Getting access to the platform “Hack The Box”

Hack The Box is an online platform that lets you improve your pen-testing skills using labs built with different vulnerabilities and issues to play with.

To become a member of this site you first have to work out the “invitation code” that the sign-up page asks for. This is not a site where you simply click, create your profile and are done; instead you need to think about how to generate the code the website requests before you can continue and create your profile.

Getting access to Hack The Box with Firefox and Kali Linux.

[Screenshot: Target]

Pre-requisites

– Firefox
– Kali Linux
– The target (https://www.hackthebox.eu/invite), which in this case is a website.

1. The first step is to analyze the target, which in this case is a website: what is the code of the page, and what does it contain?

To find out, use Firefox to inspect the page. We are looking for information that leads to the code, so check the page and analyze the different files and code it loads.

For example,

a. Files you will find

[Screenshot: JavaScript files]

b. Open and analyze every JavaScript file to see what it does. To open a file you can do either of two things:

b.1 Right-click the file and copy the link address
b.2 Add the name of the file to the end of the URL

2. The file “/js/inviteapi.min.js” shows some important information that you can play with; for this lab the function “makeInviteCode” is probably the one we are looking for.

3. Move to the Console tab of the developer tools and invoke the function by typing “makeInviteCode();” and pressing Enter. You will get a response like the following example (expand all the entries to see the full information):

undefined
{…}
  0: 200
  data: Object { data: "SW4gb3JkZXIgdG8gZ2VuZXJhdGUgdGhlIGludml0ZSBjb2RlLCBtYWtlIGEgUE9TVCByZXF1ZXN0IHRvIC9hcGkvaW52aXRlL2dlbmVyYXRl", enctype: "BASE64" }
  success: 1
  <prototype>: Object { … }

4. The value of “data”, without the quotation marks, is encoded in BASE64, as the “enctype” field shows, so you need to decode it to continue. (Use any of the BASE64 decoders that you can find by searching on Google.)

5. When you decode that string you will receive plain text like the following:

“In order to generate the invite code, make a POST request to /api/invite/generate”

6. That result gives you the next step: you need to make a POST request in order to get the invitation code. You can send that request in two ways:

c. Using the Firefox add-on “hackbar”
d. Using the command “curl” to send the request.

Example using curl,

To do that, open the command line and type the command as shown in the following image:

[Screenshot: POST request]

You will get a response like the one in the image above; once again you receive encoded data that you need to decode. Use the same decoder from step 4 to decode the string “V0JNRVQtR1JGUVUtV1ZKS1UtS09XU1ctUlVWSU0=“.

If everything was successful you will receive the code that you were looking for,

“WBMET-GRFQU-WVJKU-KOWSW-RUVIM”

With this code you can go back to the website, enter the code and sign up to enjoy the platform.
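
The two decoding steps above (step 4 and the final decode) can also be done with a small JavaScript helper that runs in Node or in the Firefox console. This is an added example, not code from the original post or from Hack The Box; the function names, the strict base64 check and the five-groups-of-five-letters format check are assumptions based on the sample values quoted above.

```javascript
// Added example. The sample response is constructed from the values quoted in this post.

// Decoders keyed by the "enctype" field; the post only shows "BASE64".
const DECODERS = {
  BASE64: (s) => {
    // Refuse anything that is not canonical base64 before decoding it.
    if (!/^[A-Za-z0-9+/]*={0,2}$/.test(s) || s.length % 4 !== 0) {
      throw new Error("data is not valid base64");
    }
    return atob(s);
  },
};

// Unwrap the { data: { data, enctype }, success } object printed by makeInviteCode().
function decodeEnvelope(response) {
  if (response.success !== 1) throw new Error("request was not successful");
  const { data, enctype } = response.data;
  const decode = DECODERS[enctype];
  // Fail loudly instead of guessing when the server names another encoding.
  if (!decode) throw new Error(`unsupported enctype: ${enctype}`);
  return decode(data);
}

// Decode the bare base64 string from step 6 and check its shape.
// Assumption: codes look like the one in this post (5 groups of 5 capitals).
function decodeInviteCode(encoded) {
  const code = DECODERS.BASE64(encoded);
  if (!/^[A-Z]{5}(-[A-Z]{5}){4}$/.test(code)) {
    throw new Error("decoded value does not look like an invite code");
  }
  return code;
}

// Constructed from the console output shown in step 3.
const hintResponse = {
  0: 200,
  data: {
    data: "SW4gb3JkZXIgdG8gZ2VuZXJhdGUgdGhlIGludml0ZSBjb2RlLCBtYWtlIGEgUE9T" +
          "VCByZXF1ZXN0IHRvIC9hcGkvaW52aXRlL2dlbmVyYXRl",
    enctype: "BASE64",
  },
  success: 1,
};

console.log(decodeEnvelope(hintResponse));
console.log(decodeInviteCode("V0JNRVQtR1JGUVUtV1ZKS1UtS09XU1ctUlVWSU0="));
```

Dispatching on “enctype” rather than always assuming BASE64 means an unexpected encoding raises an error instead of producing garbage.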

This example shows that the platform is not a simple one: even the first step requires you to think about how to get the invitation code and to apply a few different techniques.

Enjoy.
