Introducing Seven, a Discord Bot for Hack The Box Teams

Increase efficiency and profit with smart, real-time queries about HTB targets, members and activity!

Propolis
Oct 30, 2020

As a member of the Hack The Box offensive security training site, you have access to a tremendous resource for leveling up as a red team security professional (or enthusiast). However, the variety of challenge types, security focus areas and levels of difficulty can be overwhelming, and while the user community on the HTB Forums and Discord Guild are generally very supportive and friendly, perhaps the best way to keep on track and informed is to be part of an active HTB Team. Teams, as the name suggests, allow site members to group together formally and compete for rank on the site. Informally, teams offer the benefits of knowledge sharing and peer motivation, which can help members gain more from the platform.

Okay, teams are great. Why Seven?

Shortly after my own Hack The Box journey began, I was invited to join the Dutch CommandlineKings team as part of a hiring spree by its captain. I was thrilled (not least because I was searching for employment in the Netherlands as a foreigner at the time). My team was fresh and had a lot of really great talent and experience, and I was able to invite some of my own friends from the site as well. However, the team was based on Discord (as many HTB teams are), and I realised quickly that there was a disconnect between HTB activity and the Discord guild. Wonder if your guild pal @squirrel45 did Monteverde? You’d need to launch and log in to the HTB site, search for the user (praying their username on HTB was the same as their Discord tag), and then search their profile manually for “Monteverde” to see if that ownage ever happened:

Looks like @squirrel45 did the deed!

Imagine another common scenario — someone’s just mentioned how great / terrible / mediocre a challenge they just owned was, and you’ve got to check it out. This is 2020 though, and you can’t be bothered to go through that dreadfully-slow HTB login and lookup nonsense. Why couldn’t you get all of that sort of non-private info directly from Discord, without ever lifting your fingers from the keyboard?

So there’s a divide between teams and their HTB data. How does Seven help?

Seven is a conversational, machine-learning-based chatbot designed to connect Discord-based teams with Hack The Box data in realtime. She’s easy to talk to, and tries hard to be as unpredictable as you are (typos, quirky remarks, GIFs and the like). She’s more than an assistant — she’ll be a valued member of your team. 🍉

Use case

Pretty much any useful question you can think up about a team member (including yourself, of course!), HTB target, or the team itself, Seven will try to answer for you.

Wonder if @squirrel45 did Monteverde?
Seven can tell you.
Wonder who can help you with Multimaster?
Seven knows that too.
Wonder how the team is doing, rank-wise?
Seven has got your back.
Wonder where @squirrel79 is located and what toothpaste they use?
Try the CIA. (Seven will get you the profile info, though).

Intelligence

To lower the bot’s learning curve, Seven is built on top of Google’s DialogFlow intent matching platform. What that means in practice is that Seven will understand most wordings of the questions she’s trained to handle. There aren’t any trigger words or /getinfo etc. Just talk to her (in English):

"seven who am i?"
"who's on top seven?"
"seven team info"
"what retired web challenges have squirrel42 and I not done yet?"
"seven, can you help me hack multimaster?"
"what's new?"

Note: To get Seven’s attention in a channel, just say something with “Seven” in it somewhere, e.g. “seven, team flagboard”. If you’re in a DM (the easiest way to talk to Seven), there’s no need to mention Seven by name.

Discord Association

Aside from having to manually dig up information through the HTB web interface, the main problem Seven was designed to solve was linking Discord users to their Hack The Box accounts. To self-associate, team members on Discord can say “[Seven,] I am [username] on htb” or similar.

It’s that easy!

This will make it possible to query accomplishments / statistics for HTB users based on their Discord account, in cases where the username and tag aren’t the same. An associated account will be indicated by bold text and a cyclone emoji next to the username, in most Seven responses:

Furthermore, after associating your Discord account you can easily make ‘self’ queries, e.g. “what rank am I”, “my progress”, “my last 30 challenge owns” and so forth.

Privacy note: If you’d like to disassociate / unlink your Discord account, or have your HTB account excluded from results altogether, just indicate that in a message and Seven will perform the relevant disassociation.

Show me some examples!

Seven knows a lot about several different HTB-related entities (members, boxes, challenges, endgames, and the like), and is also always down to socialize (No GPT-3 magic, though — sadly, my research application received no response 💔). In this section, a handful of the most useful query types are documented.

Team Information

Teams are, obviously, what Seven is all about. So it makes sense that she’d be aware of the team’s HTB presence!

Fancy a nice infobox about the team as a whole? Just call out the team moniker or something like “team info”:

Team details, still crispy and hot.

You can also view the current team leaderboard:

As well as a number of other stats:

Geodiversity and current team leader embeds

Hack the Box Targets

Targets are the meat-and-potatoes of the Hack The Box experience. Currently, Seven can only answer questions about Machines and Challenges, as the new HTB v4 API does not have endpoints for Fortresses, Endgames or Pro Labs yet (these should be available soon, at which point the remaining target types will certainly be integrated).

Need basic information and a connection address for a box or submission? Just type its name (or a nickname I might have added) for a nice infobox. Notice the spoilers below the basic details? Those can be revealed character-by-character; they are only available for retired boxes (for obvious reasons) and are based on data available through the HTB API.

Discord’s anti-designer mechanisms: 0 | Seven: 1

What about similar information for a challenge? Once again, just provide the name for a nice overview:

Want to filter and sort HTB targets based on any number of factors (X completed / didn’t complete, rating, release date, difficulty, category, type, attack path (for retired machines))? Seven’s pretty good at understanding what you’re looking for and listing those:

Team Members

Members — what would your team be without them? You can ‘research’ (i.e. stalk) your fellow members (and yourself) to your heart’s content, via these useful question types.

Let’s start with a basic information box (just mention a member by name, or say ‘who is X’ / ‘whoami’):

Note that pieces of information will be filled as available. Add a description and social links through the new site redesign! 😊

This will show information on Fortress / Endgame / Prolab completion, if available:

You can easily see what a user’s been up to (limiting the number of owns or specifying target type, if desired):

Or check if they owned a target or not:

Or get a general progress chart based on a time interval (one of 1Y, 6M, 3M, 1M, 1W):

You can also check rank, naturally:

Getting Help / Usage Guide / Developer guidelines

Just say “[seven] help” to get information about what Seven can do! (Note: these docs may be outdated depending on how busy / lazy I am at the moment):

It’s also possible to find documentation and source on the Seven GitHub repo, as well as code documentation (for those intrepid developers looking to hack, fork or recreate some part of the bot).

I’m sold. Where do I sign up?

You want Seven? Of course you do.

“The team is gonna worship me. Global top 10, here we come! 💪”
— You, reading this

Well, you can set Seven up for your team, for zero internet bucks. It will require a little effort (~30 minutes), but nothing too challenging or technical.

There are four elements you’ll need to get Seven up and running, all free:

Don’t worry, it’s not too terribly difficult to get all of these accounts up and talking to each other. There’s a complete guide to get a Seven instance up and running for your team (or university) here: Deploying Seven (a Hack The Box Discord Bot for Teams)

Support

I develop Seven for fun and not for profit, but if you think it’s a cool project, please give the repo and this post a star / clap / like. Like most developers, I’m fueled by downloads, comments and likes 🙂 If you have cash burning holes in your pocket, I’d also love to see a few dollars for a coffee. (100% of proceeds will go to convincing my wife I’m doing something important). 😅

Propolis

IT / Cybersecurity Grad with a strong interest in coding and #OffSec.