Hack Your Way into HackTheBox: A Relic of the Past

Back in the day, joining the ranks of HackTheBox (HTB) wasn’t as simple as filling out a form. You had to earn your place. HTB, a platform for practicing and learning cybersecurity skills through hands-on challenges, used to require prospective members to solve a web-based challenge just to get an invite code. This was a brilliant way to filter out the, ahem, script kiddies, who weren’t serious about putting in the effort. This challenge was active roughly from HackTheBox’s inception in 2017 until sometime in 2023, when they switched to the current open registration.

This post dives into the nostalgic depths of that original challenge, walking through the process and the underlying concepts. Even though it’s no longer a requirement for joining, understanding the old method is a great lesson in web development, security, and the hacker mindset.

The Good Ol’ Days: Hacking for an Invite

The original HackTheBox invite process involved a simple-looking webpage with a field where you could request an invite code. But, of course, it wasn’t actually that simple. Clicking the button wouldn’t magically grant you access. Instead, you were expected to dig into the website’s code, identify vulnerabilities, and exploit them to generate your own invite code.

The challenge centered around JavaScript and, specifically, making an API call to a specific endpoint that, if called correctly, would return the precious invite code.

Deconstructing the Challenge

The core of the challenge involved finding and understanding two key JavaScript functions. These were usually (though the exact names and structure could have varied slightly over time) found within a JavaScript file named inviteapi.min.js. You would have to look though the source of the index page to find it.

While the original inviteapi.min.js is no longer available on the live site, the core logic was well-documented by those who solved it. The critical functions were similar to these:

// This is a reconstructed example, not the exact original code.
function makeInviteCode() {
    var e = new XMLHttpRequest;
    e.open("POST", "/api/invite/how/to/generate"), e.setRequestHeader("Content-Type", "application/json"), e.onreadystatechange = function() {
        if (4 == e.readyState && 200 == e.status) {
            var t = JSON.parse(e.responseText);
            //process the data to get the next step
            console.log(t)
        }
    }, e.send()
}

function verifyInviteCode(inviteCode) {
  //placeholder, this function doesn't exist, we are creating the makeInviteCode!
}

Let’s break down what’s happening here:

1. makeInviteCode(): This function is the key. It uses XMLHttpRequest (a standard way to make web requests from JavaScript) to send a POST request to the endpoint /api/invite/how/to/generate.

2. POST Request: The POST method is typically used to send data to the server. However, in this case, the challenge cleverly used a POST request to retrieve information. This is unusual, and part of what made the challenge interesting.

3. /api/invite/how/to/generate: This is the crucial endpoint. By making a request to this specific URL, the server was designed to respond with data that would help you generate the invite code.

4. setRequestHeader: This line sets the Content-Type header to application/json, indicating that the request body (even though it’s empty in this case) is in JSON format. This was important for the server to correctly process the request.

5. onreadystatechange: This is an event handler. It defines a function that will be executed when the state of the XMLHttpRequest changes. The code checks if the request is complete (readyState == 4) and successful (status == 200).

6. JSON.parse(e.responseText): If the request is successful, this line parses the response from the server (which is expected to be in JSON format) into a JavaScript object. This object contains the encoded data.
7. console.log(t): This line logs the returned data to the console.

The Solution: Step-by-Step

Here’s how you would have tackled the challenge:

1. Inspect the Source Code: Open the HackTheBox invite page in your browser and view the source code (usually by right-clicking and selecting “View Page Source” or using your browser’s developer tools).

2. Find the JavaScript: Look for <script> tags that include external JavaScript files, particularly those with names like inviteapi.min.js or something similar.

3. Identify the makeInviteCode() Function: Within the JavaScript file, locate the makeInviteCode() function (or a function with a similar purpose).

4. Call makeInviteCode() from the Console: Open your browser’s developer tools (usually by pressing F12) and go to the console. Type makeInviteCode() and press Enter. This executes the function, sending the POST request to the server.

5. Analyze the Response: The console should display the server’s response, which will be a JSON object containing encoded data. It’ll look something like this:

   {
       "data": {
           "data": "MjAxMC0wMS0wMSB0byAyMDIzLTAxLTAx",
           "enctype": "BASE64"
       },
       "status": 200,
       "success": 1
   }
   

6. Decode the Data: The response includes a "data" field and an "enctype" field. The "enctype" field tells you the encoding method (usually BASE64). Use a BASE64 decoder (either online or through a command-line tool) to decode the value in the "data" field. in powershell, this would be:

   [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("MjAxMC0wMS0wMSB0byAyMDIzLTAxLTAx"))

or in bash:

    echo "MjAxMC0wMS0wMSB0byAyMDIzLTAxLTAx" | base64 -d

1. The Next Step: The decoded data will often provide instructions or a further hint. Often, it revealed an endpoint like /api/invite/generate.

2. Make a POST request to the final endpoint: Using your browser’s developer tools, or a tool like curl or Postman, make a POST request to the endpoint discovered in the previous step (e.g., /api/invite/generate). You don’t need to send any data in the body of the POST request. in powershell:

   Invoke-RestMethod -Uri "https://www.hackthebox.com/api/invite/generate" -Method Post
   

   or in bash:

   curl -X POST https://www.hackthebox.com/api/invite/generate
   

3. Receive the Invite Code: The server’s response to this final POST request should contain your invite code, also likely encoded in BASE64. Decode it, and you’re in! The returned JSON will be similar to:

   {
     "data": {
         "code": "T1BFSVJBLU5PVFJFQUxJVFktQ09ERQ==",
         "format": "encoded"
     },
     "success": 1
   }
   

   Decode the code from BASE64.

4. Register on HackTheBox: Go back to the HTB invite page and enter the decoded invite code. This would then allow you to proceed with the normal registration process (username, password, etc.).

The Easy Way (Now)

Of course, all of this is now a historical curiosity. HackTheBox has simplified the registration process. You can now simply visit their website, click “Join,” and register with a username, email, and password, just like most other online platforms.

While the original challenge is gone, the spirit of learning by doing, exploring, and thinking outside the box remains at the core of HackTheBox. This trip down memory lane serves as a reminder of the ingenuity involved in both creating and solving cybersecurity challenges. The old invite system was a great example of how to gamify security education and attract those with a genuine interest in hacking. And who knows, maybe they’ll bring back a similar challenge someday!