How to Hack ‘Hack the Box’

Nipuna Dilhara
Dec 29, 2019

‘Hack the Box’ is a well-known penetration testing platform used by cybersecurity professionals and practitioners all around the globe. It contains a set of vulnerable machines that you can use to boost your cybersecurity skills.

Ok. Shall we start to use it?

No! We cannot just go to the site and start using it.

You have to take the Invite Challenge first and hack your way in to get the invitation code. Here is the link.

So where do we start?

Let’s start by analyzing the page source. Just right-click on the page and go to ‘Inspect’ (or simply press Ctrl+Shift+I).

It seems like there is a set of JavaScript files available in the js folder.

<script src="https://www.hackthebox.eu/js/htb-frontend.min.js"></script>
<script defer src="/js/inviteapi.min.js"></script>
<script defer src="https://www.hackthebox.eu/js/calm.js"></script>

Let’s check the first one ‘htb-frontend.min.js’.

Hmm… Just a bunch of code. Still no luck.

Let’s move to the next one ‘inviteapi.min.js’.

That’s interesting. We have got a couple of clues to move forward.

eval(function(p, a, c, k, e, d) {
    e = function(c) {
        return c.toString(36)
    };
    if (!''.replace(/^/, String)) {
        while (c--) {
            d[c.toString(a)] = k[c] || c.toString(a)
        }
        k = [function(e) {
            return d[e]
        }];
        e = function() {
            return '\\w+'
        };
        c = 1
    };
    while (c--) {
        if (k[c]) {
            p = p.replace(new RegExp('\\b' + e(c) + '\\b','g'), k[c])
        }
    }
    return p
}('1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}', 24, 24, 'response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify'.split('|'), 0, {}))
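The packed script can also be read without letting the browser eval it. The following is an added example, not code from the original post or from Hack the Box: it applies the same word substitution as the wrapper above but returns the source as a string. The names `unpack` and `extractEndpoints` are hypothetical, and it assumes a pack of at most 36 words, as is the case here.

```javascript
// Static unpacker for the eval(function(p,a,c,k,e,d){...}) wrapper above.
// It performs the same token-to-word substitution but never evaluates the result.
function unpack(payload, words) {
  if (words.length > 36) {
    throw new RangeError("this variant only handles packs of up to 36 words");
  }
  const dict = new Map();
  words.forEach((word, i) => {
    const token = i.toString(36);   // same token scheme as e(c) in the wrapper
    dict.set(token, word || token); // an empty slot means the token stands for itself
  });
  // One pass over every word-like token, mirroring the wrapper's fast path.
  return payload.replace(/\b\w+\b/g, (tok) => (dict.has(tok) ? dict.get(tok) : tok));
}

// List the url: '...' values in the unpacked source (hypothetical helper).
function extractEndpoints(source) {
  return [...source.matchAll(/url:\s*'([^']+)'/g)].map((m) => m[1]);
}

// Payload and word list copied from the packed script shown above.
const PACKED = `1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:'/d/e/n',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:'/d/e/k/l/m',c:1(0){3.2(0)},f:1(0){3.2(0)}})}`;
const WORDS = "response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify".split("|");

const unpacked = unpack(PACKED, WORDS);
console.log(unpacked);
console.log(extractEndpoints(unpacked));
```
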

It seems like there are some callable functions, such as ‘verifyInviteCode’ and ‘makeInviteCode’. We might be able to get results from one of these. Let’s first check the implementation of the most promising function, ‘makeInviteCode’.

How are we going to do that?

Just open the ‘Console’ tab of the ‘Inspect’ view and type the function name ‘makeInviteCode’.

What the hell is that Skull image?

Anyway, it seems like we have got the js file content which includes the ‘makeInviteCode’ function.

function verifyInviteCode(code) {
    var formData = {
        "code": code
    };
    $.ajax({
        type: "POST",
        dataType: "json",
        data: formData,
        url: '/api/invite/verify',
        success: function(response) {
            console.log(response)
        },
        error: function(response) {
            console.log(response)
        }
    })
}
function makeInviteCode() {
    $.ajax({
        type: "POST",
        dataType: "json",
        url: '/api/invite/how/to/generate',
        success: function(response) {
            console.log(response)
        },
        error: function(response) {
            console.log(response)
        }
    })
}

This shows that the ‘makeInviteCode’ has been implemented to send a POST request to the HTTP path ‘/api/invite/how/to/generate’. So let’s curl it and check whether we are lucky to get something.

curl -X POST https://www.hackthebox.eu/api/invite/how/to/generate

This gave the following result:

{"success":1,"data":{"data":"Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb \/ncv\/vaivgr\/trarengr","enctype":"ROT13"},"0":200}

It seems like the value of ‘data’ has been encoded using the ‘ROT13’ algorithm, as the ‘enctype’ field indicates.

Let’s decode the result by using an online tool such as ‘CyberChef’. ‘CyberChef’ is a commonly used platform for encoding and decoding, and more importantly, it supports many algorithms. You can just search for ‘ROT13’, drag and drop it into the ‘Recipe’ section, and paste the encoded value into the ‘Input’ section. You will get the decoded result in the ‘Output’ section.

In order to generate the invite code, make a POST request to \/api\/invite\/generate

Ok. Fine. Now we have to make another API call.

As a side note, please note that even though I got ‘ROT13’ above, there is a possibility that you will get a different algorithm. In that case, you have to use the corresponding decoder. When I ran the same ‘curl’ command a second time, I got the result encoded in ‘Base64’ instead of ‘ROT13’.

Ok, where did we stop?

Yeah. Now we have to call ‘api/invite/generate’.

Here is the curl:

curl -X POST https://www.hackthebox.eu/api/invite/generate

and here is the result:

{"success":1,"data":{"code":"V1NHSU0tQkdFUVctUkdFVUYtUlFVV0gtWkZJWUY=","format":"encoded"},"0":200}

Simple as that!

Now we have another encoded result ‘V1NHSU0tQkdFUVctUkdFVUYtUlFVV0gtWkZJWUY=’.

It looks like a Base64 encoded value.

How did I guess that?

I have seen that, in many cases, Base64-encoded data ends with one or two ‘=’ signs, which are collectively called the ‘tail’. In Base32, this tail is longer than in Base64.

You can still use ‘CyberChef’ for this. Just drag and drop ‘From Base64’ into the recipe and give it the input value.

Here’s the output value I got.

WSGIM-BGEQW-RGEUF-RQUWH-ZFIYF
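Both decoding steps, the hint whose ‘enctype’ can vary and the Base64 invite code, can be done locally instead of in an online tool. This is an added example, not code from the original post or from Hack the Box; the function names are hypothetical, and the ‘BASE64’ enctype label is an assumption, since the post only shows the ‘ROT13’ response.

```javascript
function rot13(text) {
  return text.replace(/[a-zA-Z]/g, (ch) => {
    const base = ch <= "Z" ? 65 : 97; // char code of 'A' or 'a'
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Structural check behind the "ends with =" heuristic: Base64 alphabet only,
// length a multiple of 4, at most two '=' and only at the very end.
function looksLikeBase64(text) {
  return text.length % 4 === 0 && /^[A-Za-z0-9+\/]+={0,2}$/.test(text);
}

function decodeBase64(text) {
  if (!looksLikeBase64(text)) throw new Error("value is not well-formed Base64");
  return Buffer.from(text, "base64").toString("utf8");
}

// Pick the decoder from the response's own metadata instead of guessing.
function decodeInviteResponse(raw) {
  const body = JSON.parse(raw); // parsing also turns the JSON escape \/ back into /
  if (!body || body.success !== 1 || typeof body.data !== "object" || body.data === null) {
    throw new Error("unexpected response shape");
  }
  const { data, enctype, code, format } = body.data;
  if (typeof data === "string") {
    const scheme = String(enctype).toUpperCase();
    if (scheme === "ROT13") return rot13(data);
    if (scheme === "BASE64") return decodeBase64(data); // assumed label, not shown in the post
    throw new Error(`unsupported enctype: ${enctype}`);
  }
  if (typeof code === "string" && format === "encoded") return decodeBase64(code);
  throw new Error("no encoded field in response");
}

// The two response bodies quoted in this post, kept as raw JSON text.
const HINT_RESPONSE = String.raw`{"success":1,"data":{"data":"Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb \/ncv\/vaivgr\/trarengr","enctype":"ROT13"},"0":200}`;
const CODE_RESPONSE = String.raw`{"success":1,"data":{"code":"V1NHSU0tQkdFUVctUkdFVUYtUlFVV0gtWkZJWUY=","format":"encoded"},"0":200}`;

console.log(decodeInviteResponse(HINT_RESPONSE));
console.log(decodeInviteResponse(CODE_RESPONSE));
```

Because the response is parsed as JSON first, the decoded hint contains plain ‘/’ characters rather than the ‘\/’ escapes seen when the raw string is pasted into a decoder.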

We have DONE it.

Now we have our invitation code. You can simply go to the invite page, and submit the invitation code which we just got.

THAT’S IT. WE ARE IN.

Now you can create an account and log in using it.

Here you have a bunch of vulnerable machines, CTF challenges and many other tasks to heighten your skills. Just explore the site and do whatever you want.

Happy Hacking.
