In the upcoming months I plan to do a series of 30 day challenges, both in my career and personal life, and for the month of September I am practicing my penetration testing skills. Hack The Box is a free, online penetration testing lab that lets newbies and advanced users alike practice their skills. I like free and I like practicing, so this was a perfect place to begin LOL.
To get started and register an account with the site you first need to enter an invitation code. The site where you enter this code is here. Naturally, one would assume you would get invited by another person but nope. You have to figure out how to generate an invite code yourself and get in. It can be tricky for newcomers so here's how I was able to navigate it:
1. Gathering more information is one of the first steps in performing a penetration test. You must perform reconnaissance in order to gather more information about your target to reach your goal. In this case our target is the website and our goal is to generate an invite code. When you look at the invite page, there isn't much to go on from the front-end.
2. So maybe there is more information if we inspect the code on the page? You can do this by right clicking on the website and choosing the Inspect option. When you right click on a web page a powerful tool opens up that allows to view and edit elements on a page.
3. BINGO! Look, we found a message under the Inspect>Console page! Now we know our first challenge is to "hack" this page. Pretty cool picture but again, not much useful information here. Let's go back to the Inspect>elements page.
4. Ok, ok. We have a bunch of different elements here. Elements are lines of code that correspond with different images, video, fonts and other features that make up a website. In this case, something of interest for us is the script with source as: /js/inviteapi.min.js. The other two URLs didn't produce any information so let's see what happens when we add this to the original URL: https://www.hackthebox.eu/js/inviteapi.min.js
5. Ok, ok again - we are getting somewhere. Now most of this code doesn't interest me but MakeInviteCode looks like a clue. We are not yet at the step to use the verifyInviteCode. Will this make the invite code for us to get in? Let's head back to the Inspect tool and type it in at the bottom of the tool.
6. Once we entered the MakeInviteCode() we see a success message was our output. Along with this success message we see a long string of characters in red, along with an enctype. The enctype attribute specifies how the form-data should be encoded when submitting it to the server. Therefore we can deduce that this message in red is encoded and we must decode the message to continue our quest.
7. Since the enctype is BASE64 lets google a decoder that can do this for us. After entering only the message in red into the decoder, the following message was produced:
Nice, we found our next clue. We must make a POST request in order to generate the invite.
A POST request is method via HTTP( The Hyper Text Transfer Protocol - the beginning of the URL when you type in http(s)://www.Facebook.com for example) that sends data to the server and can possibly elicit a response. Cool, now we know to fire up our terminal, or command line, and curl a POST request using the URL string they provided.
Another success and another encoded code. Let's bring it back to the decoder to see if reversing it does anything.
Voila! Invite code has been generated. From here you can copy and paste this back in the Hack the Box invite page and register! Once registered you now have access to a host of labs to play with! Good luck and happy testing!
- Domo