# HTB Invite Challenge

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F3vv1emarD6JS4iKykJVG%2FHackthebox_Invite-583x381.png?alt=media&#x26;token=7d73c025-f520-4f08-a9f2-dddcba4f2daf" alt="Keep Calm and hack this box ;-)"></div>

> Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field. Click below to hack our [invite challenge](https://www.hackthebox.eu/invite), then get started on one of our many live machines or challenges.

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FKj95hZ975MZyLaSxdHEG%2Fivite_challenge1-1024x109.png?alt=media\&token=675dc1ab-665b-4d39-8466-e1d8a4af6efe)

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FbUlwnChjkEDV0xGjfM7y%2Fivite_challenge2.png?alt=media&#x26;token=48da6d36-3219-4419-ad3d-8c2a4357c996" alt=""></div>

Back to the invite challenge: everything starts with analyzing the source code. Browsers like Firefox and Chrome ship with built-in developer tools that help to analyze the source code of a web page.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FbnyV5qtIgqEfGqFEQVuO%2Fivite_challenge3.png?alt=media&#x26;token=be383a93-d165-4b61-8490-afa450320755" alt="Have a closer look on the inviteapi.min.js script"></div>

There is an embedded script called "inviteapi.min.js" which caught my attention!

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FAnG4bACFO4k8KZesusaQ%2Fivite_challenge4.png?alt=media\&token=afcf76f4-16e5-4541-8d38-b902eac1eb25)

From there we see a JavaScript function called "**makeInviteCode**".

I switch over to the console window and try to activate the function "**makeInviteCode**":

`makeInviteCode()`

![Note there is a hint that the encryption is ROT13](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FArANWBsKtuJJkorgX7Jw%2Fivite_challenge5.png?alt=media\&token=8d5fcfcb-f3eb-4753-8b7f-853f563ba873)

We get an encrypted text back and a hint that it is the ROT13 cipher.

So let’s decode that phrase:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FJ1ZkPE5W8ab6KMpqp98B%2Fivite_challenge6.png?alt=media\&token=1d7bc9e7-a996-4b3e-8981-80f8d8111de6)

That’s interesting. The decoded message is "In order to generate the invite code, make a POST request to /api/invite/generate".

For me it took a little while to figure out how to do that, but I could solve it by firing up a Linux terminal and using curl to send that POST request.

`curl -XPOST https://www.hackthebox.eu/api/invite/generate`

![Have a look on the generated output. It's a base64 string](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FfT1hSn3YMwskN8SKYEJ4%2Fivite_challenge7-1024x226.png?alt=media\&token=1865d161-2c86-4e51-b1fc-098775c8f82e)

OK, it looks like I get a Base64-encoded string back. Let’s [decode](https://base64decode.org) that as well.

![online base64 encoder/decoder](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FiB5Z60is7vZZ4GExpFnH%2Fivite_challenge8.png?alt=media\&token=ff716b59-fefb-4ec0-b0d7-7b4a4b9637b2)

![decoded string](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FKeLLaIN8zIcis93Zy5PN%2Fivite_challenge9.png?alt=media\&token=e5be83ea-9711-4115-b71f-b602cd4cbc41)
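Both decoding steps above can also be done locally instead of pasting values into online decoders. The following Node.js snippet is an added example, not part of the original write-up; the function names, the `BASE64` hint label and the sample values are assumptions constructed for illustration.

```javascript
// Added example (not from the original write-up): local ROT13 / Base64 decoding.

// ROT13 rotates only ASCII letters by 13 places; digits, spaces and '/' are untouched.
function rot13(text) {
  return text.replace(/[A-Za-z]/g, (ch) => {
    const base = ch <= 'Z' ? 65 : 97; // 'A' for upper case, 'a' for lower case
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Buffer.from(..., 'base64') silently skips invalid characters,
// so validate the alphabet and padding before decoding.
function base64Decode(text) {
  const s = text.trim();
  if (s.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(s)) {
    throw new Error('not valid Base64');
  }
  return Buffer.from(s, 'base64').toString('utf8');
}

// Pick the decoder from an encoding hint such as the "ROT13" hint in the console output.
// The 'BASE64' label is a hypothetical name chosen for this example.
function decodeByHint(hint, data) {
  switch (hint.toUpperCase()) {
    case 'ROT13':
      return rot13(data);
    case 'BASE64':
      return base64Decode(data);
    default:
      throw new Error(`unsupported encoding hint: ${hint}`);
  }
}

// Constructed samples: the ROT13 form of the message quoted in this write-up,
// and a placeholder string standing in for a real invite code.
const SAMPLE_ROT13 =
  'Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/vaivgr/trarengr';
const SAMPLE_B64 = Buffer.from('EXAMPLE-INVITE-CODE').toString('base64');

console.log(decodeByHint('ROT13', SAMPLE_ROT13));
console.log(decodeByHint('base64', SAMPLE_B64));
```
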

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FJKKSLqy2nByaehaGLIPO%2Fivite_challenge10.png?alt=media&#x26;token=1572fedf-69fc-4032-b40d-d2e21d801019" alt="send decoded invite code"></div>

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FOSNXyOPqnDIaqHqjjdps%2Fivite_challenge11.png?alt=media&#x26;token=760ab056-75c1-49da-aa8f-fc1db25feea6" alt=""></div>
