HTB Invite Challenge

This is my writeup howto solve the Invite Challenge for the HacktheBox Cybersecurity Training Platform.

Keep Calm and hack this box ;-)

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field. Click below to hack our invite challenge, then get started on one of our many live machines or challenges.

Back to the invite challenge, everything starts with analyzing the source code. Browsers like firefox and chrome bring some tools by default which helps to analyze the source code of a webpage.

Have a closer look on the inviteapi.min.js script

There is an embedded script called „inviteapi.min.js“ which catched my attention!

From there we see a javascript function called „makeInviteCode“

I switch over to the console window and try to activate the function „makeInviteCode“

makeInviteCode()

Note there is a hint that the encryption is ROT13

We get an encrypted text back and a hint that it is the ROT13 chiffre.

So let’s decode that phrase:

That’s interessting. The decoded message is „In order to generate the invite code, make a POST request to /api/invite/generate

For me it took a litle while to figure out how to do that, but I could solve it, by fire up a linux terminal and use curl to send that POST request.

curl -XPOST https://www.hackthebox.eu/api/invite/generate

Have a look on the generated output. It's a base64 string

OK, it looks like that I get a base64 encoded string back. Let’s decode that also

online base64 encoder/decoder

decoded string

send decoded invite code