Hack The Box
Hack The Box is a website that gives people a great place to test their penetration testing (hacking) skills. They have a selection of different machines available that are vulnerable to different types of attacks. This site uses the capture the flag scoring mechanism, where you hack machines, get a "flag" from them, and submit it to their site for points.
In this article, I'll cover how to make an account on HTB.
Beginning
To begin on this challenge, we need to go to their website, hackthebox.eu, scroll down, and hit "join". This brings us to a page that requires an "invite code" to register, as seen below.
As a note, although this site requires an invite code, nobody will give you one. You're supposed to hack your way in.
The Chrome Developer Tools
Although most people have seen the Chrome Developer Tools by accident, many people have no clue what it is, or what can be done with them. The first challenge of this site, registering an account requires using it.
Let's get started by opening it up. To do this, you can either press F12
on the website (this works on all websites), or you can right click on something on the site, and click Inspect
.
Opening these tools will open a sidebar that looks like this.
This sidebar will allow us to look into all the stuff on the website, and allow us to interact with the webpage through the JavaScript console on the bottom right.
Using Chrome Developer Tools
To get started with the DevTools, we're going to switch to the "Sources" tab at the top. This will show us a list of all files that the website requires, sorted by domain. We're only going to look into the files served by www.hackthebox.eu
, so we'll expand that dropdown. We see that there's a js
folder, which should contain all of the JavaScript files served by the site, and click on inviteapi.min.js
.
By clicking on a file in this list, we'll view the contents of it, which can be useful for figuring out how it works.
Unfortunately, I'm seeing it start with eval(function(p,a,c,k,e,d)
, which means that the actual readable code has been "obfuscated", which just means hidden.
We need to get around this to find out how this script works. To do this, we're going to click on the curly braces button on the bottom left of the code box ({}
), which will format it to be a bit easier to deal with.
Notice that near the end, there's a line that says return p
. This means that this obfuscated code will unhide some of the hidden aspects of it, and return the unhidden parts.
This is likely going to return some functions that we need, so we have to find out what p
is.
Finding `p`
To do this, we will click on the line number next to return p
, and the line number will be marked with a flag. This flag is a "breakpoint", meaning that we'll let the code run normally, and when we get to this breakpoint, the program should pause and wait until we tell it to continue. This will allow us to look into what all of the variables are in the code, which should allow us to see the value of p
.
We'll hit refresh, and Chrome should stop on a screen that says Paused in debugger
, and the DevTools will look like this:
Notice that on the Scope
section, there is now data filling it. This Scope
section allows us to look at all the variables in the currently running code. Remember how we wanted to see what p
was? It's now shown here. We can see that p
equals:
function verifyInviteCode(code){var formData={"code":code};$.ajax({type:"POST",dataType:"json",data:formData,url:'/api/invite/verify',success:function(response){console.log(response)},error:function(response){console.log(response)}})}function makeInviteCode(){$.ajax({type:"POST",dataType:"json",url:'/api/invite/how/to/generate',success:function(response){console.log(response)},error:function(response){console.log(response)}})}
An Interesting Function
Just looking at this, I'm noticing that there are a bunch of custom program functions that the website is defining, including makeInviteCode()
, which looks helpful.
We're going to run this function manually. To do so, we hit F8
on our keyboard to let the program continue running. Now that the website is running normally again, we type makeInviteCode()
into the text box at the very bottom of the Devtools window so that we can run this custom function.
Upon hitting Enter
, we can see that it returned an array to us, which we can expand to view.
Base64
Looking at the output of that function, we can see that it gave us some data SW4gb...
, and says that the enctype
is BASE64
, which is a different way to encode text. Let's copy that data stuff, and search google for "BASE64 decoder". This led me to base64decode.org, which we can paste that data into, and hit "decode".
Awesome! We can see that it decodes to some stuff about making a POST request to /api/invite/generate
. Since that location starts with a /
, we need to put the website at the start of it, which gives us https://hackthebox.eu/api/invite/generate
.
POST Requests
To make a POST request, I'm going to cURL, which is available on Linux, Mac, and ChromeOS. I'm going to run the command below:
curl -XPOST https://hackthebox.eu/api/invite/generate
This command essentially means, we want to run curl, we want curl to make a POST request, and we want that POST request to go to the generate key URL.
Hack the Box's API returned this for me:
{"success":1,"data":{"code":"VlhIS0otTlROQ0YtS1lNSFotTUJLQkotTEdQV0o=","format":"encoded"},"0":200}
Base64 and Finishing Up
Notice that the code ends with a =
, which means that it is likely BASE64 encoded again. Following the same steps as before to decode this returns my key, which when used as an invite code brings me to this page:
That's it for making an account! No more weird stuff, just fill out the form and you'll have an account.