Box: TwoMillion
Level: Easy
OS: Linux
Let's get started
Recon
Port Scanning
command: sudo nmap -A 10.129.229.66 -v -p- -T4
From our nmap scan we have two open ports: port 22, which runs the SSH service, and port 80, which runs the HTTP service. Our enumeration today will focus on port 80.
Enumeration
Navigate to the webpage
Let's add that domain name to our /etc/hosts file and then navigate back there
nice
When we try to join HTB, we get this
So we have to supply an invite code. Brute-forcing it might seem like an option, but we don't know the length of the code.
Checking the page source
That is the JavaScript file loaded by the /invite page that has to do with invite codes
Let's check the content of that file
From the above screenshot you can see the JavaScript function makeInviteCode
What we'll do now is go back to the /invite page, then execute this JavaScript function from the developer tools console
We got something that looks like a ROT13 cipher, so let's decode it using CyberChef
So, to generate the invite code we have to make a POST request to /api/v1/invite/generate
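The decoding step above can also be done locally instead of in CyberChef. This added example (not part of the original write-up or the box's code) goes slightly beyond ROT13 by trying all 26 Caesar shifts and picking the one that reads as English, which confirms the "looks like ROT13" guess; the SAMPLE ciphertext, the function names and the word list are constructed for illustration.

```javascript
// Added example: identify and undo a Caesar-family encoding such as ROT13.
// SAMPLE is a constructed ciphertext, not the box's actual response.
const SAMPLE = "Znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr";

// Shift every ASCII letter by n places, preserving case and leaving
// digits, slashes and other non-letters untouched.
function caesarShift(text, n) {
  return text.replace(/[a-z]/gi, (ch) => {
    const base = ch <= "Z" ? 65 : 97; // 'A' or 'a'
    return String.fromCharCode(((ch.charCodeAt(0) - base + n) % 26) + base);
  });
}

// ROT13 is the shift of 13: keyless and its own inverse.
const rot13 = (text) => caesarShift(text, 13);

// Crude English score: how many words are in a small common-word list.
// The list is an assumption chosen for this illustration.
const COMMON = ["the", "to", "a", "make", "request", "post", "in", "code"];
function englishScore(text) {
  const words = text.toLowerCase().split(/[^a-z]+/);
  return words.filter((w) => COMMON.includes(w)).length;
}

// Try every shift and keep the candidate that scores highest.
function bestShift(text) {
  let best = { shift: 0, score: -1, plain: text };
  for (let shift = 0; shift < 26; shift++) {
    const plain = caesarShift(text, shift);
    const score = englishScore(plain);
    if (score > best.score) best = { shift, score, plain };
  }
  return best;
}

const result = bestShift(SAMPLE);
console.log(`shift=${result.shift}: ${result.plain}`);
```

Because the transformation has no key, anything a page hides this way is readable by whoever loads it, so access control has to live on the server side.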
Let's capture this request using Burp Suite and send it over to Burp Repeater