Expanding Cybersecurity Skills with Hack The Box

There are several ways to either assess your current hacking skills or increase your prowess. Capture the Flag (CTF) programs are a way of gamifying cybersecurity skills within a fun, interactive, and challenging delivery platform. One of my favorite free, public cybersecurity sites is Hack The Box: https://www.hackthebox.eu/

According to their website, Hack The Box is “…an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated. Some of them simulating real-world scenarios and some of them leaning more towards a CTF style of challenge.”

To gain access to Hack The Box you have to find the first flag, which is the invite code. This blog article will show you how to do that. Before we start I want to stress three important things:


If you cannot do this on your own, take some time to learn the skills presented in this walkthrough. It is improbable you will find the website and program useful without having some basic skills, such as being able to get the invite code.

There are many ways to skin the poor proverbial cat. Simply put, there could be more than one method to solve a particular challenge and you should certainly try different approaches.


Lastly (and probably most importantly), many of you might consider this walkthrough a form of serious cheating. Regardless of your opinion, I do somewhat agree that there is a sense of pride and value in successfully figuring things out on your own.

Here are the basic steps to get started. Spoiler alert – this will tell you how to get the access code needed to enter the more challenging puzzles.


Step 1: Navigate to the invite page.

This is where you will be asked for an invite code:

Step 2: Analyze the site source code.


I am using Firefox Continuum 62.0, but you should be able to view the source in any web browser. The simplest method is to right-click on the webpage and select Inspect Element.

Step 3: Find the JavaScript function to generate the invite code.


If you examine the webpage, you will find a JavaScript file called js/inviteapi.min.js.

You will probably want to read this file, and you can do so by appending its path to the base address of the primary website. Doing so gives the following URL:

https://www.hackthebox.eu/js/inviteapi.min.js

You will then see something similar to the image below in your web browser.

That is a little difficult for me to read, so I am going to use a site such as Online JavaScript Beautifier (https://beautifier.io/) to make the code a little more readable. To accomplish this I will:


Navigate to the beautifier.

Copy and paste the code.

Select the Beautify JavaScript or HTML button.


I can now see two functions:

Step 4: Running JavaScript function with POST.


I am interested in running the second function since it is making the invite. Notice there is a specific URL embedded in the lines of code. We could use this as we did earlier.


However, also notice the type is POST, which means we will need to send a POST request to see the output.

There are a few ways to accomplish this. I usually use curl with the -XPOST option:

We see a value returned in the data field, but we also see that it is Base64 encoded. We will need to decode this.

Step 5: Decode using Base64.


A simple web search for a Base64 decoder will pull up quite a few sites. The online decoder I use is: https://www.base64decode.org/

Step 6: Obtain the invite code.


The last step is basically a repeat of the previous step. We will once again use curl -XPOST to send a POST request to the site using the new URL we got from our previous step:

The output is a code, and more than likely contains our invite code. At this point we have one last problem. We can see the output is encoded. Unfortunately, unlike the prior step, the output does not tell us how it is encoded.


There are a few tools online that will try multiple decoding methods at the same time. I usually use the decoder in Burp proxy. However, I first want to try Base64 again to see what happens.

SUCCESS! Congratulations, you now have the invite code.
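Steps 4 to 6 can also be done offline instead of pasting response values into a website. The following is an added example, not code from the original post or from Hack The Box: it uses the labelled encoding when a response names one and otherwise tries several decoders, as the multi-decoder tools mentioned above do. The `enctype` field name, the decoder labels and both sample responses are assumptions constructed for illustration.

```python
import base64
import codecs
import json
import string

# Decoders keyed by label. The labels are assumptions for this example.
DECODERS = {
    "BASE64": lambda s: base64.b64decode(s, validate=True).decode("utf-8"),
    "HEX": lambda s: bytes.fromhex(s).decode("utf-8"),
    "ROT13": lambda s: codecs.decode(s, "rot_13"),
}

def is_readable(text):
    """True when the text is non-empty and entirely printable ASCII."""
    return bool(text) and all(ch in string.printable for ch in text)

def candidates(value):
    """Try every decoder; keep results that decode cleanly and are readable."""
    found = {}
    for name, decode in DECODERS.items():
        try:
            text = decode(value)
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
        if is_readable(text):
            found[name] = text
    return found

def decode_response(raw_json):
    """Use the labelled encoding if the response names one, else try them all."""
    body = json.loads(raw_json)
    value = body["data"]
    label = str(body.get("enctype", "")).upper()  # "enctype" is an assumed field name
    if label in DECODERS:
        return {label: DECODERS[label](value)}
    return candidates(value)

# Constructed samples, not real Hack The Box output.
LABELLED = json.dumps({
    "data": base64.b64encode(b"constructed hint text").decode(),
    "enctype": "BASE64",
})
UNLABELLED = json.dumps({
    "data": base64.b64encode(b"ABCDE-FGHIJ-KLMNO").decode(),
})

if __name__ == "__main__":
    print(decode_response(LABELLED))
    print(decode_response(UNLABELLED))
```

ROT13 never fails on printable input, so the unlabelled case returns more than one candidate and you still have to pick the one that reads sensibly.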

From here you can continue through a variety of challenges, testing your hacking abilities. The approach of learning through this method is both good and bad.


Good if you understand where the clues are taking you, but bad if you have no idea and get frustrated. The main thing is to not simply know the answers but to try to expand your knowledge by exploring potential solutions and following trails.


If all else fails, find another person or group that is interested in solving the puzzles and join forces. The idea is to learn and hone your skills.

Happy hunting!

© 2018 Dr. Chaos 
