DEV Community

Cover image for Hack The Box: Invite Challenge
Souvik Kar Mahapatra
Souvik Kar Mahapatra

Posted on • Updated on

Hack The Box: Invite Challenge

#security #hackthebox #ctf #cybersecurity

htb-invitation-chal.png

Okay, guys! So I decided that I'll solve Hack The Box challenges but I can't see a signup option. Can you? So that what brings you here. Oh but I do see invite challenge and we need to solve it in order to make an account. Basically, it's a test to check whether you can worthy to have an account on this site 😂. Alright, jokes apart, and let's jump into it.

Breaking In

So it says hack this page to get invite code. Sure! one and the only thing that comes to my mind is Developer tools. Let's open it up.

invitation-console.png

Ah! and here we have a big skull trying to tell us something. So there is an interesting JavaScript file which we need to find. Let's have a look at the network panel and filter out JS files.

invitation-network-tool.png

The name of the file is eye-catching, inviteapi.min.js. Feels like this file has something to do with the invitation code. Let's open it up and it's minified/obfuscated (it's unreadable). You must be thinking, "then how do we understand what's it doing?". Here is the answer:

dev tool

and I'll set the breakpoint at line 24. Why? because it is returning some value and possibly it can be the invitation code. Now after setting the breakpoint refresh the page and you'll see the return value as shown below.

invitation-debug.png

Oops! looks like I was wrong 😖. This code returns a function rather than an invitation code but the name of the function sounds as if it generates the invitation code. Let's call the function in the console.

makeInviteCode()
Enter fullscreen mode Exit fullscreen mode

invitation-mic.png

and here we have something. Oh, it's an encrypted string, and notice it also mentions the algorithm it's encrypted with: ROT13. Head over to rot13.com and decrypt it.

invitation-level-1.png

So it turns out this is also not the invitation code. Decrypted string says that we need to make a POST request to /api/invite/generate. Let's do it using the fetch() API.

fetch('/api/invite/generate',{
    method: "POST"
})
.then(response=>response.json())
.then(data=>console.log(data))
Enter fullscreen mode Exit fullscreen mode

and we get following result:

invitation-final.png

okay, so we got another object as a response. Here we can see some string. Ah! this is the invitation code or is it? Notice object also has a key format=encoded which indicates this string is encoded, possibly base64. Let's give it a try.

You can use any online base64 decoder or use the function atob() right in your console to decode the base64 string.

Now the final result looks like an invitation code.

It was fun and I think it is a clever idea as well to implement such a challenge right at the login. Anyways this is the end of this post. See you on the other end.

"A man who flies from his fear may find that he has only taken a shortcut to meet it." -Sador, Children of Húrin

Top comments (0)

Read next

ietxaniz profile image

How to implement HTTPS in Local Networks Using Let's Encrypt

Iñigo Etxaniz -

me_priya profile image

Discover the Difference Between Port 80 and 443

Priya Mervana -

yayabobi profile image

7 Essential SaaS Security Best Practices

yayabobi -

hamed-fatehi profile image

Demystifying OAuth 2.0 with a Clubbing Analogy

Hamed Fatehi -