So how do we protect write ups now?

I saw the thread the other day about how root flags will be dynamic now so people can't share them. But obviously we normally use the root flag to protect write-ups for live machines.

Everyone seems to agree that it's good to read other people's write-ups once you've completed a machine to see how they did it differently, and we don't want to wait months to do that.

So what's the official answer to this problem? Do we just use the admin password as the password for our write-ups? I think that idea was mentioned in the original thread, but I don't think it was given as, like, a definite instruction saying that's what we should do. What has everyone else been doing?


Comments

  • I don't think there is a good answer yet, other than, for now, write-ups are dead.

    The admin password of the box is only an option for some boxes. Quite a few of them are rooted without ever finding it. Quite a few boxes are rooted by an exploit exposing the flag and nothing else. Take the retired box RE, for example: getting the admin password is basically getting the user flag. You never get the final password.

    I get that this is a valid decision by HTB, who are keen to present rank/score as something with value but, for me, it does reduce the value & fun of HTB.

  • Yeah, good point, and you're right, it is quite a big hit to the amount you can learn from HTB.

    The best solution would be for them to allow us to submit write ups for live machines but make them only accessible to people who have submitted a valid root flag for that machine. Seems like they already have everything you'd need for that too. The site can obviously tell if you've owned a machine, and already has the ability to store write ups for each machine (but only for retired boxes at the moment). Really hope they can implement this some time soon

  • edited March 23

    They're not suggesting to get the admin password, but to use the hash of the root or administrator password. If you have root access to the machine, you can simply cat out the shadow file to get it, even if you don't necessarily need the root password to root the machine. I don't know where to find that hash on a Windows system, but it should just be a quick Google search to learn that, I guess....

  • edited March 23
    I think HTB should let us submit our writeups, which can be seen whenever anyone owns root for the machine. Just like what they are doing for retired machines but now even for owned machines!

    Just like vbscrub described above...
  • @nyckelharpa said:

    They're not suggesting to get the admin password, but to use the hash of the root or administrator password. If you have root access to the machine, you can simply cat out the shadow file to get it, even if you don't necessarily need the root password to root the machine. I don't know where to find that hash on a Windows system, but it should just be a quick Google search to learn that, I guess....

    While this would be a better alternative (for boxes where it is possible to do this and it doesn't break the box early; remember, on RE you pretty much have admin access to get the user flag, the root flag is harder to get), from HTB's point of view it doesn't really solve the sharing problem. People can just share the hash, then read the write-ups and get the flag.

  • @TazWake said:

    @nyckelharpa said:

    They're not suggesting to get the admin password, but to use the hash of the root or administrator password. If you have root access to the machine, you can simply cat out the shadow file to get it, even if you don't necessarily need the root password to root the machine. I don't know where to find that hash on a Windows system, but it should just be a quick Google search to learn that, I guess....

    While this would be a better alternative (for boxes where it is possible to do this and it doesn't break the box early; remember, on RE you pretty much have admin access to get the user flag, the root flag is harder to get), from HTB's point of view it doesn't really solve the sharing problem. People can just share the hash, then read the write-ups and get the flag.

    Not to distract from the actual conversation here, but I'm confused by the idea that you needed admin access to get the user flag on RE. I'd be really curious to hear how you solved it, if you don't mind reaching out.

  • @TazWake said:
    While this would be a better alternative (for boxes where it is possible to do this and it doesn't break the box early; remember, on RE you pretty much have admin access to get the user flag, the root flag is harder to get), from HTB's point of view it doesn't really solve the sharing problem. People can just share the hash, then read the write-ups and get the flag.

    Sorry, can't say anything about RE, haven't done it yet.

    And yeah, it doesn't solve HTB's problem at all. But to be honest, I personally think it is a non-problem. If people want to cheat, they will always find a way. And in the end they are cheating themselves. This website is (at least in my opinion) mainly an opportunity to learn and not to gather points... and if you don't want to learn, then you're only wasting your own time.

    Still, rotating the flags seems like a reasonable idea to discourage "easy cheating", like when you're frustrated or so. And at least after sharing the hash you would still have to complete the steps of a walkthrough and maybe at least learn a little bit...

  • @0xdf said:

    Not to distract from the actual conversation here, but I'm confused by the idea that you needed admin access to get the user flag on RE. I'd be really curious to hear how you solved it, if you don't mind reaching out.

    It's a retired box, so it's not really a spoiler now. You don't need admin to get the user flag, but when you are running as NT AUTHORITY\SYSTEM, you can't read the root flag. You can get the admin password hash more easily than you can get the root flag, which was the clumsy point.

    @nyckelharpa

    But to be honest, I personally think it is a non-problem. If people want to cheat, they will always find a way. And in the end they are cheating themselves. This website is (at least in my opinion) mainly an opportunity to learn and not to gather points... and if you don't want to learn, then you're only wasting your own time.

    I totally agree with this.

  • I would like to expand on VbScrub's idea for people wanting to use their blog.
    We could still have the same root flag string in place to unlock the write-ups, but for each box and for each reset, the flags will have some extra random hex string to be submitted to the platform.

  • Expanding on @d4rk3r's idea, perhaps they could implement a system such that when you submit your root flag, you then get access to a special hash from HTB that is specific to that machine. It still has the same risks as before, but this way HTB can regulate who they give it to?

    TL;DR: have HTB give the hash to people who own the box instead of having it readily available on the compromised machine.


  • @ChefByzen said:

    Expanding on @d4rk3r's idea, perhaps they could implement a system such that when you submit your root flag, you then get access to a special hash from HTB that is specific to that machine. It still has the same risks as before, but this way HTB can regulate who they give it to?

    TL;DR: have HTB give the hash to people who own the box instead of having it readily available on the compromised machine.

    Yeah, that would work. Just have it give you a new special code/hash when you submit a valid root flag. Then that special code can be used to unlock write-ups etc., but it doesn't actually work as a flag to be submitted.
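A sketch of the platform-side scheme proposed in the two comments above (a per-machine unlock key handed out on a valid root submission, which is itself never a valid flag), as an added example and not HTB's implementation; the message labels, the machine name "examplebox", the reset counter and the function names are assumptions made for the example. Both values are HMAC-SHA256 outputs under one platform secret, domain-separated so that a write-up key can never collide with a flag, and the flag input includes the reset counter while the write-up key input does not.

```shell
#!/bin/sh
# Added example: a hypothetical sketch of the "give owners a separate write-up key"
# idea from the thread, not Hack The Box's implementation. Root flags are derived per
# machine AND per reset, so they rotate; the write-up key is derived per machine only,
# so it is stable for the life of the box. Assumes openssl(1) for HMAC-SHA256.
# The secret below is a constructed placeholder; a real service would keep it in a KMS,
# not in an environment variable or on a command line.
PLATFORM_SECRET="${PLATFORM_SECRET:-constructed-demo-secret-not-for-real-use}"

# hmac_hex MESSAGE
# Lowercase hex HMAC-SHA256 of MESSAGE under PLATFORM_SECRET. awk takes the last
# field so both "(stdin)= <hex>" and "HMAC-SHA256(stdin)= <hex>" output forms work.
hmac_hex() {
    printf '%s' "$1" | openssl dgst -sha256 -hmac "$PLATFORM_SECRET" | awk '{ print $NF }'
}

# root_flag MACHINE RESET_COUNTER
# The value the platform would plant in root.txt for this reset of this machine.
root_flag() {
    hmac_hex "root-flag:$1:$2"
}

# writeup_key MACHINE
# The static per-machine write-up unlock key. Different label, so it can never equal
# any root_flag output for the same machine.
writeup_key() {
    hmac_hex "writeup-key:$1"
}

# submit_root MACHINE CURRENT_RESET SUBMITTED_FLAG
# Prints the write-up key only if SUBMITTED_FLAG is the flag of the CURRENT reset.
# A flag shared from an earlier reset, or the write-up key itself, is rejected.
# (Shell string comparison is not constant-time; a real service would use one.)
submit_root() {
    if [ "$3" = "$(root_flag "$1" "$2")" ]; then
        writeup_key "$1"
    else
        echo "invalid or stale root flag for $1" >&2
        return 1
    fi
}

# Walk-through on constructed values: two resets of the same box.
flag1=$(root_flag examplebox 1)
flag2=$(root_flag examplebox 2)
[ "$flag1" != "$flag2" ] && echo "flags rotate per reset"
[ "$(submit_root examplebox 2 "$flag2")" = "$(writeup_key examplebox)" ] \
    && echo "current flag unlocks the write-up key"
submit_root examplebox 2 "$flag1" >/dev/null 2>&1 || echo "stale flag rejected"
submit_root examplebox 2 "$(writeup_key examplebox)" >/dev/null 2>&1 \
    || echo "write-up key does not work as a flag"
```

The property that matters is in `submit_root`: only the flag of the current reset unlocks the key, so a flag passed around from a previous reset is useless for both scoring and write-ups, while the key itself stays the same for the life of the box and can be used to password-protect write-ups wherever they are hosted. It does not stop an owner from handing the key to someone else, which is the residual risk ChefByzen's comment already acknowledges.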

  • Got a PM from a moderator saying they already suggested what we should do for write-ups in the original article about these changes. But that doesn't seem to solve any of the issues TazWake brought up, and the fact is that the GitHub page where most write-ups were posted is now saying they won't accept any write-ups for live machines due to the new changes :/

  • edited March 23

    something like

    root@<host>:~# ls
    root.txt
    writeup.txt

    root@<host>:~# cat root.txt
    89djjddhhdhskeke...........

    root@<host>:~# cat writeup.txt
    5hy7jkkhkdlkfhjhskl..........

  • We get a notification on our profile when we root; they could add a special flag each time we get root, only for write-ups.


  • @malwarepeter said:

    something like

    root@<host>:~# ls
    root.txt
    writeup.txt

    root@<host>:~# cat root.txt
    89djjddhhdhskeke...........

    root@<host>:~# cat writeup.txt
    5hy7jkkhkdlkfhjhskl..........

    This idea looks good!

    I was thinking of adding the random value to just a part of the hash, so that we can use the non-random part to add encryption to our write-up.

  • About the idea with the Administrator password hashes... does anybody know what to use on Windows machines/where to find the hash? As far as I understand, it's in the SAM file that can only be accessed when the system is not booted up...?

  • @nyckelharpa said:
    About the idea with the Administrator password hashes... does anybody know what to use on Windows machines/where to find the hash? As far as I understand, it's in the SAM file that can only be accessed when the system is not booted up...?

    On a running machine, it can be accessed via Volume Shadow Services, but it's a tad bit impractical. Especially here on HTB, where some machines get reset at a 2 minute interval :D


  • One problem as well is that write-ups are also stored on github.com. I'm not sure if they still are, but I saw it about half a year ago. They're uploaded in .pdf format, but in order to read one you're prompted to enter a password, i.e. the root flag.

    Seems like write-ups are going to be removed from GitHub if we go this way. And yeah, it's good to synchronize write-ups only with this site, fairly. Check if a user has rooted a box and give them access to read it. It's pretty simple, no reason to make hysterical threads here.

  • @malwarepeter said:
    something like

    root@<host>:~# ls
    root.txt
    writeup.txt

    root@<host>:~# cat root.txt
    89djjddhhdhskeke...........

    root@<host>:~# cat writeup.txt
    5hy7jkkhkdlkfhjhskl..........

    And again, write-up hashes are the same for everyone.

  • @ion0x0 said:

    @malwarepeter said:
    something like

    root@<host>:~# ls
    root.txt
    writeup.txt

    root@<host>:~# cat root.txt
    89djjddhhdhskeke...........

    root@<host>:~# cat writeup.txt
    5hy7jkkhkdlkfhjhskl..........

    And again, write-up hashes are the same for everyone.

    Yes, with my idea writeup.txt contains a static hash that will be used to unlock any write-ups, but root.txt will still be dynamic. Problem solved.

  • @ion0x0 said:

    One problem as well is that write-ups are also stored on github.com. I'm not sure if they still are, but I saw it about half a year ago. They're uploaded in .pdf format, but in order to read one you're prompted to enter a password, i.e. the root flag.

    Seems like write-ups are going to be removed from GitHub if we go this way. And yeah, it's good to synchronize write-ups only with this site, fairly. Check if a user has rooted a box and give them access to read it. It's pretty simple, no reason to make hysterical threads here.

    Yeah, that's literally the entire point of this thread lol

  • edited March 25

    @malwarepeter said:

    @ion0x0 said:

    @malwarepeter said:
    something like

    root@<host>:~# ls
    root.txt
    writeup.txt

    root@<host>:~# cat root.txt
    89djjddhhdhskeke...........

    root@<host>:~# cat writeup.txt
    5hy7jkkhkdlkfhjhskl..........

    And again, write-up hashes are the same for everyone.

    Yes, with my idea writeup.txt contains a static hash that will be used to unlock any write-ups, but root.txt will still be dynamic. Problem solved.

    The main problem is that users share root flags with some people, which in turn use these flags in order to open writeups. It can be used by rogues. "You haven't even started doing the machine, but you have already been given a writeup".

  • @ion0x0 said:

    @malwarepeter said:

    @ion0x0 said:

    @malwarepeter said:
    something like

    root@<host>:~# ls
    root.txt
    writeup.txt

    root@<host>:~# cat root.txt
    89djjddhhdhskeke...........

    root@<host>:~# cat writeup.txt
    5hy7jkkhkdlkfhjhskl..........

    And again, write-up hashes are the same for everyone.

    Yes, with my idea writeup.txt contains a static hash that will be used to unlock any write-ups, but root.txt will still be dynamic. Problem solved.

    The main problem is that users share root flags with some people, which in turn use these flags in order to open writeups. It can be used by rogues. "You haven't even started doing the machine, but you have already been given a writeup".

    Well, but if that's the problem, then their target is to destroy write-ups while a machine is active, nothing more. But if not, then a separate write-up hash is the answer.

  • @ion0x0 said:

    The main problem is that users share root flags with some people, which in turn use these flags in order to open writeups. It can be used by rogues. "You haven't even started doing the machine, but you have already been given a writeup".

    I think everyone gets that. It's clearly stated by HTB. The issue for this thread is how to protect the individual write-ups that people make.

    There are lots of legitimate reasons for this and a massive learning value from making the write-up, getting feedback on the write-up and from seeing how other people complete a box.

    For some people (me at least), this is 75% of the value from HTB. Waiting until a box retires and then getting to see how others did it kind of undermines the value, because 3 - 4 months after I've attempted a box, I've lost a lot of the motivation/memory around decisions.

    It also means a lot of people will no longer get any feedback on a box because most people will go for the official write up / ippsec video.

    It seems this will kill people trying to legitimately share write-ups for peers but won't do a thing to people selling write-ups or sharing for other reasons.

  • edited March 25

    Guys, a legitimate way to protect the write ups was already proposed by HTB. Use the hash of the root/Administrator user, meaning the hash of LOGIN password that you would need to legitimately log in to the box, not the hash in root.txt.

    For linux boxes, use the hash of the root password. If you are root on the box, just cat out the shadow file and you have it.

    For windows boxes, I realized after my last comment that you can use the hashdump command of a meterpreter shell to get the hashes of the Administrator password. If you have root access to the box, you should also be able to get a meterpreter shell going. Although that's not super practical. Maybe someone else knows a better way?

    Having an extra static writeup.txt on the box would be easier and more comfortable, I agree. But at least on Linux boxes, the steps you need to take to get a working password aren't any more difficult than opening a writeup.txt ...
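The Linux half of the suggestion in the comment above (and nyckelharpa's earlier comment to the same effect), as an added example that is not code from this thread or from Hack The Box: a POSIX shell script that pulls root's hash field out of /etc/shadow, refuses to proceed when root is locked (the boxes TazWake mentions where the hash never exists), and uses the whole hash as the passphrase for encrypting and decrypting a write-up with openssl. The shadow lines, the write-up text, the file names and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example: not code from this thread or from Hack The Box. It implements the
# "use the root password hash as the write-up password" suggestion for Linux boxes:
# take the whole hash field from /etc/shadow (salt included, nothing to crack) and
# use it as the passphrase for symmetric encryption of the write-up.
# Assumes openssl(1) is installed. All shadow lines below are constructed sample data.

# root_hash SHADOW_FILE
# Prints root's password hash field. Fails when there is nothing usable: "!" or "*"
# means the account is locked, an empty field means no password. That is the case
# raised in the thread: on some boxes there simply is no root hash to use.
root_hash() {
    _h=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$_h" in
        ""|"!"*|"*"*)
            echo "root has no usable password hash in $1" >&2
            return 1 ;;
    esac
    printf '%s\n' "$_h"
}

# encrypt_writeup SHADOW_FILE PLAINTEXT CIPHERTEXT
# AES-256-CBC with a PBKDF2-derived key. The passphrase reaches openssl through the
# environment (-pass env:) rather than the command line, so it is not visible in the
# process list of a shared box.
encrypt_writeup() {
    _k=$(root_hash "$1") || return 1
    WRITEUP_KEY="$_k" openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass env:WRITEUP_KEY -in "$2" -out "$3"
}

# decrypt_writeup HASH CIPHERTEXT PLAINTEXT
# The reader supplies the hash pulled from their own root shell on the box.
decrypt_writeup() {
    WRITEUP_KEY="$1" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass env:WRITEUP_KEY -in "$2" -out "$3"
}

# write_sample_shadow DIR
# Constructed sample data: one shadow file with a hashed root password, one where root
# is locked (as on boxes that are rooted without ever logging in as root).
write_sample_shadow() {
    printf '%s\n' \
        'root:$6$saltsalt$ConstructedNotARealHashValue:18700:0:99999:7:::' \
        'htb:$6$othersalt$AnotherConstructedHashValue:18700:0:99999:7:::' \
        > "$1/shadow"
    printf '%s\n' 'root:!:18700:0:99999:7:::' > "$1/shadow.locked"
}

# roundtrip_demo
# Encrypts a constructed write-up with the sample root hash, decrypts it with the same
# hash, and returns 0 only if the plaintext survived the round trip.
roundtrip_demo() {
    _d=$(mktemp -d) || return 1
    write_sample_shadow "$_d"
    printf '%s\n' 'Foothold: constructed example step' 'Privesc: constructed example step' \
        > "$_d/writeup.txt"
    encrypt_writeup "$_d/shadow" "$_d/writeup.txt" "$_d/writeup.enc" || return 1
    decrypt_writeup "$(root_hash "$_d/shadow")" "$_d/writeup.enc" "$_d/writeup.dec" || return 1
    [ "$(cat "$_d/writeup.txt")" = "$(cat "$_d/writeup.dec")" ]
}

roundtrip_demo && echo "write-up round trip OK"
```

Use the whole field, `$6$salt$hash`, exactly as printed: the salt is what ties the value to the box image, and it stays the same across resets while root.txt rotates. On Windows the equivalent is the Administrator NT hash from the SAM; with SYSTEM rights on the running box, `reg save HKLM\SAM` and `reg save HKLM\SYSTEM` export the hives without a shadow copy, and meterpreter's hashdump or impacket's secretsdump read them from those files. Keep the hash off the command line on a shared box (the script uses `-pass env:` for that reason), because any other player's process listing would otherwise show the write-up password.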

  • edited March 25

    @nyckelharpa said:

    For linux boxes, use the hash of the root password. If you are root on the box, just cat out the shadow file and you have it.

    Sorry for breaking your trolling attempt, but passwords in the shadow file are salted, and you can't always crack them.

    Edit: Oh, you said "hash", I missed it. Sorry, lol. So yeah, that's better.

  • edited March 25

    Yeah, no need to crack them, just use the hash. Also that is not my idea, it is what the guys of Hack The Box themselves suggest: https://www.hackthebox.eu/press/integrity-of-hack-the-box

  • @nyckelharpa read the replies in this thread. Sometimes you get the root.txt file without getting the administrator password hash

  • @nyckelharpa said:

    Guys, a legitimate way to protect the write ups was already proposed by HTB. Use the hash of the root/Administrator user, meaning the hash of LOGIN password that you would need to legitimately log in to the box, not the hash in root.txt.

    Like @VbScrub said, this doesn't solve the boxes where you don't get a root shell, or boxes (like RE) where getting Admin / Root creds isn't the end of the journey.

    The problem has no easy solution. The only consistent proof a box has been owned is the root flag. If anything else was consistently usable, we wouldn't need the root flag in the first place.
