Okay, guys! So I decided that I'll solve Hack The Box challenges but I can't see a signup option. Can you? So that what brings you here. Oh but I do see invite challenge and we need to solve it in order to make an account. Basically, it's a test to check whether you can worthy to have an account on this site π. Alright, jokes apart, and let's jump into it.
Breaking In
So it says hack this page to get invite code. Sure! one and the only thing that comes to my mind is Developer tools. Let's open it up.
Ah! and here we have a big skull trying to tell us something. So there is an interesting JavaScript file which we need to find. Let's have a look at the network panel and filter out JS files.
The name of the file is eye-catching, inviteapi.min.js. Feels like this file has something to do with the invitation code. Let's open it up and it's minified/obfuscated (it's unreadable). You must be thinking, "then how do we understand what's it doing?". Here is the answer:
and I'll set the breakpoint at line 24. Why? because it is returning some value and possibly it can be the invitation code. Now after setting the breakpoint refresh the page and you'll see the return value as shown below.
Oops! looks like I was wrong π. This code returns a function rather than an invitation code but the name of the function sounds as if it generates the invitation code. Let's call the function in the console.
makeInviteCode()
and here we have something. Oh, it's an encrypted string, and notice it also mentions the algorithm it's encrypted with: ROT13. Head over to rot13.com and decrypt it.
So it turns out this is also not the invitation code. Decrypted string says that we need to make a POST request to /api/invite/generate
. Let's do it using the fetch()
API.
fetch('/api/invite/generate',{
method: "POST"
})
.then(response=>response.json())
.then(data=>console.log(data))
and we get following result:
okay, so we got another object as a response. Here we can see some string. Ah! this is the invitation code or is it? Notice object also has a key format=encoded
which indicates this string is encoded, possibly base64. Let's give it a try.
You can use any online base64 decoder or use the function atob()
right in your console to decode the base64 string.
Now the final result looks like an invitation code.
It was fun and I think it is a clever idea as well to implement such a challenge right at the login. Anyways this is the end of this post. See you on the other end.
"A man who flies from his fear may find that he has only taken a shortcut to meet it." -Sador, Children of HΓΊrin
Top comments (0)