So you don't have an invite code... Why not hack in?

Imagine a scenario where there’s a website which you want to join but can’t because you need an invite code. Let’s also imagine that you have permission to hack in this scenario. So the question is, where do you start?


Check the page’s source code to see what generates invites. In this case you can tell it’s JavaScript because of this line in the code:

<script defer="" src="/js/inviteapi.min.js"></script>

The JavaScript looks like this:

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}',24,24,'response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify'.split('|'),0,{}))

Don’t be overwhelmed! It may seem like a lot of code, but notice the readable words in the last line, such as makeInviteCode. This might be easier than expected.
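The words in that last line are the packer's dictionary, so the script can be unpacked statically and read without running it. The following is an added example, not part of the original post or the site's own code; `unpack` and `summarize` are hypothetical helper names, and the payload, radix and word list are copied from the arguments of the script above.

```javascript
// Added example: statically unpack the page's p,a,c,k,e,r payload without eval().
// PACKED, RADIX and WORDS are copied from the arguments of the script shown above.
const PACKED = `1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:'/d/e/n',c:1(0){3.2(0)},f:1(0){3.2(0)}})}` +
  `1 j(){$.9({a:"7",5:"6",b:'/d/e/k/l/m',c:1(0){3.2(0)},f:1(0){3.2(0)}})}`;
const RADIX = 24;
const WORDS = ('response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|' +
  'success|api|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify').split('|');

// Replace every word token with its dictionary entry. The packer encodes a
// word's index in base RADIX; this helper handles radix <= 36 only.
function unpack(packed, radix, words) {
  if (radix < 2 || radix > 36) throw new RangeError('radix > 36 uses a different encoding');
  return packed.replace(/\b\w+\b/g, (token) => {
    const index = parseInt(token, radix);
    // Reject partial parses ("4z" -> 4) and indexes with no dictionary word.
    if (Number.isNaN(index) || index.toString(radix) !== token) return token;
    return words[index] || token;
  });
}

// List the named functions and quoted URL paths a reviewer can read from the result.
function summarize(source) {
  const functions = [...source.matchAll(/function\s+(\w+)\s*\(/g)].map((m) => m[1]);
  const paths = [...source.matchAll(/['"](\/[\w\/-]+)['"]/g)].map((m) => m[1]);
  return { functions, paths };
}

const summary = summarize(unpack(PACKED, RADIX, WORDS));
console.log(summary);
```

Packing of this kind only shortens the file: every function name and API path the client uses is recoverable from the script itself.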

Try running this code in your browser’s console.


The code even tells you this string is Base64 encoded. How nice of the author!

Once you decode this string you get the following text:

In order to generate the invite code, make a POST request to /api/invite/generate

Now use the RESTED add-on in Firefox to send a POST request to that location.


Taking an educated guess, you try decoding with Base64 again.

Success! The invite code is: TIZHJ-KUIWA-EGQJZ-ZVHSP-OUHVC

You can now register for an account and access the website without a real invite.

Congratulations, you’ve hacked in!
