Updated on February 15 2020 • Martin Shishkov

How I Got Into Hack-the-Box? (fun)

Here I explain what I did in order to get a registration at hackthebox.eu

HackTheBox (https://www.hackthebox.eu/) is a training ground for wannabe hackers where you can put your skills to the test in various hacking challenges.

The fun part is that in order to create an account you have to use your BRAIN. What do I mean? Well, take a look:

This looks interesting, but it doesn't give us much of a clue about what to do. My first guess was to look at the browser developer console:

Well, that looks strange. This hacky skull thing got me thinking I'm on the right track, so I thought for a bit and decided to take a leap of faith (of some kind). What I decided to do next was to search the JavaScript files for a variable or function with something like 'invite code' in its name:

Voila! We hit home! Now, let's see what happens when we call this makeInviteCode() function:

Wow! There are data and encoding type fields coming back from an AJAX request. This is pretty self-explanatory: the 'data' string is encoded with the stated encoding (BASE64).

So, off we go to decode it. Popping the first online base64 decoder there was, we get the following result:

We managed to decode the hidden message, which says we have to make a POST request to this endpoint: /api/invite/generate

I follow the instructions...

Again, we get an encoded text. This time we don't have the encoding specified but it pretty much seems like base64 again. So we decode it again:

And this VUJQE-CJOZY-QMOHG-DOMVC-VYGIK is our invitation code that we need to register!
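The two decoding steps above can be reproduced offline. This is an added example, not code from the original post or from HackTheBox: it decodes a response whose encoding is declared and one where it is not, accepting the second only if it is well-formed Base64 that decodes to printable text. The field name `enctype`, the helper names and all sample values are assumptions constructed for illustration.

```javascript
// Added example. Field names `data`/`enctype` and the samples below are assumptions.
const B64_RE = /^[A-Za-z0-9+\/]+={0,2}$/;

// Portable Base64 helpers (browser console or Node).
const b64decode = (s) =>
  typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('latin1');
const b64encode = (s) =>
  typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'latin1').toString('base64');

// True when `s` is well-formed Base64 that decodes to printable ASCII.
function looksLikeBase64(s) {
  if (typeof s !== 'string' || s.length === 0 || s.length % 4 !== 0) return false;
  if (!B64_RE.test(s)) return false;
  return /^[\x20-\x7e\r\n\t]+$/.test(b64decode(s));
}

// Decode one response envelope. A declared encoding is honoured; with no
// declared encoding the payload is decoded only if it passes the Base64 check.
function decodeEnvelope(envelope) {
  const { data, enctype } = envelope;
  if (enctype !== undefined) {
    if (String(enctype).toUpperCase() !== 'BASE64') {
      throw new Error(`unsupported encoding: ${enctype}`);
    }
    if (!looksLikeBase64(data)) throw new Error('data is not valid Base64');
    return b64decode(data);
  }
  return looksLikeBase64(data) ? b64decode(data) : null;
}

// Constructed samples (not captured traffic).
const HINT = 'make a POST request to /api/invite/generate';
const PLACEHOLDER_CODE = 'AAAAA-BBBBB-CCCCC-DDDDD-EEEEE';
const first = { data: b64encode(HINT), enctype: 'BASE64' }; // encoding declared
const second = { data: b64encode(PLACEHOLDER_CODE) };       // encoding not declared
const plain = { data: 'hello world!' };                     // not Base64 at all

console.log(decodeEnvelope(first));
console.log(decodeEnvelope(second));
console.log(decodeEnvelope(plain));
```

Base64 is a keyless, reversible encoding, so anything a server sends to the browser in this form is readable by whoever opens the developer console.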

To be honest, I did that about a year ago and I decided to show how I did it. Now, as I think about it, you can just guess the register URL: https://www.hackthebox.eu/register and skip all of the previous steps! Have fun :)