
HackTheBox.eu is a practice website for penetration testers and hackers. It hosts deliberately vulnerable machines. To register for the website, we need to penetrate its database to generate an invite code for ourselves.
Here I will show you how to enumerate the site's JavaScript and generate an invite code so you can register.
1. Visit hackthebox.eu.
Click on "Join now" in the top right corner to start the registration.
2. You'll get the registration page. Right-click anywhere on the webpage and click "Inspect Element".
3. An inspector tab will open. If you look carefully, you'll notice that the script files have suggestive names; for example, "/js/inviteapi.min.js" probably handles something related to the invite code. Open that same link (/js/inviteapi.min.js) in a new tab:
4. You'll see that the script has been deliberately obfuscated to make the exercise more interesting. If you search for the term "invcode", you'll find a function named "makeInviteCode" buried inside the obfuscated script. This is our key to the invite code.
5. Navigate back to the home page and keep the inspector tab open. As observed above, the script exposes makeInviteCode as a function. So, inside the Console tab, type "makeInviteCode()" and hit Enter. You'll get a message like this:
6. You'll see that it returns some data in an encoded form, which implies that whenever this function is called it will always hand back its data in an encoded format.
Inside data{} there is the encoded text, and at the end "enctype": "ROT13" is specified, so we know the encoding scheme. Remember, we are getting this data because the function "makeInviteCode" reads from persistent storage. Websites or web applications that store user input and later serve it to other users are using persistent storage. Such an application is vulnerable if it does not validate user input before storing the content and embedding it in HTML response pages; we could then perform either a CSRF or an XSS attack on it. This is a well-known class of vulnerability in this domain.
7. Next, fire up your terminal (preferably on Linux). We have the data and its encoding type. Enter the following command to decode the text you've got:
echo "Encoded text returned" | tr 'n-za-mN-ZA-M' 'a-zA-Z'
Here tr stands for translate, and the two character ranges after it are the standard mapping used to decode ROT13 text. ROT13 is its own inverse, so the same command both encodes and decodes.
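The same decoding step as a small shell script, added here as an example and not part of the original post. It pulls the "data" and "enctype" fields out of the JSON reply, refuses any enctype other than ROT13 instead of guessing, and decodes with tr. The JSON reply and the "/api/placeholder" path in it are constructed for illustration; the real message differs.

```shell
#!/bin/sh
# Added example (not from the original post): decode the invite API's JSON
# reply in the shell. SAMPLE_REPLY below is CONSTRUCTED for illustration;
# "/api/placeholder" is a made-up path, not a real endpoint.

# ROT13 is its own inverse: one tr mapping both encodes and decodes.
rot13() {
    printf '%s' "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

# Extract a string-valued field ($2) from a one-line JSON blob ($1) with sed.
# Good enough for this flat reply; use jq for anything more complex.
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\\([^\"]*\\)\".*/\\1/p"
}

# Decode the "data" string according to the advertised "enctype".
# Prints nothing and returns non-zero on an enctype we do not handle,
# so the caller notices instead of acting on garbage.
decode_invite_reply() {
    enctype=$(json_field "$1" enctype)
    payload=$(json_field "$1" data)
    case "$enctype" in
        ROT13) rot13 "$payload" ;;
        *)     printf 'unhandled enctype: %s\n' "$enctype" >&2; return 1 ;;
    esac
}

# Constructed sample reply in the same shape as the one the console shows.
SAMPLE_REPLY='{"0":200,"success":1,"data":{"data":"Znxr n CBFG erdhrfg gb /ncv/cynprubyqre","enctype":"ROT13"}}'

decode_invite_reply "$SAMPLE_REPLY"
```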
8. You can now read the decoded message. It asks you to make a POST request to the HTB access point in order to generate the invite code. A small introduction before continuing: