challenge here: https://www.hackthebox.eu/invite

The interface


As you can see here, our flag is the invite code. You can't recycle an old invite code, so you need to hack your way through to get em'.

What if we press the hint button?


You can only check the console by inspecting the website, so press Ctrl + Shift + I, or just right-click and choose Inspect.

You will get this:

Let us go to the source tab. You'll see a file called invite, so open it. You'll get this:


That is just an HTML file. So, not really helpful. 

So, let us try opening inviteapi.min.js. We'll get this:

Ok, there's a comment there. //This javascript code looks strange....is it obfuscated???
This suggests that we have to deobfuscate the javascript code.

Obfuscated here means:

The result of deobfuscated javascript code is:


According to this website, we need to make a POST request on /api/invite/how/to/generate to get the invite code.

There are multiple ways for you to make a POST request, but I will make the request via the Kali Linux distro that I have in VMware, using this specific command:

curl -XPOST https://www.hackthebox.eu/api/invite/how/to/generate

Here's the output:

So, as you can see, we have some type of data encoded in Base64.

We need to decode it first.

We'll get:

We need to repeat the process, this time using https://www.hackthebox.eu/api/invite/generate

And again we need to decode the data.
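The decode step used after both requests above, as an added example (not part of the original post and not HTB's code): it walks a JSON response and decodes every string field that is canonical Base64 and yields printable text, with no key involved. The response shape and the field names result, payload and note are constructed, since the real output is not reproduced on this page; it runs under Node.js.

```javascript
// Added example: find and decode Base64 text fields in a JSON API response.
// The sample body is constructed; it is not real Hack The Box output.

// True when s is canonical Base64: valid alphabet, valid padding, exact round trip.
function isCanonicalBase64(s) {
  if (s.length < 8 || s.length % 4 !== 0) return false;
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(s)) return false;
  return Buffer.from(s, "base64").toString("base64") === s;
}

// True when the text is only printable ASCII plus tab, CR and LF.
// This filters out ordinary words that merely happen to fit the Base64 alphabet.
function isPrintable(text) {
  return /^[\x20-\x7e\t\r\n]+$/.test(text);
}

// Walk any JSON value and return [{ path, decoded }] for each Base64 text field.
function decodeBase64Fields(value, path = "$") {
  if (typeof value === "string") {
    if (!isCanonicalBase64(value)) return [];
    const decoded = Buffer.from(value, "base64").toString("utf8");
    return isPrintable(decoded) ? [{ path, decoded }] : [];
  }
  if (value === null || typeof value !== "object") return [];
  return Object.entries(value).flatMap(([key, child]) =>
    decodeBase64Fields(child, Array.isArray(value) ? `${path}[${key}]` : `${path}.${key}`)
  );
}

// Constructed stand-in for a response body (hypothetical field names).
const sampleBody = JSON.stringify({
  status: "ok",
  result: {
    payload: Buffer.from("constructed hint: POST to the next endpoint").toString("base64"),
    note: "plain text",
  },
});

// Parse the sample body and decode whatever Base64 fields it carries.
function demo() {
  return decodeBase64Fields(JSON.parse(sampleBody));
}

console.log(demo());
```

Saving the curl output to a file and passing its parsed contents to decodeBase64Fields works the same way for either endpoint.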

We've got some sort of code here. Let us test it on the actual HTB website.


After I put in the code, it shows this specific page where you can enter your details (email and such).



Yea, welcome to Hack The Box

Looking forward to seeing ya' there :)






















