JustForFun

HackTheBox Lab – Invite Code Write-Up


Last updated 5 years ago


A friend showed me this lab. I have just started solving the HTB Lab, and I will share the solutions step by step. The lab has 20 machines, both Linux and Windows. The registration is the most fun I have ever seen.

I will explain the first challenge: the invite code.

First, you should invite yourself.

Actually, there is no one sending the invite code. You should invite yourself. Search for inviting.

I found a hint in the JavaScript console. A skull was waiting for me.

I reviewed the JS files, especially /js/inviteapi.min.js.

  1. I typed this function name in the console. And SURPRISE!

I decoded the data with base64.

  1. I prepared a POST request to /api/invite/generate.

I found a new code in the JSON response.

I decoded the new code with base64.
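The two decode steps above, replayed offline as an added example (not code from the original post or from HTB). The JSON shapes, the field names `data` and `code`, and both sample values are constructed assumptions; the point is that Base64 is a reversible encoding, so anything a client receives this way is readable by the client.

```javascript
// Added example: offline replay of the two Base64 decode steps on constructed data.
// Field names ("data", "code") and response shapes are assumptions, not HTB's real API.

// Strict decoder: Buffer.from(..., 'base64') silently skips invalid characters,
// so check alphabet, length and padding before trusting the decoded text.
function decodeBase64Strict(text) {
  if (typeof text !== 'string' || text.length === 0 || text.length % 4 !== 0 ||
      !/^[A-Za-z0-9+\/]+={0,2}$/.test(text)) {
    throw new Error('not canonical Base64');
  }
  const bytes = Buffer.from(text, 'base64');
  // Round-trip comparison rejects inputs with stray padding bits.
  if (bytes.toString('base64') !== text) throw new Error('non-canonical Base64');
  return bytes.toString('utf8');
}

// Find a named string field at the top level or one level down in a JSON body.
function extractField(body, name) {
  const doc = JSON.parse(body);
  const nested = Object.values(doc).filter(v => v && typeof v === 'object');
  for (const obj of [doc, ...nested]) {
    if (typeof obj[name] === 'string') return obj[name];
  }
  throw new Error(`field "${name}" not found`);
}

function decodeStep(body, field) {
  return decodeBase64Strict(extractField(body, field));
}

// Constructed sample bodies (built here so the example runs offline).
const enc = s => Buffer.from(s, 'utf8').toString('base64');
const hintBody = JSON.stringify({ data: enc('Send a POST request to /api/invite/generate') });
const codeBody = JSON.stringify({ success: 1, data: { code: enc('EXAMPLE-INVITE-CODE') } });

console.log('step 1 hint:', decodeStep(hintBody, 'data'));
console.log('step 2 code:', decodeStep(codeBody, 'code'));
```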

Shall we begin! To be continued.

-EOF-

July 5 2017
