
Hack The Box - Invite Challenge

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated. Some of them simulate real-world scenarios and some of them lean more towards a CTF style of challenge. As an individual, you can complete a simple challenge to prove your skills and then create an account, allowing you to connect to our private network (HTB Labs) where several machines wait for you to hack them. By hacking machines you get points that help you advance in the Hall of Fame.

I have started to solve the challenges one by one.

Website link: https://www.hackthebox.eu

To take the challenges you must register on the website to access their network. But to register you first need to complete a challenge; only then can you register. I know, right :) So to register yourself you have to complete the first challenge, which is to hack the invite registration procedure.
The challenge is available at https://www.hackthebox.eu/invite. So let's start.


HACK THE INVITE CHALLENGE:

The first page that shows up is a black-themed page which asks for an invite code, which we obviously do not have. So I started digging through the code for any hint, using the inspect element option that the Google Chrome browser provides by default. The URL of a JavaScript file named inviteapi.min.js can be seen in a script tag.

URL seen by inspect element
Opening this file presents a short function in which operations are performed. There I spotted the name makeInviteCode, which is probably included in the main invite page. So I opened a console tab in the browser on the main page and typed makeInviteCode. The console suggested a function named makeInviteCode(). Running it returned a JSON object.


This object contains the following fields:
1. data
2. enctype

data contains an arbitrary string, and the enctype field describes which algorithm it is encrypted with; it says "BASE64".

NOTE: It is worth mentioning here that Base64 is an encoding technique, not an encryption technique.

So I copied the string and used the built-in Linux tool to decode it with this command:

    echo "<arbitrary-string>" | base64 -d

which decoded to the following string:

    "In order to generate the invite code, make a POST request to /api/invite/generate"

So now we know that sending a POST request to /api/invite/generate will generate the invite code for us. A POST request can be seen in the code on the Sign Up button. By modifying the URL in the action field we can in fact send a POST request to that URL. So, after changing the URL to https://www.hackthebox.eu/api/invite/generate in the browser, I hit the Sign Up button on the web page. It presented a pop-up saying that I need to enter something in the text field. Entering garbage data and trying again opened a page with a JSON object with two fields:

1. Code
2. Format

The code field contains the data in Base64.

NOTE: There is a very high chance that a string ending with an "=" character is encoded with Base64.

So I again decoded it with Base64, which yielded a string separated with 4 dashes that looks like a licence key/code. I tried this code by putting it in the invite code text field on the main page, which accepted the code and opened a registration form. This indicates that the challenge has been completed, as we have successfully "HACKED" the invite procedure.
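
The decoding step from this walkthrough and the two NOTEs above, as an added Node.js example that is not part of the original post: it decodes a {data, enctype} object without any key and shows that "=" padding depends only on input length. The sample object is constructed from the instruction string quoted above, and the function names are assumptions.

```javascript
// Added example. SAMPLE is constructed here, not captured from the site.
const INSTRUCTION =
  "In order to generate the invite code, make a POST request to /api/invite/generate";
const SAMPLE = {
  data: Buffer.from(INSTRUCTION, "utf8").toString("base64"),
  enctype: "BASE64",
};

// Canonical Base64: groups of four alphabet characters, padding only at the end.
const STRICT_B64 =
  /^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?$/;

function isStrictBase64(s) {
  return typeof s === "string" && s.length > 0 && STRICT_B64.test(s);
}

// "=" padding appears only when the input length is not a multiple of 3,
// so its absence says nothing about whether a string is Base64.
function paddingLength(s) {
  const m = /=+$/.exec(s);
  return m ? m[0].length : 0;
}

// Decode a {data, enctype} object; no key is involved at any point.
function decodeEnvelope({ data, enctype }) {
  if (String(enctype).toUpperCase() !== "BASE64") {
    throw new Error(`unsupported enctype: ${enctype}`);
  }
  // Buffer.from(..., "base64") silently skips invalid characters,
  // so validate the text before decoding it.
  if (!isStrictBase64(data)) {
    throw new Error("data is not well-formed Base64");
  }
  return Buffer.from(data, "base64").toString("utf8");
}

console.log(decodeEnvelope(SAMPLE));
console.log("padding on sample:", paddingLength(SAMPLE.data));
console.log("padding on 'ab':", paddingLength(Buffer.from("ab").toString("base64")));
```

Because anyone holding the encoded string can reverse it this way, a Base64 field in an API response gives no confidentiality, whatever the field is called.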

