Dynamic Root Flags To be Introduced?

edited March 19 in Machines

Good morning everyone.

I was surprised to see a new development being made regarding how the ROOT flag is generated. I was informed by a user in an unofficial HTB discussion thread in the Discord that from next machine onwards each ROOT flag will be different for every user, I mean the flags are dynamic from user to user.

Well, this is a good development if you see it from the point of view of HTB and its affiliates; however, this will definitely make life harder for the ones who just buy flags from different sources just for the sake of the “HTB RANK”.

As a blogger this will as well make my life harder because I cannot publish my write-ups protected with the root flag.

I as well see this new change will let flag sellers make more money by changing their business by becoming a “Write-ups” seller.

Thoughts?

NS.

Comments

  • I think this is already in place. Recently, I revisited one active box and was surprised to find a different root flag.

    limbernie
    My write-ups of retired machines | Discord - limbernie#0386

  • edited March 19

    @limbernie said:

    I think this is already in place. Recently, I revisited one active box and was surprised to find a different root flag.

    Possibly yes, I was contacted by a couple of users saying they were not able to unlock my articles using their flags.

    Well, if this is already in place, I don't see an updated changelog?

    NS.

  • Hi!

    I agree with you that "selling root flags" won't really be stopped by this approach, since people could start selling write-ups instead. But then there would at least be some little skill involved to get everything to work.

    I think this measure would be a bit like locks for bicycles. It doesn't really stop anyone who really wants to steal/cheat, but it might at least stop "casual cheaters" that "stumble over" the root flag when researching the box or might just copy it from somewhere out of frustration.

    About your blogger kind of view: It's a bit of a bummer that interested readers can't read your write-up after rooting the machine themselves. But you're not really losing any real traffic etc., since you can't make it public anyway, I presume?
    Still, I understand that it's nice and handy to publish the write-up like you're doing.

  • Why don't you publish your writeups after retirement?

    peek

  • @peek said:

    Why don't you publish your writeups after retirement?

    I get it, publishing writeups before ippsec's videos go online is his "unique selling point" that would be lost if dynamic flags are introduced.
    Having this in place exclusively for people who rooted the box already isn't gonna give him a large number of views but rather a certain number of views he can rely on.

    These writeups are great if you just walked through a box and want to look up what you did wrong or managed to do something without understanding why it worked at all.

    Blogging these days is pretty hard, most people don't read blogs or interact much with the web anymore. Look at the comments section on bigger news outlets, nothing. Smartphone days..

    Feel with OP but don't really have an idea what to do. Maybe you can contact HTB and they allow you to place a second "writeup" key next to the root key? That might as well be dynamic, just you need to have the algorithm, too.

    Hack The Box

  • I find this very disappointing, as others have commented reading the write ups is one of the first things I like to do when I have rooted a box :unamused: it is a great learning tool. Waiting months to do this.... having to go back when things are fresh.... is definitely sub optimal :disappointed:

    CurioCT

  • @sparkla said:

    These writeups are great if you just walked through a box and want to look up what you did wrong or managed to do something without understanding why it worked at all.

    This ^^^^.

    Most boxes have several paths to a solution and there is a massive learning value to seeing how other people do it. Yes, you can wait until it retires but there comes a point at which that largely kills the learning value from HTB.

    I absolutely LOVE @nav1n's walkthroughs. On almost every occasion I've found a better/faster/more consistent way to complete a step compared to how I had done it originally. Even recently, with traceback, after I eventually got root, thanks to flag protected walkthroughs, I was able to read a write-up and find out something I'd given up on would have worked if I'd learned how to work it.

    For me, this is not an improvement.

    If you are going to buy a flag, you can buy a walkthrough. This won't prevent the underlying problem and, at the end of the day, it is a game. If people are spending money to get HTB rank... wtaf? But are they worse than people who ask for hints on every single step?

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • if the flags are different for every user, maybe there's no more reason to password protect writeups? :naughty:
    I mean, lazy lamers still have to walk through the box because the flag is different. Maybe it's a chance they learn something for real by reading the writeup instead just copypaste flags lol

    TheJ0k3r

  • @TheJ0k3r said:

    if the flags are different for every user, maybe there's no more reason to password protect writeups? :naughty:
    I mean, lazy lamers still have to walk through the box because the flag is different. Maybe it's a chance they learn something for real by reading the writeup instead just copypaste flags lol

    HTB policy doesn't allow publishing unprotected writeups on active machines.

    Hack The Box

  • edited March 19

    @TazWake said:

    If you are going to buy a flag, you can buy a walkthrough. This won't prevent the underlying problem and, at the end of the day, it is a game. If people are spending money to get HTB rank... wtaf?

    Like I said in another thread, these badges do have an actual value. In the careers section of HTB jobs do require a certain rank, albeit that rank is usually "Noob" or "Hacker" for all I've seen.

    But are they worse than people who ask for hints on every single step?

    Yeah. One is 100% cheating. The other is not knowing or being a lazy a**, broke mf. :D

    Hack The Box

  • @sparkla said:

    Like I said in another thread, these badges do have an actual value. In the careers section of HTB jobs do require a certain rank, albeit that rank is usually "Noob" or "Hacker" for all I've seen.

    Totally agree they have value, but I think that's wrong - they shouldn't have. I am omniscient and if you hired me as a pentester you'd be an idiot :smile: I can't imagine any company giving someone a job simply because they have a certain rank on HTB. It might open a job advert but that's just recruiters playing games.

    The problem with people buying flags to level up is largely self-induced. And now the solution to the self-induced problem makes the platform less fun and a tiny bit less learning for people.

    Look at places like TryHackMe.com - you can root a machine by yourself or you can read the walkthrough, some of which give you the flag to paste in yourself. Levels still exist and there is a leaderboard for gamification but it takes itself a bit less seriously over this.

    BTW - I am not disagreeing with you here, I am more ranting at the cosmos.

    But are they worse than people who ask for hints on every single step?

    Yeah. One is 100% cheating. The other is not knowing or being a lazy a**, broke mf. :D

    Again, the ethical judgement exists but once the flags are got and the rank is achieved, you can't tell.

    If the rank "matters" then all of them are equally bad ways to get there. You can't tell if someone got to "hacker" by skill, clever reading of the forums, asking millions of questions until they get effectively a walkthrough, or buying the flags. If you are hiring, you only want the first one (possibly the second for an OSINT role :smile:).

    Personally, I'd rather more effort was put into keeping boxes stable and stopping people deleting crucial files than stopping people buying flags and reading walkthroughs.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @TazWake I guess we agree on most parts although we're largely going off-topic here.

    OT START:
    As food for thought: You should not undermine your own value, that does also undermine other people's value. I really don't like people that are like "Hey I'm not a programmer, but.... I've thrown this script / website / younameit together and it's working better than that stuff of you so-called programmers" - At the point you're starting to program you're becoming a programmer. The rest you only say to cover your own noob-a**, and you do that in an arrogant way, comparing your copy-cat work to elaborated work.
    Or like a famous x86 architect recently said in an interview "It's incredibly efficient to execute a recipe and that has almost nothing to do with doing ground work and studying aka development." One should not undermine the value of the other and both should not be compared.

    I started to program when I was about 10 years old. Have I been a programmer back then? Certainly not. But I continued, so I became one.

    You may not be a fit for a pen-tester at this point, but I doubt that after 2 weeks of working as pen-tester you'd still have a huge amount of issues and were completely non-fitting for the job.

    I'd be interested, after you said that couple of times, why you think that? What basic or advanced skill do you lack?

    Not that I would know what skills are required for a pentester, but certification training I did was basically a joke, content-wise. And a forensic cert by a retired US-Policeman, nothing against him, but it's so dated and far away from current tech standards in security that I would know of, and I couldn't pay for it right now... I don't mean to bash it or say it's ultimately bad, just that there's 2 sides to the certification medal.

    I agree that the badge alone won't land you a job, but it might land you an interview. Yet having that badge in your portfolio along with the rest: demo work, recommendations of previous employes, certifications, diploma, .... and just some regular good old writing, accounting and math skills, like you said before, it makes a difference, it shows some hands-on experience on the matter security.

    We should not aim for "perfect" candidates when it comes to jobs, we might not like what we're gonna get. We should separate the "skilled & hard working" from the "unskilled & no intent to change that" and that's it for me.
    OT END:

    Hack The Box

  • Hack The Box just released some info about these changes: https://www.hackthebox.eu/press/integrity-of-hack-the-box

    They also have some good suggestions for your problems on there!

  • @sparkla said:

    @TazWake I guess we agree on most parts although we're largely going off-topic here.

    Yeah and I am sorry to everyone for taking this off on a tangent.

    OT START:
    As food for thought: You should not undermine your own value, that does also undermine other people's value.

    Very good point. It certainly wasn't my intent so I will rethink how I express myself.

    I really don't like people that are like "Hey I'm not a programmer, but.... I've thrown this script / website / younameit together and it's working better than that stuff of you so-called programmers" -

    For me this is certainly not the case. I very, very rarely have a good solution to boxes and it is nearly always monstrous amounts of error - that's why walkthroughs are essential for me. Completing a box is a single step on the journey for my learning. Yes I can wait until the box retires but by that point my own mistakes & thinking is a distant memory.

    One should not undermine the value of the other and both should not be compared.

    Totally agree - in my case it is the value of others which gives me any hope :smile:

    You may not be a fit for a pen-tester at this point, but I doubt that after 2 weeks of working as pen-tester you'd still have a huge amount of issues and were completely non-fitting for the job.

    So don't get me wrong. If you hired me as a junior pentester I would grow into the role, but then most people could. I've done lots of "pentester" courses and I know the principles but there is significantly more to that - including an exploratory mindset.

    My point is not that I could never be a pentester - it is probably more that I know dozens of superb pentesters who are ranked Hacker at best here, my HTB rank doesn't reflect anything in the real world.

    I'd be interested, after you said that couple of times, why you think that? What basic or advanced skill do you lack?

    Well, I suck at AD exploitation and binary reversing :smile: but I am not sure that is the point. There is an element in that I am ok at reusing other people's exploitation techniques but struggle a bit to create original exploitation.

    I agree that the badge alone won't land you a job, but it might land you an interview. Yet having that badge in your portfolio along with the rest: demo work, recommendations of previous employes, certifications, diploma, .... and just some regular good old writing, accounting and math skills, like you said before, it makes a difference, it shows some hands-on experience on the matter security.

    This is 100% something I agree with. But that's also why I think the badge is effectively meaningless. If hiring managers are using that as the only entry point, then yeah, turning this into OSCP type badge makes sense. In reality it's one thing in a big package. If the person has all those other things then I wouldn't care if they bought the rank or not.

    OT END:

    Yeah - again, sorry for going on tangents but it does interest me!

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • https://www.hackthebox.eu/press/integrity-of-hack-the-box
    I think this is the best method to trace users


    Lab Activity

    We will be utilizing network information collected from the Labs and activity pertaining to Challenges, specifically whether or not a Challenge has ever been started or downloaded to verify legitimacy of each own. The information we collect is basic (source user ID, target machine/challenge ID and timestamps of observed interactions), but can give us a good understanding of how users interact with Machines and Challenges. While we will not be preventing users from owning Machines without any interaction, this is something we will be keeping a very close eye on, and will potentially implement further mitigations to prevent this kind of behaviour in the future.

    @nyckelharpa said:

    Hack The Box just released some info about these changes: https://www.hackthebox.eu/press/integrity-of-hack-the-box

    They also have some good suggestions for your problems on there!

    0zxyx

  • OT:

    @TazWake said:

    Yeah - again, sorry for going on tangents but it does interest me!

    Me too. Guess I'm the one to blame for OT. Would love to continue the discussion on a separate thread or via PM, not sure if I stole too much of your time already? I think career and HTB is a really important topic, as well as the grey area between learning and stealing. ;)

    Please don't think I tried to argue with you personally - it's been more an expression of my political and ethical views. I often struggle to express what I mean in a foreign language and step on other's toes without noticing. I didn't mean to say that you're that kind of guy (the copycat programmer), just a picture that came to mind to describe the situation in general.

    END OT:

    Hack The Box
