HACK THE BOX – How to hack the invite process

Hi all!

Have you heard about CTF? If not, this is the right place for you. Today I'm going to walk you guys through the login process of the Hack The Box pen-testing labs.

What is CTF?

Capture the Flag (CTF) is a special kind of information security competition. There are three common types of CTFs: Jeopardy, Attack-Defense and mixed.

Jeopardy-style CTFs have a couple of questions (tasks) in a range of categories, for example Web, Forensic, Crypto, Binary or something else. A team gains points for every solved task, usually with more points for more complicated tasks. The next task in the chain can be opened only after some team solves the previous task. When the game time is over, the sum of points shows you the CTF winner. A famous example of such a CTF is Defcon CTF quals.

Attack-defense is another interesting kind of competition. Here every team has its own network (or only one host) with vulnerable services. Your team usually has time for patching your services and developing exploits. Then the organizers connect the participants of the competition and the war-game starts! You should protect your own services for defense points and hack opponents for attack points. Historically this is the first type of CTF; everybody knows about DEF CON CTF, something like a World Cup of all other competitions [2].

What is Hack the Box?

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated. Some of them simulate real-world scenarios and some of them lean more towards a CTF style of challenge [1].

If you have tried to join the Hack The Box labs, you might have seen that you have to hack your way into the website. You have to somehow find an invitation code to get you inside.

Let’s get started!

First of all, in this kind of situation, the first thing to do is look at the page source. Press CTRL + Shift + I, or right-click and choose Inspect Element, to view the page source.

As you guys can see, there's a script called /js/inviteapi.min.js. Let's see what's in there. Go to https://www.hackthebox.eu/js/inviteapi.min.js to view the JS file.

At the end of the JS file, there's something called makeInviteCode, which looks kind of fascinating. Now go to the developer tools console, type makeInviteCode() and press Enter.

You will get an HTTP 200 success status and some data. Click on the Object to view the data.

As you guys can see, the given data is encoded in Base64. To decode it, go to any Base64 decoder and copy and paste the given data. I decoded it using this site: https://www.base64decode.net/.

 

As mentioned in the message, we have to make a POST request to https://www.hackthebox.eu/api/invite/generate in order to generate the invitation code. To do that, we use the curl command in the terminal.

There, you will see another code, which is again encoded. If we try to decode it again using Base64, we might get our way into the invitation code.
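The POST request and Base64 decoding steps above, as an added shell example that is not part of the original post. The JSON field name `code` and the sample response are assumptions constructed for illustration, and `base64 -d` is the GNU coreutils form of the decode flag.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: the encoded value sits in a JSON string field named "code".

INVITE_URL='https://www.hackthebox.eu/api/invite/generate'   # endpoint named in the post

# Send the POST request described in the post (needs network access).
request_invite() {
    curl -s -X POST "$INVITE_URL"
}

# Print the string value of JSON field $1 found in the JSON text $2.
# Prints nothing if the field is absent.
json_field() {
    printf '%s' "$2" |
        sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Extract field $1 from JSON text $2 and Base64-decode it.
# Returns non-zero if the field is missing or is not valid Base64.
decode_field() {
    value=$(json_field "$1" "$2")
    [ -n "$value" ] || return 1
    printf '%s' "$value" | base64 -d 2>/dev/null
}

# Constructed sample response (not captured from the site).
# The encoded value is the placeholder string "SAMPLE-CODE".
SAMPLE_RESPONSE='{"success":1,"data":{"code":"U0FNUExFLUNPREU="}}'

# Offline: decode_field code "$SAMPLE_RESPONSE"
# Live:    decode_field code "$(request_invite)"
```

Base64 is an encoding, not encryption, so anyone who can read the response can recover the value without a key.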

There we go! We hacked ourselves into the invitation code. If you copy and paste this code into the text box given on that website, you will be able to log in to the system.

After providing all the necessary information, you can successfully log in to the Hack The Box website.

Stay tuned for more cool stuff!

References

[1] https://www.hackthebox.eu/

[2] https://ctftime.org/ctf-wtf/