
Hack The Box

Cracking the Invite Code


I started HTB back in November 2019. At the time, it was right before I started week 9 of the Full Ethical Hacking Course - Beginner Network Penetration Testing (2019) 15hr course from The Cyber Mentor on YouTube. Since then he has released a 25hr up-to-date course over on Udemy, Practical Ethical Hacking - The Complete Course. If you are looking to start out with learning how to get into hacking, go check it out for yourself, as there are many other cybersecurity-related courses on Udemy from other instructors.


Now back to the program in progress... I really wanted to follow along during the 15hr course, so I had paused at the beginning of the 9th week and proceeded with trying to earn the invite code on HTB so that I could sign up for a Pro membership. I felt only about 25% confident that I could get this invite code, but I wasn't going to let that stop me from trying. Not knowing that much about website fuzzing, I was at a loss, but then the idea popped into my head and I thought, "Hey, let's try a little bit of SQL injection (SQLi) that I just learned about, yes, that should do the trick!" So I proceeded to type it in as such: ' or 1=1; -- -


"OMG! You got #r00t! No, I'm j/k :) "


It all made sense to me: since there was a method that supported user input, this had to be the way in; I mean, what could possibly go wrong? Immediately after hitting enter, it loaded another page that read:


Hahahaha... I thought that was a very humorous error, but then I continued reading down and read:

"You have been blocked because of trying to do something funny on our platform."


Wait... what?!

This was an agonizing facepalm at its best, but lesson learned: don't be such a script kiddie! Luckily for me I was using a VPN, so all I had to do was change my IP and I was back to poking around on Hack The Box's webpage in no time at all. Just sitting there for a couple of minutes thinking, "What's the best way to get that invite code?" with next to nothing to go off of and not knowing much of how to fuzz a webpage, I remembered that I could look at the website's source code by pressing F12 on the keyboard, which brought up the browser's Dev Tools. I proceeded to read the HTML output on the Inspector TAB and found JavaScript tags: <script defer="" src="/js/inviteapi.min.js"></script>. Hmm... that looks interesting!



I clicked on the Console TAB and I was greeted with a Skull & Bones banner with a message to let me know that I was on the right track. Still knowing little of what I was doing, I was giving my best effort and trying what very little knowledge I had, before I would pull one of my cards to ask Google to bail me out. Then, I just started clicking around in all of the tabs to see if I could find the JavaScript file and ran across it under the Debugger TAB.



Looking at the JavaScript file, I was a bit intrigued because I could tell that it was evaluating a function and making calls to other parts, but the message that stuck out the most was the comment: "This javascript code looks strange... is it obfuscated???"


Further reading into the JavaScript code I noticed that there were a few words that caught my attention: makeInviteCode, invite, and generate. I thought... "Hmmm perhaps I could enter these on the Console TAB to get my invite code".


So I proceeded by going to the Console TAB and just typing in the words one by one. Out of all of the words that I had chosen the makeInviteCode came back as a null function, while the other words just stated that they were not defined.


"Whoops, looks like something went wrong."

Then I proceeded to write the word out and run it as an actual function: makeInviteCode(), which further produced additional output that was encrypted via ROT13.


Not exactly knowing what ROT13 was, I further read the hint that was provided:

"Data is encrypted … We should probably check the encryption type in order to decrypt it…"

Now seemed like a good time to ask Google for some assistance! Googling ROT13 decryption I came across a website that would decrypt the message. After reading the message, I was confident that it was the extension file path to a URL.


So, I then proceeded by appending the file path onto the current URL, and then all of a sudden I got a webpage displaying a big red banner:


I felt like I was so close to completing it. Then I thought, the decrypted message did say to make a POST request, but by typing the extension into the URL it was producing a GET request instead. So I proceeded to go to the Network TAB, which I had noticed contained the requests made by the browser earlier while I was searching for the JavaScript file.


I searched for the GET request that responded with a 404 Error and then proceeded by pressing Edit and Resend. That brought up a different view:


Under the Method field I proceeded by changing the input from GET to POST and clicked on Send. From there I scrolled down in the left panel to see the new request that had just been processed. Looking at the status, I noticed that this time it read as 200. Clicking on the request, I could read the header information from the Headers TAB: 200 OK. I then proceeded by clicking on the Response TAB, which had a part that displayed a collapsible JSON entry followed by the body's information.


Which contained the code:


Yesssss! I became excited at this point, because even though it took me several hours, I had finally made it and didn't give up! But now it stated that the code was encoded, so now I had to figure out how to decode the code. Time to go back to Google and try to find a way to decode the code I just got. I entered the word decode and clicked on search. Of course I went to the first entry that I had seen which read as decoder for Base64. I thought, "Let's try it!", so I proceeded to enter my code and clicked on the button and out came a code that I was used to seeing that looked like a software license key:


Staring at the code, I was thinking, "Could this be it? Could this be the final moment that I have been waiting for?" I won't know until I enter the code and click on the Sign Up button:


Now is the moment of truth...


FINALLY I DID IT!!!!! After spending 8 hours on getting the invite code, I now look back and realize that it can be accomplished within only a few minutes' time, especially since I have gained a lot more knowledge since then.
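The two decoding steps described in this post (a ROT13 hint, then a Base64 code) take only a few lines, because both are keyless, reversible encodings. The sketch below is an added example, not code from the original post or from Hack The Box; the data and enctype field names and every sample value are constructed for illustration.

```javascript
// Added example: decode a payload according to the encoding label sent with it.
// Field names (data, enctype) and all sample values are constructed assumptions.

function rot13(text) {
  // Rotate each ASCII letter 13 places; other characters pass through unchanged.
  return text.replace(/[a-zA-Z]/g, (ch) => {
    const base = ch <= 'Z' ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

function base64Decode(text) {
  // Reject malformed input instead of silently decoding garbage.
  const wellFormed =
    /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
  if (!wellFormed.test(text)) {
    throw new Error('not valid Base64');
  }
  // Buffer is Node.js; in a browser console atob(text) does the same job.
  return Buffer.from(text, 'base64').toString('utf8');
}

const DECODERS = { ROT13: rot13, BASE64: base64Decode };

function decodeLabelled(msg) {
  // Pick the decoder from the label; refuse labels we do not know.
  const label = String(msg.enctype).toUpperCase();
  if (!Object.prototype.hasOwnProperty.call(DECODERS, label)) {
    throw new Error(`unsupported enctype: ${msg.enctype}`);
  }
  return DECODERS[label](msg.data);
}

// Constructed samples, not values from the real site.
const hint = { data: 'Guvf vf n pbafgehpgrq uvag', enctype: 'ROT13' };
const code = { data: 'U0FNUEwtRUNPREUtMTIzNDU=', enctype: 'BASE64' };

console.log(decodeLabelled(hint));
console.log(decodeLabelled(code));
```

Anything a client can reverse this way offers no confidentiality, so a response encoded like this should be treated as plain text by whoever designs or reviews the endpoint.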


Overall, the moral of my story is not about how many times you have failed, but how many times you refused to give up until you accomplished your goal. Life is not only about the successes, but also about the quality lessons that can be learned from all of the failures, which allow us to gain the knowledge for personal growth.


I hope you enjoyed my blog; please consider commenting or subscribing for future blog posts! Up next, my journey continues with the next blog on eLearnSecurity's PTS course, stay tuned for more!
