
Hack The Box (HTB) is one of the most incredible platforms around, providing different challenges inside a vulnerable box or a vulnerable virtual machine image. People training for certifications such as OSCP, or any other certification, can work on a couple of boxes and learn how to crack each box to find flags, just like a CTF. In other words, HTB is definitely a CTF platform. To access any box on HTB, a VPN connection is required. The boxes are hosted on HTB's local servers, and since they are intentionally made vulnerable, the chance of someone hacking into the platform is high. Hence HTB took the precaution of creating virtual hosts in their own network, entirely sealed off from the external network.

Once a connection is established, one can access any server depending on their subscription (yes, there is a paid plan for choosing any server, and a free version for choosing specific servers). Once you have access to a server, you can start cracking the box, from performing recon to custom exploitation (no DDoS :D). What if you are not an experienced person and the usual sign-in method doesn’t work on this platform? Yes, it’s a tricky process, but also one of the easiest if you can find your way around the platform using the developer tools provided by the browser.

This blog is a writeup of how I got the invite through hacking, that’s what they say ;-) Quick note: this is not my first time on the platform. I have been an active member for the past 3 years and have solved a lot of retired and active boxes on HTB.

Start hacking!!

The first step is to access the official HTB website, which is on the domain hackthebox.eu. Once you are on the landing page, you can read about what HTB is and how it works. I will be focusing on the “Join” button provided in the second section of the page.

Once I clicked it, the next page asked me to enter the invite code / FLAG. This is basically a challenge where I need to find a way to retrieve the flag by hacking this page.

Tip: JavaScript and developer tools really help with this challenge.

Invite

Now, I can start hacking this page. There might be different approaches for solving this challenge, but I will be demonstrating the way I cracked the invite and extracted the FLAG.

To inspect the underlying code, I right-clicked the page and selected the Inspect Elements option in the browser.

Inspector dev tool

A window with code of the current page and some other tools will appear. If you are a developer, you might be familiar with this tool.

After that, I started expanding the HTML code in the inspector and looking through it to see if any FLAG was embedded inside the normal HTML code, either as a hidden attribute or commented out, since having it visible there would make the challenge extremely easy.

While going through the code, at the bottom of the HTML page, I came across inviteapi.min.js, a minified JavaScript file, which seemed quite odd at first. Its name also referred to an invite API, so I guessed there might be something inside it related to generating the FLAG / invite code. Hence I clicked on that link, and a minified JavaScript file appeared that could not simply be read.

Javascript minified

Since I was using the Firefox browser, I was able to use a built-in option to put the code in a readable form.

Javascript readable

I started looking at the logic and I came across a statement at the end of the script which looked just like a function call.

call

Alongside it, I saw the name makeInviteCode.

makeInviteCode

So I decided to test this out. I went to the console from the Inspector and saw this.

console

I guess I was on the right path.

I decided to try the function call, so I typed makeInviteCode() in the console.

function call

The function call returned a 200 success status, which means the call was a success. Hence I clicked the header of the returned object, and inside the data was a hash or some type of encryption.

hash

As you can see in the above image, the encoding type was BASE64; you can learn more about it on Wikipedia.

So to decode it, I used an online Base64 decoder, found by searching on Google. I fed the encoded text into the tool and it produced the text given below:

Result

The decoded text says:

To generate the invite code, make a POST request to /api/invite/generate

The result was another hint and not really a FLAG. But it did say that a request was needed to create the invite code. Hence, to create one, I went to the Inspector tool in the browser and decided to manipulate the underlying form code that submitted the FLAG.

The form code was:

input form

You can see that the form was sending the invite code entered in the form to /invite, while the hint said that to generate the invite code, we need to send a request to /api/invite/generate. Hence I changed the action from /invite to /api/invite/generate. The request type should also be POST, which it already was on the webpage.

changed input

Now, to generate the invite code, we need to trigger the request, which can be done by entering some random values in the form and submitting it.

input random

The submission led to another web page with a return value in JSON format, provided below.

result

Here we can see another data section with code and format. Again, it was some kind of encoding. To decode this, I fed it to the online tool and decoded the underlying message.

flag

The result looked like an invite code and hence I knew that it was the FLAG.
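Both decoding steps above can be done locally in the browser console or in Node instead of pasting values into an online tool. The following is an added example, not code from the original post or from HTB: the field names (data, enctype, code, format) are assumed from the description above, and the sample responses are constructed.

```javascript
// Added example. Field names are assumptions based on the post's description;
// the two sample responses at the bottom are constructed, not captured traffic.

const B64_RE = /^[A-Za-z0-9+/]*={0,2}$/;

// Strict Base64 decode: reject malformed input instead of silently
// producing garbage, and require the result to be valid UTF-8 text.
function decodeBase64(text) {
  const s = String(text).trim();
  if (s.length === 0 || s.length % 4 !== 0 || !B64_RE.test(s)) {
    throw new Error("value is not well-formed Base64");
  }
  const bytes = Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Accepts either response shape described in the post:
//   hint:   { data: { data: "<encoded>", enctype: "BASE64" } }
//   invite: { data: { code: "<encoded>", format: "..." } }
function decodeInviteResponse(raw) {
  const body = typeof raw === "string" ? JSON.parse(raw) : raw;
  const inner = body && body.data;
  if (!inner || typeof inner !== "object") {
    throw new Error("no data section in response");
  }
  if ("enctype" in inner) {
    if (String(inner.enctype).toUpperCase() !== "BASE64") {
      throw new Error("unsupported enctype: " + inner.enctype);
    }
    return { kind: "hint", text: decodeBase64(inner.data) };
  }
  if ("code" in inner) {
    return { kind: "invite", text: decodeBase64(inner.code) };
  }
  throw new Error("unrecognised response shape");
}

// Constructed samples: the hint text is the one quoted in the post,
// the invite code is a placeholder.
const HINT =
  "To generate the invite code, make a POST request to /api/invite/generate";
const sampleHint = JSON.stringify({ data: { data: btoa(HINT), enctype: "BASE64" } });
const sampleInvite = { data: { code: btoa("EXAMPLE-INVITE-CODE"), format: "encoded" } };

console.log(decodeInviteResponse(sampleHint));
console.log(decodeInviteResponse(sampleInvite));
```

Base64 is a reversible encoding with no key, so anything a page returns in this form is readable by whoever can open the developer tools.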

I decided to try this out, and I entered the invite code in the form.

provided form

The page redirected to another page that showed Congratulation!, which meant it was a success, and I got my access to HTB!! After that, I had to provide my user credentials as an initial user to access the website.

login

That’s how I got the invite code to practice network penetration testing and vulnerability analysis on different boxes or machines.

Hope you enjoyed it.