Kwok with a Blog

The official blog belonging to Anthony Kwok

Get Access to HackTheBox

To all future pentesters out there, here is how to get access to one of the best resources in Offensive Security.

Note: I highly recommend you actually try to figure this out yourself before continuing to read this post. This "entrance exam" isn't terribly hard to figure out on your own even if you're a complete novice. I presume if you're reading this then you're at the point where you've failed a considerable number of times and would like to figure out how to get the access code, or you just like reading my blog. Keep in mind my way is not the only way.

What is Hack The Box?

It is an online platform to test your skills in penetration testing, offensive security, and cyber security. It contains hundreds of challenges that are constantly updated. Some of them are practical, real-world scenarios whilst others lean towards a jeopardy-style CTF challenge. The challenges range from novice to seasoned veteran, so I recommend having a strong base in network or web security. If you're a seasoned CTF player, HackTheBox is also a good platform for you to test your skills. There is one catch: in order to get access to this platform, you have to "hack" your way in. Each individual must obtain an invite code that is unique to them. Basically, to get the access code, you need to pass a pretty easy Web CTF challenge.

So How Does One Get that Access Code?

HackTheBox Webpage

So this is the Website when you first visit the page. Here are the steps.

1. First, visit the Hack the Box forums to see how to get started for newbies.

2. If you try to sign up at HackTheBox, you will see that the page asks for an invite code.

3. Open developer tools by right-clicking on the page and selecting Inspect Element. You can also press Ctrl+Shift+I in either Chrome or Firefox.

4. By inspecting the Elements of the webpage, we can see the page is loading a script called /js/inviteapi.min.js.

HackTheBox Sign Up page

5. So if you go to https://www.hackthebox.eu/js/inviteapi.min.js, you will see a JavaScript file like this.

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}',24,24,'response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify'.split('|'),0,{}))

6. I've highlighted makeInviteCode since it looks promising. Let's go back to the invite page to see what it does.

7. On the invite page, go to the console tab in Developer tools (Ctrl+Shift+I) and type makeInviteCode() and press ENTER. You will get a response with a 200 Success status code and data as shown below.

HackTheBox Make Invite Code Data

8. As seen in the image, the encoding is Base64, so let's decode this message with a Base64 decoder. I used https://www.base64decode.org/

9. Paste the copied text into the decoder as shown below.

HackTheBox Make Invite Code Base64

10. Thus in order to get the invite code, we need to make a POST request to https://www.hackthebox.eu/api/invite/generate.

11. Fire up the terminal of your choice and make a POST request using curl by typing

curl -XPOST https://www.hackthebox.eu/api/invite/generate

12. You will get a success message that looks something like this.

{"success":1,"data":{"code":"somerandombase64characters=","format":"encoded"},"0":200}

13. As you can see, we have another Base64 encoded string. So run that through https://www.base64decode.org/ again.

14. Paste in the code that you got as the response of the POST request in Step 11. Tadah! You get your invite code.

15. Now go back to https://www.hackthebox.eu/invite and paste in the result in Step 14.

16. Now you can proceed to normal sign up and get access to all the Virtual Machines and challenges Hack The Box has to offer.
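
The packed script from step 5 can be read without ever running its eval(). The JavaScript below is an added example, not part of the original walkthrough or Hack The Box's own code; it reverses the packer's keyword substitution using the payload, radix and keyword list copied from step 5. The helper names unpack and summarize are made up for this example.

```javascript
// Added example: statically unpack the p,a,c,k,e,d-wrapped script from step 5.
// Nothing here calls eval(); the packed text is only treated as a string.

// Copied from the page: packed payload, radix (24) and keyword table.
const PAYLOAD = `1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:'/d/e/n',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:'/d/e/k/l/m',c:1(0){3.2(0)},f:1(0){3.2(0)}})}`;
const RADIX = 24;
const KEYWORDS = ('response|function|log|console|code|dataType|json|POST|' +
  'formData|ajax|type|url|success|api|invite|error|data|var|' +
  'verifyInviteCode|makeInviteCode|how|to|generate|verify').split('|');

// Every \w+ token in the payload is an index into the keyword table, written
// in base `radix`. This sketch only handles radix <= 36, as used on the page.
function unpack(payload, radix, keywords) {
  return payload.replace(/\b\w+\b/g, (token) => {
    const index = parseInt(token, radix);
    const roundTrips = !Number.isNaN(index) && index.toString(radix) === token;
    // Keep the token untouched if it is not a clean index or the slot is empty.
    return roundTrips && keywords[index] ? keywords[index] : token;
  });
}

// Extract what a reviewer wants to know: named functions and the URLs they call.
function summarize(source) {
  const functions = [...source.matchAll(/function (\w+)\(/g)].map((m) => m[1]);
  const endpoints = [...source.matchAll(/url:'([^']+)'/g)].map((m) => m[1]);
  return { functions, endpoints };
}

const unpacked = unpack(PAYLOAD, RADIX, KEYWORDS);
console.log(unpacked);
console.log(summarize(unpacked));
```

The same approach works for reviewing any script wrapped by this packer: read the substituted source as text instead of letting the browser execute it.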

I hope this has helped. Please share this with anyone who is interested in hacking or cyber security.
Happy Hacking