Skip to main content

Hack Invite Code To Register - Hack The Box


Recently I found another website that have more advanced hacking challenges...I know I need to cover other websites which i have promised you but something in this website is interesting.For registering in this website,you need to hack and get an invite code.So, I thought to deviate from our regular topic and talk about it.
The WEBSITE is

HACK THE BOX

They are asking invite code for registering.As usual i checked source-code of the page.Since I found nothing suspicious,I started looking at JavaScript and found one that seems can help me.


<script defer src="/js/inviteapi.min.js"></script>

I visited the js..There is a script and i found some keywords from that like "log","invite","verifyInviteCode","makeInviteCode"
I went back to our registration page now right clicked and selected inspect.

SELECT CONSOLE


 Try typing in each keyword and check if function exist.


I got output when i checked verifyInviteCode();
But, there was no help from that

when I checked makeInviteCode();
I found something encrypted!
Encryption type is specified in it as base64.
so i used an online base64 decoder for decoding it!

The information i got was:

In order to generate the invite code, make a POST request to /api/invite/generate

hurreehh!! we are almost there now we know where to look for
but if you directly visit the page by 
https://www.hackthebox.eu/api/invite/generate

you will get error because its specified clearly , we need to use a post request!
How to do it? no need to code something new its right in our reg page
in the page, right click and select inspect
you will see
change form action to:

Now, type something in input and hit sign up.
BANG!!

you get something informative!!

I got this


{"success":1,"data":{"code":"UkdSVFotTk9aQkUtTllCSlktTEVOVFMtS0RUWVA=","format":"encoded"},"0":200}

We have the code but in encrypted form!
To find which encryption is used, goto

Hash Type Checker

now paste the code and check which is encryption type,I got base64
then goto 

Base64 Decode

for decoding base64 and i got my invite code!
RGRTZ-NOZBE-NYBJY-LENTS-KDTYP


Isn't it  a spoiler?
No! the invite code differ for each person and so you will get your own code!
GOOD LUCK!

Comments

Popular posts from this blog

Hack This Site! Realistic 1-Uncle Arnold's Local Band Review

Uncle Arnold's Local Band Review  Your friend is being cheated out of hundreds of dollars. Help him make things even again!
After Finishing our basic missions and JavaScript missions we gained a lot of confidence.Now it is time to test in real life scenario. This is where Realistic missions comes in handy.
==================================================

It Says:


From: HeavyMetalRyan 
Message: Hey man, I need a big favour from you. Remember that website I showed you once before? Uncle Arnold's Band Review Page? Well, a long time ago I made a $500 bet with a friend that my band would be at the top of the list by the end of the year. Well, as you already know, two of my band members have died in a horrendous car accident... but this ass hole still insists that the bet is on!

I know you're good with computers and stuff, so I was wondering, is there any way for you to hack this website and make my band on the top of the list? My band is Raging Inferno. Thanks a lot, man!

===========…

HackThisSite Realistic Mission 2

Chicago American Nazi Party Racist pigs are organizing an 'anti-immigrant' rally in Chicago. Help anti-racist activists take over their website!  ================================================
From: DestroyFascism 
Message: I have been informed that you have quite admirable hacking skills. Well, this racist hate group is using their website to organize a mass gathering of ignorant racist bastards. We cannot allow such bigoted aggression to happen. If you can gain access to their administrator page and post messages to their main page, we would be eternally grateful.
 ================================================ So a guy named DestroyFascism  is asking for our help.Lets visit the website and check the steps we did in previous missions to find vulnerability. Right click and select view source.There is only 52 lines of code. Check the code for suspicious data.I found something!

CODE ------------------------------------------------------------- <a href="update.php">…