Open the site and click Join Now

www.hackthebox.eu

Getting an invite code

Open the browser console

Following the hint printed in the console, we learn that the current page contains an interesting JS file; find it to get the next piece of information.

Look at the contents of the site's JS files

We find inviteapi.min.js; the name suggests it is related to the invite API. Its content is:

//This javascript code looks strange...is it obfuscated???

eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0 3(){$.4({5:"6",7:"8",9:\'/b/c/d/e/f\',g:0(a){1.2(a)},h:0(a){1.2(a)}})}',18,18,'function|console|log|makeInviteCode|ajax|type|POST|dataType|json|url||api|invite|how|to|generate|success|error'.split('|'),0,{}))

Reading the JS, we learn the following:

  • This JS code looks unusual
  • eval means the code is executed directly
  • Split the code above into the function body and its arguments
  • Function body
function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}
  • Arguments
('0 3(){$.4({5:"6",7:"8",9:\'/b/c/d/e/f\',g:0(a){1.2(a)},h:0(a){1.2(a)}})}',18,18,'function|console|log|makeInviteCode|ajax|type|POST|dataType|json|url||api|invite|how|to|generate|success|error'.split('|'),0,{})

Run the JS in the console

  • Declare the function
function test(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}
  • Call the function
test('0 3(){$.4({5:"6",7:"8",9:\'/b/c/d/e/f\',g:0(a){1.2(a)},h:0(a){1.2(a)}})}',18,18,'function|console|log|makeInviteCode|ajax|type|POST|dataType|json|url||api|invite|how|to|generate|success|error'.split('|'),0,{})

Call the API to find out how to generate the invite code

$ curl -X POST https://www.hackthebox.eu//api/invite/how/to/generate
{"success":1,"data":{"data":"SW4gb3JkZXIgdG8gZ2VuZXJhdGUgdGhlIGludml0ZSBjb2RlLCBtYWtlIGEgUE9TVCByZXF1ZXN0IHRvIC9hcGkvaW52aXRlL2dlbmVyYXRl","enctype":"BASE64"},"hint":"Data is encrypted \u2026 We should probably check the encryption type in order to decrypt it\u2026","0":200}
  • Base64-decode the data field above to get:
In order to generate the invite code, make a POST request to /api/invite/generate

Generate the invite code

$ curl -X POST https://www.hackthebox.eu/api/invite/generate
{"success":1,"data":{"code":"R0pFQUUtRlFMU1ctTENUQVAtUEpMT1otUVdCU1U=","format":"encoded"},"0":200}
  • Base64-decode the code field above to get the invite code:
GJEAE-FQLSW-LCTAP-PJLOZ-QWBSU
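The whole chain above can be reproduced without ever passing the obfuscated script to eval, which is the safer way to analyse unknown JavaScript. The following is an added example, not code from the original post or from Hack The Box: it reimplements the dictionary substitution performed by the p,a,c,k,e,r stub, pulls the API path out of the unpacked source, and base64-decodes the two API responses quoted in the post. It assumes Node.js (for Buffer) and, as the post did, treats the "format":"encoded" response the same way as "enctype":"BASE64". No network request is made; the packed string, word list and responses are the ones shown above.

```javascript
// Added example (not from the original post): statically unpacks a
// p,a,c,k,e,r payload and decodes the BASE64 API responses, so the
// obfuscated script never has to be eval'd. Sample inputs are the
// values shown in the post.

// Dictionary-based unpacker: token i (written in base `radix`) maps to
// words[i]; an empty dictionary entry means the token stands for itself,
// exactly like the stub's `k[c] || e(c)`.
function unpackPacker(packed, radix, count, words) {
  const dict = new Map();
  for (let i = 0; i < count; i++) {
    const token = i.toString(radix);
    dict.set(token, words[i] || token);
  }
  // Same replacement rule the packed stub applies with \b\w+\b.
  return packed.replace(/\b\w+\b/g, (tok) => (dict.has(tok) ? dict.get(tok) : tok));
}

// Collect every `url:'...'` / `url:"..."` value from the unpacked source.
function extractUrls(source) {
  const re = /url:\s*(['"])([^'"]+)\1/g;
  const urls = [];
  let m;
  while ((m = re.exec(source)) !== null) urls.push(m[2]);
  return urls;
}

// The API answers with either {data, enctype:"BASE64"} or
// {code, format:"encoded"}; decode only when the declared encoding is
// one we recognise (assumption: "encoded" means base64, as in the post).
function decodeApiData(payload) {
  const enc = (payload.enctype || payload.format || '').toUpperCase();
  if (enc !== 'BASE64' && enc !== 'ENCODED') {
    throw new Error(`unsupported encoding: ${enc}`);
  }
  const field = payload.data !== undefined ? payload.data : payload.code;
  return Buffer.from(field, 'base64').toString('utf8');
}

// Inputs copied from the post's inviteapi.min.js.
const PACKED = '0 3(){$.4({5:"6",7:"8",9:\'/b/c/d/e/f\',g:0(a){1.2(a)},h:0(a){1.2(a)}})}';
const WORDS = 'function|console|log|makeInviteCode|ajax|type|POST|dataType|json|url||api|invite|how|to|generate|success|error'.split('|');

// Responses quoted in the post; decoded locally, no request is sent.
const HOW_TO_RESPONSE = {
  data: 'SW4gb3JkZXIgdG8gZ2VuZXJhdGUgdGhlIGludml0ZSBjb2RlLCBtYWtlIGEgUE9TVCByZXF1ZXN0IHRvIC9hcGkvaW52aXRlL2dlbmVyYXRl',
  enctype: 'BASE64',
};
const CODE_RESPONSE = { code: 'R0pFQUUtRlFMU1ctTENUQVAtUEpMT1otUVdCU1U=', format: 'encoded' };

function run() {
  const source = unpackPacker(PACKED, 18, 18, WORDS);
  const urls = extractUrls(source);
  const howTo = decodeApiData(HOW_TO_RESPONSE);
  const code = decodeApiData(CODE_RESPONSE);
  return { source, urls, howTo, code };
}

console.log(run());
```

Running the file prints the readable makeInviteCode function, the /api/invite/how/to/generate path it calls, the decoded instruction and the decoded invite code. The unpacker is generic: any payload using the same stub can be fed to unpackPacker with its own radix, count and word list, which is the usual first step when triaging a minified or packed script.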