There are a lot of resources to help me in my journey to become a penetration tester, and Hack The Box was highly recommended by a number of people for me to use.

Straight off the mark, they’re testing you.

Clicking the link takes you to a nice little invite form.

So let’s take a look at the source code. In Chrome, I’m gonna open up the source code with Command + Alt + I (Ctrl + Shift + I for Windows).

Let’s examine what’s inside here.

Dear god, how terrifying. I really can’t be bothered trying to understand this code, but I do see eval(), which means that it’s going to run commands. I see that there’s a big string that’s being split in line 26. Presumably, each of those is a command. makeInviteCode seems like it might generate a code.

So let’s try running it. In Chrome, we’ll open up the console with Command + Alt + I (Ctrl + Shift + J for Windows):

Thanks uBlock

Let’s run the makeInviteCode() function and see what happens:

So something’s happened. Let’s see if anything happened on the network (two keyboard shortcuts is enough for today, just click the Network tab):

Interesting. So a packet was created. We’ve now got a string of data encoded in ROT13 (Rotate 13, just shift the letters by 13). So let’s decode that. We could do this by hand, but why bother when rot13.com exists?

Alrighty. We’ve already got a form on the page that makes POST requests, so let’s just use that. Using the element inspector (Google the shortcut), we can see that our form sends a POST request to https://www.hackthebox.eu/invite.

Let’s edit that to https://www.hackthebox.eu/api/invite/generate. Just double click the text to make it editable.

Now when we sign up with our form, we’re going to generate a code rather than try to verify the code. This is because we’re now telling the server to run a different script on submission.

We got a code!

Now let’s put that in.

Let’s take a look at the data we got. We have a code, which doesn’t work. So what else is there? There’s more information in the packet. It’s in an encoded format! One of the more common encodings (and one that regularly ends in =) is base64. So let’s use base64decode.org to get our code.
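Both encodings met in this walkthrough, ROT13 earlier and base64 here, reverse without any key, which is why neither hides anything from someone reading the response. The following is an added example, not code from the original post or from Hack The Box, that decodes either one locally instead of pasting values into a website; the function names, the encoding labels and the sample strings are constructed for illustration.

```javascript
// Added example: decode the two keyless encodings seen in this walkthrough.
// Function names, encoding labels and sample strings are constructed.

// ROT13 shifts each ASCII letter 13 places; applying it twice restores the input.
function rot13(text) {
  return text.replace(/[A-Za-z]/g, (ch) => {
    const base = ch <= 'Z' ? 65 : 97; // char code of 'A' or 'a'
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Strict shape check: base64 alphabet, length a multiple of 4,
// and at most two '=' padding characters, only at the end.
function looksLikeBase64(text) {
  return text.length > 0 && text.length % 4 === 0 &&
    /^[A-Za-z0-9+/]+={0,2}$/.test(text);
}

function base64Decode(text) {
  if (!looksLikeBase64(text)) throw new Error('not valid base64');
  // atob exists in browsers and recent Node; Buffer is the Node fallback.
  const binary = typeof atob === 'function'
    ? atob(text)
    : Buffer.from(text, 'base64').toString('latin1');
  // Treat the decoded bytes as UTF-8 text.
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Dispatch on a label naming the encoding (label values are an assumption).
function decodeField(value, encoding) {
  switch (encoding.toLowerCase()) {
    case 'rot13': return rot13(value);
    case 'base64': return base64Decode(value);
    default: throw new Error(`unsupported encoding: ${encoding}`);
  }
}

// Constructed samples, not values captured from the site.
console.log(decodeField('Uryyb, Jbeyq!', 'rot13'));
console.log(decodeField('SGVsbG8sIFdvcmxkIQ==', 'base64'));
```

The trailing = is only padding, so a base64 string whose length already fills whole 4-character groups has none; the shape check above accepts both forms.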

Let’s try again.

Woo! We can now do the things!

Now I can do some blogs about some of the CTFs within. Stay tuned!