Integrity of Hack The Box

edited March 19 in News

Dear all, after a lot of thought we decided to implement the following changes to ensure the integrity of Hack The Box and make HTB a place that is fair for everyone and the purpose of it is to learn and educate yourself. Read it thoroughly and HTB Staff is here to answer any questions you may have. Happy Hacking, Play Fair and always Think Outside The Box! :smile:
https://www.hackthebox.eu/press/integrity-of-hack-the-box


Comments

  • Very interesting stuff - I find it fascinating to see how you guys handle the types of problems that inherently come with a platform such as this. Keep up the good work!

    5ysk3y

    For assistance:

    1) Plz msg me via the main HTB messaging system, not the forums or my wall
    2) Give me some insight as to what you've tried already, or ideas you've moved past
    3) Don't expect me to give you the answer-- that defeats the object of being here.

    If you find my assistance useful, in any case, please consider clicking that awesome respect button on my profile!

  • edited March 19
    There is one issue I see with the flag rotation:
    Currently, the submission of older flags is enabled. But in the future this will not be possible anymore. Seeing how people constantly go on a reset spree on machines like e.g. Traceback, this will cause major issues. Imagine that you just manage to get the flag right before it gets reset. Now, when you submit the flag (which takes at least a few seconds), the flag is invalidated and a false flag submission gets logged on your account. Doesn’t seem fair to me, to be honest.
    On machines like Traceback you also just can’t get right back to the user/root account. So you might happen to repeat to submit an old flag again and again, simply because some players reset the machine, right after it booted up, again. Sure, there’s a 2 minute waiting time before it gets reset, but that might happen to be just enough to get the new flag, but not to also submit it.

    Just my 2 cents ;)

    Hack The Box
    GREM | OSCE | GASF | eJPT

  • So it's HTB's train set and I am not going to argue with their choices, but I think this is solving an unimportant problem while boxes like OpenAdmin, Traceback and Book could do with more effort in providing stability. (And I wish people would put critical Linux files as immutable.)

    Things I'd be curious about - is there a difference between an "old" flag and simply the wrong flag?

    Are there any repercussions? If you submit an old flag do you get banned, warned, or is there a threshold?

    I've just re-done Traceback and it's the exact same flag as when I did it on Sunday (and as far as I can tell the same flag for people on a different VPN). Does this mean it hasn't been fully implemented yet or is there a glitch (which opens the door for false positives on the "cheater" alert)?

    Lastly - should we be stricter with the advice we give out in private messages? Some people will ask enough questions to basically have the flag handed to them and others ask several people to piece it together. This means their flag/rank is not the same testament to their skill as the person who didn't ask any questions.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • Now, when you submit the flag (which takes at least a few seconds), the flag is invalidated and a false flag submission gets logged on your account. Doesn’t seem fair to me, to be honest.

    I agree. But since "old" flags are tracked anyway (if I understand correctly), maybe there should be a "claiming window" after each reset, for example half an hour. Maybe it is there already, but not announced, to prevent a race of flag sharing?

    sparrow1

  • I like the changes. To address @HomeSen's issues, you can also keep a window with Shoutbox open so you can cancel resets while you are working on something. When I was on the free tier, that's what I did. Paying to be VIP (well worth it for the training and CPEs I get) has made that less of an issue for me now.

    OSCP, SSCP
    seekorswim

  • @HTB I do like the changes, cause to me the badge means quite a lot in terms of career - it should be a somewhat validated marker in that regard and not be given inflationary. Still I hope for the write-up guys to get some support so they can continue.

    TazWake said:
    So it's HTB's train set and I am not going to argue with their choices, but I think this is solving an unimportant problem while boxes like OpenAdmin, Traceback and Book could do with more effort in providing stability. (And I wish people would put critical Linux files as immutable.)

    I second that, although as a pretty new guy I feel I may be mouthing a bit too much; these technical issues cost me a fair bit of hours & nerves. In addition they had a negative effect on learning and also on "playing fair". When I was done with Traceback I only wanted to run away and never look back, not cleaning up behind me, albeit I see there's limited responsibility from the HTB team regarding that "rampage" (still not sure where that came from)... more control over reboots could be a place to start.

    Lots of my issues arose from unstable VPN connections and I would love to see these investigated. I had most issues when I used a Wi-Fi connection; once that wasn't 100%, the VPN started to break down or never connected at all. If I'm not mistaken (and I hope I don't give IRL spoilers) HTB is running on AWS; my experience with them is mixed in terms of routes, of course they'd never admit it and always show a green light.

    But before other people slam this thread with more feedback - is there actually a bug tracker for the HTB service in general? Maybe that's a place to start! :)

    Lastly - should we be stricter with the advice we give out in private messages? Some people will ask enough questions to basically have the flag handed to them and others ask several people to piece it together. This means their flag/rank is not the same testament to their skill as the person who didn't ask any questions.

    Even though I've been asking a fair bit of questions myself lately, I wouldn't mind that. Not sure how to implement it. I'm absolutely against surveillance of private messages. @TazWake don't get me wrong, I said it before and that's what I meant. HTB cannot be "World Police"; people buy ranks, certs, diplomas, ... in the end, if you put enough on the table you can buy the whole man and he will rank up your account, that's what I know from esports.

    Hack The Box

    BYONC (Don't steal, my T-Shirt)

  • edited March 19

    @r0adrunn3r said:

    Dear all, after a lot of thought we decided to implement the following changes to ensure the integrity of Hack The Box and make HTB a place that is fair for everyone and the purpose of it is to learn and educate yourself. Read it thoroughly and HTB Staff is here to answer any questions you may have. Happy Hacking, Play Fair and always Think Outside The Box! :smile:
    https://www.hackthebox.eu/press/integrity-of-hack-the-box

    Awesome work,
    Keep up the good work @HTB

    Always happy to help others and remember to +respect me if I helped you ; )

  • Good work from @HTB

    The purpose of this action @HTB is stopping "flag sharing among any parties (Free/VIP Team)". I think it can somehow mitigate the flag sharing, but not that effectively, because it works only after a RESET. Some machines will encounter issues since they are rapidly reset, like what @TazWake mentioned.

    I guess the 2 purposes @HTB wants to achieve so far are
    1. Integrity
    2. Marketing for VIP account

    The availability issue (Rapid reset) is not a MAJOR concern for FREE tier so far. It is a kind of marketing strategy for VIP $$. The concern here is how to keep integrity valuable.

    Integrity is quantified in terms of ranking. Ranking can be composed of activities in HTB. The activities that can be officially identified are obtaining flags and write-ups.

    Write-ups should show the value here as they are a kind of solid evidence that the writer/user knows how to obtain the root flag. Even if they have the same flag, it is not that easy to write a report. Some control should be there to increase the effort of an "approved" write-up. So, even if there is a copycat, the cat needs to pay a great cost to earn the "ranking". This can protect the value of ranking/integrity.

    Or, @HTB can make some special hacking event with a limited time slot and count them in the ranking. Or, some challenge to script an automatic attack.

    Just some brainstorm from a new guy =].

    CISSP
    Hack The Box
    ++Respect If you think I help =]

  • This is great work @HTB!!

    I'm a new member, but the community on Discord and the forum is super participative. However, flag sharing is very bad for the community's growth.
