Hacking into Hack The Box
Hack The Box is an online penetration testing platform where users can practice their hacking abilities and test their cybersecurity knowledge. What’s interesting is that in order to sign up to the site in the first place, you need to hack your way in. In this post, I’ll be showing how I managed to get in and what my thought process was along the way.
2022-12-10 Update: I noticed that hackthebox no longer requires users to solve a puzzle to register, so this post no longer applies :(
To sign up to the site, I was redirected to https://www.hackthebox.eu/invite. There is a single field that prompts for an invite code. Other than that, there are no clues on the surface.
Just looking at the names of the functions confirmed to me that I was on the right path. Since I needed an invite code, I decided to run
makeInviteCode() first in my browser’s console and got this JSON in return:
data clearly looks like encrypted text. And we even get the
enctype telling us what form of encryption was used: ROT 13. Once again, I opened up a new browser tab and searched for “ROT 13 decrypt”. I chose this website
Using the tool, I decrypted the string and got the result: “In order to generate the invite code, make a POST request to /api/invite/”
Now, to make a
POST request to
https://hackthebox.eu/api/invite/ I used HTTPie. It was as easy as running the following:
And I got the following JSON response:
The code appears to be encoded. Based on previous experience, encoded strings that end with a
= are generally encoded in base64. I could be wrong, but I decided to try decoding it as a base64 string anyway:
That looked like a code to me. I tried it on the form, and sure enough it worked! I was in.
It was a lot of fun trying to figure this out. That was the easiest part though. Next, I’ll try to root some actual machines in Hack The Box’s pentesting labs.