Hack The Box - How to hack in to the game ;)



First of all, let's see what Hack The Box is 😎😎😎

"Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated. Some of them simulating real world scenarios and some of them leaning more towards a CTF style of challenge.
As an individual, you can complete a simple challenge to prove your skills and then create an account, allowing you to connect to Hack The Box's private network (HTB Labs) where several machines await for you to hack them. By hacking machines you get points that help you advance in the Hall of Fame."

When you scroll down the page, you will be asked to click a button to join HTB. Go ahead and click it; this is the first step to getting an invite code.

After you click it, you will end up on a page like this, asking for an invite code, which you won't have.


Don't get confused, let's find that invite code. All we've got is this page, so let's inspect the elements of this web page by either:
        1) right click -> Inspect
        2) F12 on Chrome and Firefox

Looking at the elements of this web page, you will see a JavaScript file named js/inviteapi.min.js that looks malicious. Let's go to that.



You will see the JS file like this:


Can you see the function named makeInviteCode? It looks pretty malicious to me. Let's try that function on the invite web page.
Go to the invite page and, in the console, run the command makeInviteCode(). Let's see what happens.....😉


Oh, it executed 😎😎
Let's see what the function generated by examining the body of the response.
Ooh, what is this? The body contains some encoded data, along with the encoding mechanism that was used. This looks interesting 🤷🤷 🤷

Let's decode the data using an online tool and see what this is.
I found a decoder online and used it to decode my data, then I got this.

It says that you need to make a POST request to https://www.hackthebox.eu/api/invite/generate to generate the invite code. Let's do it then 😎😎😎

Fire up the terminal and type curl -XPOST https://www.hackthebox.eu/api/invite/generate and it will return a success response with some data.

It has a field named code, but it says the data is encoded. 😒😒
No worries, let's try a base64 decoder to decode the data.

Yes! We got a result, and it actually looks like an invite code 😍😍
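The two decoding steps above can be done locally instead of pasting data into an online decoder. This is an added example, not code from the original post or from Hack The Box: the field names `data` and `enctype`, the sample values, and the choice of ROT13 as a second encoding are assumptions, since the post only names Base64.

```javascript
// Added example (runs under Node.js): decode a payload that names its own
// encoding. Field names and sample values are constructed for illustration,
// not captured from the site.

// ROT13: rotate each ASCII letter 13 places; other characters are unchanged.
function rot13(text) {
  return text.replace(/[a-zA-Z]/g, (ch) => {
    const base = ch <= "Z" ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Base64: validate first, because Buffer.from() silently skips bad characters
// and would return garbage instead of failing.
function base64Decode(text) {
  const s = text.trim();
  if (s.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(s)) {
    throw new Error("not valid Base64");
  }
  return Buffer.from(s, "base64").toString("utf8");
}

// Map from the encoding label in the payload to its decoder.
const DECODERS = { ROT13: rot13, BASE64: base64Decode };

// Pick the decoder named by the payload; refuse labels we do not know.
function decodePayload(payload) {
  const label = String(payload.enctype || "").toUpperCase();
  const decoder = DECODERS[label];
  if (!decoder) throw new Error(`unknown encoding: ${payload.enctype}`);
  return decoder(String(payload.data));
}

// Constructed samples, one per encoding.
const samples = [
  { data: "Uryyb, jbeyq", enctype: "ROT13" },
  { data: "RVhBTVBMRS1DT0RFLTEyMzQ1", enctype: "BASE64" },
];
for (const s of samples) console.log(s.enctype, "->", decodePayload(s));
```

Both encodings are reversible without a key, which is why anything a page's JavaScript can fetch and decode is readable by whoever opens the console.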

Let's try the code on the web portal to sign up.

Wow, it actually worked! Now you can simply register on HTB and keep hacking stuff.

Now:
        1) Fill in the info
        2) Register on HTB
Then...........

Happy Hacking !

