Master your skills

Learning platforms that will help you to stay sharp

There is wealth of resources available to anyone willing to practice their newly acquired skill. Without them we wont be able to progress. The best thing about the resources in this field is that many are free and widely available. Besides an open source operating system (Kali, Parrot OS etc) at your disposal there are platforms out there designed to help you become much better at what you are doing now. Practice makes perfect!

HackTheBox

Joining page to Hack The Box
When a life gives you lemons grab a tequilla and some salt, this is going to be fun!

What I like most about this portal was an invitation to .. hack your way in. You know these guys mean business when your first challenge is to gain access so you can practice your hacking ju-itsu. It is this moment that separates men from the boys ( or women from the girls :). Your first "hacking" experience starts here!

I have noticed that in this field you need to be curious about everything you see in front of you. Let's look inside and see what we can learn.

view-source:https://www.hackthebox.eu/js/calm.js

Some nice touches left by the makers.

Exploring further links we discover a code that looks like it might be responsible for an invite code generation:

view-source:https://www.hackthebox.eu/js/inviteapi.min.js

Click to enlarge

Above code looks like it has been obfuscated, perhaps packed ? Thankfully there are tools that allow us to demystify the code so it is more readable. This is where JavaScript beautifier comes into place:

Output of the unpacked command we placed in the form:

Now, of course I do not know java programming language well enough to know how to code (yet). When I looked at it for a first time, it was like reading a book in a foreign language. Gibberish at best! However, once you look at the code over and over again, you begin to see familiar keywords, then maybe some functions that point towards certain instructions of what the code is doing. Here we are looking for any clues that will reveal the Invite Code and it seems like this part of the code can make it happen for us: function makeInviteCode () .

We learn that the code needs a "POST" request to be sent to https://hackthebox.eu/api/invite/how/generate to generate the code?. We can accomplish this task with curl.

DESCRIPTION

curl is a tool to transfer data from or to a server, using one of the supported protocols (DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET and TFTP).

In this case we specify -X and the request method we got from java code, in this case a POST request.

curl -X POST https://www.hackthebox.eu/api/invite/how/to/generate

Output of the command:

base64 encoded mystery

With this HackTheBox challenge as well as many other situations we are going to see Base64 is used quite often.

Base-64 encoding is a way of taking binary data and turning it into text so that it's more easily transmitted in things like e-mail and HTML form data.

Wikipedia

echo SW4gb3JkZXIgdG8gZ2VuZXJhdGUgdGhlIGludml0ZSBjb2RlLCBtYWtlIGEgUE9TVCByZXF1ZXN0IHRvIC9hcGkvaW52aXRlL2dlbmVyYXRl | base64 -d

Will give us an output of:

Another clue
curl -X POST https://www.hackthebox.eu/api/invite/generate

Output of the command:

We get our invite code in a base64 encoding.

We repeat the steps we did before:

echo T0lRTFctRktGVVEtSlNPQ1ctSU1OS1ktUkRYVkk= | base64 -d
Finally invite code is presented to us!

Conclusions:

We were willing to sign up at the penetration testing platform HackTheBox. We were challenged to "hack" our way in. After examining the source code and the links attached to the portal we found obfuscated javascript. We decoded the code and found instructions on how to proceed with retrieving the code. The process involved making a POST request to links specified in the java code. In return we got base64 output, which we managed to decode with base64 -d. With enough persistence we found out our invite code.