How to get a Hackthebox Invite Code (Tips Only!)

I recently stumbled upon a very useful list of pentesting practice resources. Amongst them was Hackthebox. I had heard that name a couple of times recently and thought I’d check it out. After reading a bit on their website I clicked the join button. Huh? Hack your way in? That certainly sounded interesting! I thought, “that will be easy for sure”. Oh boy, was I wrong. In this tutorial, I will show you how to get a Hackthebox Invite Code.

I have only very little knowledge of Web Application Testing. I always neglected it a bit (until now). So getting a Hackthebox Invite Code actually turned out to be quite difficult for me, as I didn’t know Javascript or any Web Dev language really. What Hackthebox did for me, just by making me work for an invite code, was tremendous. It encouraged me to start learning Web Application Security. With that comes a lot of different things to learn like Programming languages, HTML, CSS, PHP and so on. Their Invite process alone led me to a completely new and interesting path: Web Application Security.

But enough of that, that’s not what you’re here for.

READ THIS

No, really. Read this. I really want to encourage you to try this challenge by yourself. Make use of that thing sitting between your ears. If you can’t solve a step on your own, don’t look up the solution immediately. Take a break, have a look at web app security basics. Look at it again tomorrow with a fresh mind.

I will write this tutorial in a fashion that gives you only Tips. You won’t find the solution here, I will just point you in the right direction. I feel like putting out the actual solution is defeating the purpose and it’s actually discouraged in the Hackthebox Ruleset, so I will follow.

If you are desperate for a solution, just go to another site, there are plenty providing it. If you really want to learn something, stick with me a little longer.

Step 1 / Tip 1 – Don’t Overthink

The first mistake I made was overthinking the process. I tried all kinds of different techniques that I know from my Information Gathering experience. That knowledge didn’t really include Web App Security, so I was struggling with how to get a Hackthebox invite code at first.

But as this is a Web Application, how high are the chances that you will find a hint hidden somewhere in the code on this simple invite page? You got that right, pretty damn high. If you use Firefox or Chrome for that matter and press F12, you will see a console popping up with all kinds of Web Development tools.

Doing this reveals the code on the invite page which looks like this:

[Screenshot: the invite page code in the browser’s developer tools]

I encourage you to go through all of the tabs and just get a feel for what you’re looking at here. Read the code a bit and maybe you recognize something that might be of interest. The Console Tab presents us with some solid advice:

[Screenshot: the advice shown in the Console tab]

Play with this a bit before heading to Step 2. Pay particular attention to the Inspector, Console, Debugger and Network tabs.

Step 2 / Tip 2 – Dig Deeper

Now that you have a direction set, maybe you have already figured something out by looking at the different tabs and the file names in the code. The Network tab logs the requests the website makes. So, if you type anything in the invite code window and hit Sign Up, it will be shown there. I’d encourage you to have a short look at this.

If you have found any interesting looking file names in the code, you are on the right track.

Mini Spoiler 1 (No solution!)
You should have a closer look at the Debugger Tab and more specifically at a very interesting looking file, inviteapi.min.js

After you have that figured out I would encourage you to google what .min.js means in javascript files. Why is there a .min in front of the .js extension? Why does the code look all scrambled? Research!

Mini Spoiler 2 (No solution!)
.min means minified. The Javascript Code was minified to basically reduce web loading times. You find this a lot on modern Websites. You can use a website like https://beautifier.io/ to “unminify” code and reveal its real form.

Mini Spoiler 3 (No solution!)
The un-minified Code looks like this:

    // Sends the code you typed to the verification endpoint
    function verifyInviteCode(code) {
        var formData = {
            "code": code
        };
        $.ajax({
            type: "POST",
            dataType: "json",
            data: formData,
            url: '/api/invite/verify',
            success: function(response) {
                console.log(response)
            },
            error: function(response) {
                console.log(response)
            }
        })
    }

    // Takes no arguments and logs the server's response to the console
    function makeInviteCode() {
        $.ajax({
            type: "POST",
            dataType: "json",
            url: '/api/invite/how/to/generate',
            success: function(response) {
                console.log(response)
            },
            error: function(response) {
                console.log(response)
            }
        })
    }

Step 3 / Tip 3 – Looks like we got a trail!

Sherlock Holmes would be on fire right now.

If you made it this far on your own, great! You are on to something. Now I want you to figure out how to run JavaScript functions from your Chrome / Firefox Development console. Giving a Tip on this without spoiling the solution is a tough one. Really only look up the next spoiler if you are completely stuck and can’t figure out which code to run or how to run it within the console.

A hint is, you need to be on the Console Tab. Just start typing, something might pop up.

Mini Spoiler 4 (Hot Spoiler!)
You want to run the makeInviteCode function in the Development Console. Learn how to run a function in the console yourself! Always keep parentheses in mind!

Analyze the Code once you got this far. By now, if you have any prior pentesting experience, you should recognize which direction this is going.

Mini Spoiler 5 (No Solution!)
There are two possible ways the encoded key is presented to you. It’s either in BASE64 or in ROT13. Both are encodings without a key rather than real encryption. Figure out how to decode this by yourself. It’s very easy.

Step 4 / Tip 4 – We are almost there

You are on the way to becoming a real hacker. After you have passed the challenge from Step 3, it’s time to search the internet for how to make a POST request to a certain URL.

Put some effort in your search, it’s out there! Using Linux will help you to solve this step. Maybe hit up my Instagram Account and learn some Linux Basics!

Mini Spoiler 6 (No Solution!)
There are probably other ways to solve this, maybe straight out of the console, but I personally have used my Linux knowledge. Having made POST requests before, CURL came to mind. Read this: https://gist.github.com/subfuzion/08c5d85437d5d4f00e58 You’ll figure it out yourself. I believe in you.

You almost hold the Sword Excalibur in your hands. I mean, the invite code.

Step 5 / Tip 5 – How to get a Hackthebox invite code

If you have managed to solve Step 4, solving Step 5 should be an easy one for you! You are presented with another code. If you cheated your way through until here, shame on you, apprentice Hacker! Where is your spirit?

Mini Spoiler 7 (No Solution!)
Learn how to recognize Base64 encoded strings.
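
One way to tell apart the two encodings named in Mini Spoilers 5 and 7, as an added example that is not part of the original post. The function names are made up for illustration and the sample strings are constructed, none of them come from the challenge:

```javascript
// Added example. Sample strings are constructed, not taken from the challenge.
// Works in a browser console (atob) and in Node (Buffer fallback).
const b64decode = typeof atob === 'function'
  ? atob
  : (s) => Buffer.from(s, 'base64').toString('binary');

// ROT13 shifts letters by 13 places and leaves everything else alone,
// so spaces, digits, punctuation and word lengths survive unchanged.
function rot13(s) {
  return s.replace(/[a-z]/gi, (c) => {
    const base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Base64 tells: only A-Z a-z 0-9 + /, no spaces, length a multiple of 4,
// and at most two '=' padding characters, only at the very end.
function looksLikeBase64(s) {
  return s.length >= 8 && s.length % 4 === 0 &&
    /^[A-Za-z0-9+\/]+={0,2}$/.test(s);
}

const isPrintable = (s) => /^[\x20-\x7e\r\n\t]+$/.test(s);

// Crude "is this English?" score: count very common words.
const COMMON = new Set(['the', 'to', 'of', 'and', 'in', 'is', 'you', 'this', 'it']);
const englishScore = (s) =>
  s.toLowerCase().split(/[^a-z]+/).filter((w) => COMMON.has(w)).length;

function identifyAndDecode(s) {
  // A letters-only word can pass the shape test by accident, so also
  // require that the decoded bytes are printable text.
  if (looksLikeBase64(s)) {
    const out = b64decode(s);
    if (isPrintable(out)) return { encoding: 'base64', text: out };
  }
  const rot = rot13(s);
  if (englishScore(rot) > englishScore(s)) return { encoding: 'rot13', text: rot };
  return { encoding: 'unknown', text: s };
}

console.log(identifyAndDecode('aGVsbG8gd29ybGQ='));
console.log(identifyAndDecode('gur dhvpx oebja sbk whzcf bire gur ynml qbt'));
console.log(identifyAndDecode('hello world'));
```

If decoding gives you something that again has the Base64 shape, run it through the function a second time.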

Conclusion

If you made it this far, congratulations! You have earned yourself a medal. I mean, you learned how to get a Hackthebox invite code! For me personally, it was an awesome challenge and opened my eyes a bit. It also showed me where I’m lacking. I learned how to Brute Force Web Login Forms with Burpsuite. Yea, I tried that out of desperation. But at the same time, I earned another valuable skill.

Those challenges are really made the way they are so that you practice your research skills, test and fail. And fail you will, often, all the time. Hacking is about failing. We constantly fail. But eventually, we pick up a new skill along the way that will help us in another scenario some day later.

Did you come to the solution yourself? Where did you get stuck? Let me know in the comments below!

Happy Hacking!

10 thoughts on “How to get a Hackthebox Invite Code (Tips Only!)”

  • November 1, 2019 at 3:20 pm

    This was a very helpful walk through and thanks a lot. I had actually got as far as beautifying the inviteapi.min.js file. But I didn’t know I could call the function with the console. But after I saw your hint, I was on my way. I used Burp Suite to decode the base64 encoded strings and send the POST request and I was done. I guess the moral of the story is not to give up too quickly, you could be so close, but if you give up it’s over. Thanks again friend.
  • September 18, 2019 at 5:00 pm

    I really thank you for this guide, it enlightened me a lot, I learned, it pushed me to research the things I didn’t know and I finally managed to get to the end. I did not use CURL, just worked my way directly at the Chrome console and managed to get the encoded strings, then decoded them and got the invitation by myself!!! It took me 5 minutes but I learned so muuuuch in this time that I really want to say HUGE THANK YOU! This was the 1st time in my life doing this and I can’t explain how I feel after doing it, but I can guarantee that this will be the 1st of many! THANK YOU AGAIN!
    • September 20, 2019 at 11:45 am

      Hi there,

      thanks for the praise! I am happy you made it through the challenge. You can check out my Getting Started with Cybersecurity article if you want 🙂 Good luck!
  • July 20, 2019 at 7:55 am

    Very frustrating experience using Windows to do this.

    I got to the POST request stage on my own, however as I did not have access to CURL I opted to make those requests using a web tool. Unfortunately that caused a conflict with the IP address hence I was stuck at that point. Your guide served merely as a sanity check. Switched to my Kali VM and completed the challenge through there. Wasted a few days on this…
  • July 12, 2019 at 11:53 pm

    I also get an error code saying that “Your Ip address cannot use this invite code”
  • June 16, 2019 at 2:23 pm

    Hi Friend,

    I tried to do Hack the box a while back and I really was stuck on what to do. I managed to investigate some of it but reached a complete standstill because I never knew how to progress further. Your guide wasn’t exactly hand-holding but it was a very good indication of where to go next. Thank you very much.
    • June 18, 2019 at 12:58 pm

      Thanks! You are welcome!
  • March 10, 2019 at 6:58 pm

    Hi, I do all the steps, have the code but after copy-paste it says “Your IP address cannot use this invite code”. Anyone have a solution for that? Thanks and good walkthrough
  • March 8, 2019 at 5:53 am

    Out of all the walkthroughs and Solutions I’ve read after “solving” the “HackTheBox invite process” challenge, I must say that yours was the most intuitive and detail-oriented write-up I read. Kudos, man. Big fan of the articles here.
    • March 8, 2019 at 8:29 am

      Thank you John! Feedback like this is highly appreciated!
