Hack the Box - Invite

Yet another CTF site, starting off with hacking the invite code

I stumbled across yet another CTF / pentesting site that looked interesting and got to work. The very first challenge is to "hack" the invite process. Seems like you can acquire an invitation code rather easily.

Looking at the JavaScript included in the invite page reveals this:

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}',24,24,'response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify'.split('|'),0,{}))

Which, with a little reformatting, looks like this:

eval(
    function(p,a,c,k,e,d) {
        e = function(c) {
            return c.toString(36)
        };
        if (!''.replace(/^/,String)) {
            while (c--) {
                d[c.toString(a)] = k[c] || c.toString(a)
            }
            k = [function(e) {
                return d[e]
            }];
            e = function() {
                return'\\w+'
            };
            c=1
        };
        while (c--) {
            if (k[c]) {
                p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])
            }
        }
        return p
    }('1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}',24,24,'response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify'.split('|'),0,{}))

Which, when executed, generates:

"function verifyInviteCode(code){var formData={"code":code};$.ajax({type:"POST",dataType:"json",data:formData,url:'/api/invite/verify',success:function(response){console.log(response)},error:function(response){console.log(response)}})}function makeInviteCode(){$.ajax({type:"POST",dataType:"json",url:'/api/invite/how/to/generate',success:function(response){console.log(response)},error:function(response){console.log(response)}})}"

Cleaned up, that is:

function verifyInviteCode(code) {
    var formData = {
        "code":code
    };
    $.ajax({
        type:"POST",
        dataType:"json",
        data:formData,
        url:'/api/invite/verify',
        success: function (response) {
            console.log(response)
        },
        error: function (response) {
            console.log(response)
        }
    })
}
function makeInviteCode() {
    $.ajax({
        type:"POST",
        dataType:"json",
        url:'/api/invite/how/to/generate',
        success: function (response) {
            console.log(response)
        },
        error: function (response) {
            console.log(response)
        }
    })
}
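
The same source can be recovered without running `eval` on the page's script, by parsing the packer call's arguments as text and repeating its word substitution. This is an added example, not code from the original post or from Hack the Box; `parsePacked`, `unpack` and `quotedPaths` are names chosen here, and the parser assumes the single-quoted argument layout seen in this sample with a radix of at most 36.

```javascript
// Statically unpack a "p,a,c,k,e,d" script: read the call arguments as text
// and redo the word substitution. Nothing from the page is ever executed.

// Argument tail of the packed script shown above (packer function body omitted).
const PACKED_TAIL = String.raw`}('1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}',24,24,'response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify'.split('|'),0,{}))`;

// Pull payload, radix, count and keyword list out of the source text.
function parsePacked(source) {
    const re = /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;
    const m = re.exec(source);
    if (!m) throw new Error('not a recognised p,a,c,k,e,d call');
    return {
        // Simplification: only backslash-quote and backslash-backslash escapes are undone.
        payload: m[1].replace(/\\(.)/g, '$1'),
        radix: Number(m[2]),
        count: Number(m[3]),
        keywords: m[4].split('|'),
    };
}

// Rebuild the original source from the parsed arguments.
function unpack({ payload, radix, count, keywords }) {
    if (radix > 36) throw new RangeError('radix above 36 is not handled in this example');
    const dict = new Map();
    for (let i = 0; i < count; i++) {
        const token = i.toString(radix);        // same key the packer builds: c.toString(a)
        dict.set(token, keywords[i] || token);  // empty keyword: the token stands for itself
    }
    // One pass over every word; unlike the packer, unknown words are left unchanged.
    return payload.replace(/\b\w+\b/g, (w) => (dict.has(w) ? dict.get(w) : w));
}

// List quoted absolute paths in the recovered source (here, the API routes it calls).
function quotedPaths(source) {
    return Array.from(source.matchAll(/(['"])(\/[^'"]*)\1/g), (m) => m[2]);
}

const unpacked = unpack(parsePacked(PACKED_TAIL));
console.log(unpacked);
console.log(quotedPaths(unpacked));
```

`parsePacked` also accepts the full packed line, since the regular expression anchors on the `}('` that closes the packer function.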

OK, so it looks like makeInviteCode should do something interesting. Calling it returns:

{
    "success":1,
    "data": {
        "data":"SW4gb3JkZXIgdG8gZ2VuZXJhdGUgdGhlIGludml0ZSBjb2RlLCBtYWtlIGEgUE9TVCByZXF1ZXN0IHRvIC9hcGkvaW52aXRlL2dlbmVyYXRl",
        "enctype":"BASE64"
    },
    "0":200
}

Base64 decoding shows "In order to generate the invite code, make a POST request to /api/invite/generate". Alright, easy enough. Making the call gets us an encoded invite code ;)

{
    "success":1,
    "data": {
        "code":"ABCDEFGHIJKLMNOP12345=",
        "format":"encoded"
    },
    "0":200
}

(I've changed the result here, generate your own invite code!)