How to approach it ?
Hackthebox.eu doesn’t allow you to register. The only way to sign up is by having an insider to provide you with an invite code or hack your way in.
I don’t have someone to provide me an invite code so I have to hack me way in.
I start off by analyzing the source code of the Invite Code form, where I find an interesting javascript inviteapi.min.js
I see that the file makes an interesting post request makeInviteCode()
I run it on the console of inspect elements, and I was able to pull up some interesting data:
There is a string encoded on base64. By doing a google search of base64 to text, I end up at https://www.base64decode.org/ and was able to decode the string:
Base64:
“SW4gb3JkZXIgdG8gZ2VuZXJhdGUgdGhlIGludml0ZSBjb2RlLCBtYWtlIGEgUE9TVCByZXF1ZXN0IHRvIC
9hcGkvaW52aXRlL2dlbmVyYXRl”
Text:
In order to generate the invite code, make a POST request to /api/invite/generate
That is great news. Now I need to send a POST request in order to generate an invite code.
On Firefox browser, I used the pentest add-on called hack bar to execute the post request.
As the following shows I got an error message: “Whoops something went wrong”
Now I do the post request:
Where we get the invite key but is encoded in base64:
TlRIRUYtT1dVWFktWkFCRlMtS1BTTlctQlBZWEc=
Solution | Invite Code
Again I used the website to decode and get the following result.
NTHEF-OWUXY-ZABFS-KPSNW-BPYXG
And Uala, I’m in. Now I can finally register 😉
Tip: After filling out the form don’t look for a submit button, just hit ENTER
thanks so much man.. this was a great help 🙂
Glad that it helped 🙂
Thanks for the explanation, I feel like a noob. lol My JS skills are mad weak, comming from a straight Python background =/ Can you explain to me how you initially were able to tell that theres post request to the function “makeInviteCode”? … My first instinct was to use inspector, I opened up ‘.*inviteapi.*’ , so from that point of the proccess, how would you explain it to a noob (me) how you ascertained the request ? like some deobs?
I am no expert either, but the function is served in a silver platter in plain English. What else could “makeInviteCode” do? I ran it, and I got a base 64 code. That simple 🙂
Hi there,
First of all, thanks for your post which would be helpful. However, in my case, this did not work and invite code which has been decoded was mentioned as an invalid one.
Maybe am I missing some point from your post?
You will need to follow thought the steps and generate your own invite code as the way it works, is IP-based only. The code I posted here will not work for you.
I keep getting error that “Your IP address can not use this code”. I tried it on home network,company network even on my mobile network but getting same error. If i am entering any other code it says code is not right means i have generated right code when i get error””Your IP address can not use this code”. Steps provided by you are very easy and i am not doing any mistake 🙂 . Please suggest …
If you generate your own IP based code, you should not get that error message. Let me know your results.
Thanks!
https://www.hackthebox.eu/api/invite/generate
i want to get the invite code
Thanks!!
not happening
Hi,
I just wanted clarification on this please.
When you said ‘makeinvitecode’ you stated the next step was
‘I run it on the console of inspect elements, and I was able to pull up some interesting data:’
What did you mean by run it on the console of inspect elements? I am new and may be misunderstanding this.
Thank you
Thank you for your comment and sorry for my late reply.
I performed the hack using Google Chrome Browser.
When you open the page https://www.hackthebox.eu/invite and right click on top of the “Invite Code” box, you will see that on the right side, the developers menu will open, with the tabs on top “Elements”, “Console”, “Sources”, etc.
Click on the “Console” tab and on the bottom you will see the cursor sign “>”, there you will type “makeInviteCode()”, and hit “Enter”.
You will get a “200, Success ” message. Drop down the arrow and you will see the base 64 data string there.
Let me know if it worked for you.
Wow! This is great. I need to study hard. I feel dumb. Thanks for this
Thanx
When i register it shows me The g-recaptcha-response field is required. how can i bypass that?
since there is no field of recaptcha.
Thank you
That’s because it has a re-captcha. You will need to do the captcha as well.
Bypassing the captcha is not part of the challenge.
The problem is that some of you are using two different IP addresses. That is all I am going to tell you. You need to figure out how you are using two different IPs, and why it matters.
hello everyone thanks for approve
hi 🙂 bross 🙂
It’s 2020, and I need to get the invite code. How do I do that? It changes every week, right? Do I do the smae thing?
hi guys :). I am looking for help for me and my girl. i am from France
Did the tutorial work for you? Where are you stuck and need help?
I’m new in learning hacking or pentesting. When I open invite code box for login then i write script in place of invite code and my ip blocked. Now I want to join my console giving error for null and cookies blocked me. How can i join now and how my ip will be unblock?
Kindly help me. Thanks
Hi Nazeer,
Thank you for your comment. You need to go to Invite Endpoint and then open inspect elements and enter
makeInviteCode()
, drop down and decode the base64 code.Hope it helps.
TIP:You can skip this part and jump directly to the part where you send a post request to
/api/invite/generate
endpoint