I recently stumbled upon a very useful list of pentesting practice resources. Amongst them was Hackthebox. I had heard that name a couple of times recently and thought I'd check it out. After reading a bit on their website I clicked the join button. Huh? Hack your way in? That certainly sounded interesting! I thought, "that will be easy for sure". Oh boy, was I wrong. In this tutorial, I will show you how to get a Hackthebox Invite Code.
But enough of that, that's not what you're here for.
No, really. Read this. I want to really encourage you to try this challenge by yourself. Make use of that thing sitting between your ears. If you can't solve a step on your own, don't look up the solution immediately. Take a break, have a look at web app security basics, and look at it again tomorrow with a fresh mind.
I will write this tutorial in a fashion that gives you only tips. You won't find the solution here; I will just point you in the right direction. Posting the actual solution defeats the purpose, and it's discouraged in the Hackthebox rules, so I will follow them.
If you are desperate for a solution, just go to another site, there are plenty providing it. If you really want to learn something, stick with me a little longer.
Step 1 / Tip 1 - Don't Overthink
The first mistake I made was overthinking the process. I tried all kinds of techniques that I know from my information gathering experience. That knowledge didn't really include web app security, so I struggled with how to get a Hackthebox invite code at first.
But since this is a web application, how high are the chances that a hint is hidden somewhere in the code of this simple invite page? You got that right: pretty damn high. In Firefox or Chrome, press F12 (or right-click the page and choose Inspect) and the developer tools open, giving you everything from the page source to the scripts it loads and the requests it sends.
Doing this reveals the code of the invite page, which looks like this:
I encourage you to go through all of the tabs and just get a feel for what you're looking at. Read the code a bit; maybe you'll recognize something of interest. The Console tab presents us with some solid advice:
Play with this a bit before heading to Step 2. Pay particular attention to the Inspector, Console, Debugger and Network tabs.
Step 2 / Tip 2 - Dig Deeper
Now that you have a direction, maybe you have already figured something out by looking at the different tabs and at the file names in the code. The Network tab logs every request the page makes. So if you type anything in the invite code field and hit Sign Up, the request it sends, with its URL, method and response, shows up there. Tick "Preserve log" (Chrome) or "Persist Logs" (Firefox) first so the entry survives a page reload. I'd encourage you to have a short look at this.
If you have found any interesting looking file names in the code, you are on the right track.
Step 3 / Tip 3 - Looks like we got a trail!
Sherlock Holmes would be on fire right now.
If you made it this far on your own, great! You are on to something. Now I want you to figure out how to run JavaScript functions from your Chrome / Firefox developer console. Giving a tip on this without spoiling the solution is tough. Only look up the next spoiler if you are completely stuck and can't figure out which code to run or how to run it within the console.
A hint: you need to be on the Console tab. Just start typing; the console autocompletes the names of functions and variables defined by the page's scripts, so something might pop up.
Analyze the code once you get this far. By now, if you have any prior pentesting experience, you should recognize which direction this is going.
Step 4 / Tip 4 - We are almost there
You are on your way to becoming a real hacker. After you have passed the challenge from Step 3, it's time to search the internet for how to make a POST request to a certain URL.
Put some effort into your search, it's out there! Using Linux will help you solve this step. Maybe hit up my Instagram account and learn some Linux basics!
You almost hold the Sword Excalibur in your hands. I mean, the invite code.
Step 5 / Tip 5 - How to get an Hackthebox invite code
If you have managed to solve Step 4, Step 5 should be easy for you! You are presented with another code. If you cheated your way through to here, shame on you, apprentice hacker! Where is your spirit?
If you came this far, congratulations! You have earned yourself a medal. I mean, you learned how to get a Hackthebox invite code! For me personally, it was an awesome challenge and opened my eyes a bit. It also showed me where I'm lacking. I learned how to brute force web login forms with Burp Suite. Yeah, I tried that out of desperation, but at the same time earned another valuable skill.
Challenges like this are made the way they are so that you practise your research skills, test, and fail. And fail you will, often. Hacking is about failing. We constantly fail. But eventually we pick up a new skill along the way that will help us in another scenario some day later.
Did you find the solution yourself? Where did you get stuck? Let me know in the comments below!