Note: If you love cheating, you may proceed to the rest of this page.
PS: This is for the complete beginner.
Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field.
I first encountered this website when Emman Reed, the speaker of Cyber Security Code Camp by DEVCON PH, challenged us to hack our way in last October 26, 2019.
Not a cyber security expert but I’ve already read and tried some of the basics about VAPT & you know, some of the dark arts.
Alright. I know you only come here for the how-to. Let’s start.
To be able to create your own account, you must proceed to this site: https://www.hackthebox.eu/invite
But before going through, you must have an invite code. How do you get one? Of course... hack your way in.
You know de wei? I know de wei.
1. Right-click the page > Inspect Element, or go to your browser’s options > More Tools > Developer Tools, or press Command+Option+I on your keyboard for Mac, or simply F12.
2. You’ll see this at the console. The first clue. Hmm so what’s next 🤔
3. Next is to explore the Sources. Hmm, okay? What’s in here? I’m not a web developer, but basically you will see the content of the website, and as far as I know web devs mainly use JS for the actions and functionality that make the website dynamic. What’s in it?
4. Alright, the js folder has two JS files: htb-frontend.min.js, which doesn’t spark my attention, and inviteapi.min.js, which is obviously related to the thing we’re looking for.
5. As you can see, it has a sketchy function. Somehow we need to call this function.
Because I am new to this and stupid, I’ve tried to compile this function, tried to run and see the response. But it failed. Of course. And this line caught my attention. So… after a bunch of research I bumped into the Console, where we started.
6. This makeInviteCode is another obvious clue to use. So let’s go to the Console tab and simply type makeInviteCode().
7. Now we have the encrypted string: Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/vaivgr/trarengr and we have to decode it using ROT13.
8. You may google ROT13 decoder and choose any online decoder.
9. My decoded string was “In order to generate the invite code, make a POST request to /api/invite/generate”. Alright, now we need to do an API call with POST method. You can use Insomnia, Postman, or just a terminal (using curl) to do it.
To do it, prepend the base URL to /api/invite/generate, which gives https://www.hackthebox.eu/api/invite/generate, and call it with the POST method.
10. You will get a response code which is encoded with Base64. To decode it we will use the Base64 decoder @ https://www.base64decode.org/. And voila! You now have your invite code. Just copy and paste it to the Invite Code text box and hit the Sign up button :D
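Steps 7 to 10 can also be done locally in the browser console or Node.js instead of pasting strings into online decoders. The following is an added example, not code from Hack The Box or from the original post; the `decodeValue` helper, its `encoding` label and the Base64 sample value are constructed for illustration.

```javascript
// Added example: local decoders for the two transforms used in this walkthrough.
// Both are fixed and keyless, so anyone holding the string can reverse them.

// Rotate each ASCII letter 13 places; everything else passes through unchanged.
function rot13(text) {
  return text.replace(/[A-Za-z]/g, (ch) => {
    const base = ch <= "Z" ? 65 : 97; // char code of 'A' or 'a'
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Decode standard Base64, rejecting input that is not well formed.
function decodeBase64(text) {
  const clean = text.trim();
  if (clean.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(clean)) {
    throw new Error("not valid Base64");
  }
  // atob exists in browsers and recent Node.js; Buffer covers older Node.js.
  return typeof atob === "function"
    ? atob(clean)
    : Buffer.from(clean, "base64").toString("latin1");
}

// Dispatch on an encoding label (hypothetical parameter, not an HTB field name).
function decodeValue(value, encoding) {
  switch (encoding.toUpperCase()) {
    case "ROT13": return rot13(value);
    case "BASE64": return decodeBase64(value);
    default: throw new Error("unknown encoding: " + encoding);
  }
}

// The ROT13 string quoted in step 7 of this page.
const hint = "Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/vaivgr/trarengr";
// Constructed sample value (not a real invite code).
const sample = "RVhBTVBMRS1JTlZJVEUtQ09ERQ==";

console.log(decodeValue(hint, "rot13"));
console.log(decodeValue(sample, "base64"));
```

Decoding locally also keeps the value out of third-party decoder sites, which matters once the string is a real token rather than a challenge hint.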
Yikes. You’re a hacker now.
Thanks! Happy hacking :)