Hack the box - getting invited

“A journey of a thousand miles begins with a single step” - Laozi

Alrighty, so I recently got encouraged to join hackthebox.eu because of my love for breaking stuff and mischief. It all starts with having to ‘hack’ your way in. This shouldn’t be too hard, right? This post is somewhat of a journal on how I approached this, and is for documentation purposes only. Figuring things out is the fun - so if you’re not on there yet, go figure it out for yourself!

The approach

When I clicked ‘join’ on the website, I got this quirky little screen.

Alright, time to open up the network tab and see if we can find something interesting. I dwelled a bit on the minimized frontend JavaScript before realizing it says there’s an ‘invite api’ file right there.

Upon opening that in the dev console, it quickly became apparent that it was packed. Packing is a way of minimizing the size of your JavaScript files, and is used all over the internet.

packed js in devtools

A quick Google search for ‘javascript unpacker’ revealed a couple of unpackers. I clicked the one that seemed to be the most appealing, and found that the API consists of two function calls, both of which send empty POST requests to an endpoint, it seems.

So let’s do exactly that…

curling the first endpoint

Aha, interesting! The JSON says "enctype": "ROT13". A fun little joke by the devs there, as ROT13 is merely a letter substitution cipher and by itself is very easy to ‘crack’.

It works like this: A is the first letter of the alphabet and Z is the 26th. In ROT13, every letter is shifted 13 places to the right, so ‘A’ becomes ‘N’. The last thirteen letters of the alphabet wrap around and become the beginning of the alphabet. Because the alphabet has 26 letters, shifting by 13 a second time brings every letter back to where it started, so to decrypt this message we just look up every letter in the same way.

Or not, and we just google ‘ROT13 decoder’ and throw the message into that decoder. The decoded message tells me to ‘call the other endpoint’. So we do what the message says and...

invite response encoded

We get this little gem of a response back. This time it just says ‘encoded’. As I’m a developer, I think I recognize the trailing = as padding for the Base64 algorithm, and so I copy it into my Google Chrome console and run atob() on the string.

an invite code

And voila, I have an invite code.
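
The two decoding steps above as an added JavaScript example, not code from the original post or from Hack The Box: it applies ROT13 when the enctype field says so and otherwise falls back to a structural Base64 check rather than only spotting a trailing =. The responses are constructed samples, and the `data` field name is an assumption.

```javascript
// ROT13: shift each ASCII letter 13 places, wrapping within its own case.
// Non-letters pass through untouched. Applying it twice returns the input.
function rot13(text) {
  return text.replace(/[A-Za-z]/g, (ch) => {
    const base = ch <= 'Z' ? 65 : 97; // char code of 'A' or 'a'
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Structural Base64 check: standard alphabet, length a multiple of 4,
// and at most two '=' characters, only at the very end.
function looksLikeBase64(s) {
  return s.length > 0 && s.length % 4 === 0 &&
    /^[A-Za-z0-9+/]+={0,2}$/.test(s);
}

// atob() exists in browsers and recent Node; Buffer covers older Node.
function base64Decode(s) {
  return typeof atob === 'function'
    ? atob(s)
    : Buffer.from(s, 'base64').toString('binary');
}

// Decode one response object. The `data` field name is an assumption;
// only the "enctype": "ROT13" pair is taken from the post.
function decodeResponse(res) {
  const enctype = String(res.enctype || '').toUpperCase();
  if (enctype === 'ROT13') return rot13(res.data);
  if (looksLikeBase64(res.data)) return base64Decode(res.data);
  throw new Error('unrecognised encoding: ' + res.enctype);
}

// Constructed sample responses (not captured from the real API).
const first = { data: 'Pnyy gur bgure raqcbvag', enctype: 'ROT13' };
const second = { data: 'Q09OU1RSVUNURUQtU0FNUExFLUNPREU=', enctype: 'encoded' };

console.log(decodeResponse(first));
console.log(decodeResponse(second));
```
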

This was fun! And even though it just took me about 10 minutes to walk through all this, it was worth it. I love these kinds of puzzles. Now, on to the next one!