An investigation into (live) walkthrough

edited April 23 in Writeups

Now i use the term 'investigation' loosely but like many of you, i enjoy the walkthrough's of retired machines posted by the genius that is ippsec as i always learn something.

Whilst its tempting to name and shame the users i'll be mentioning below like some sort of HTB vigilante, i thought i'd keep it anonymous for now.

Whilst watching ippsec's 'Mango' walkthrough, i noticed in the suggested videos column a walkthrough of what still is a live machine - Monteverde.

I had a quick look at this users channel which showed at the time 10 walkthroughs posted (some live, some retired). Although now removed, their HTB profile was also linked (error) in their 'about' page.
I reported this user to support and was told "it will be reported internally to the evaluation team and will be looked into." Over 7 days later, the same user then posts the walkthrough of 'Magic.' Looking through the comments, a challenge flag was also shared via these means. Not much of an investigation required there with the users profile previously linked.

It was at this point, another video of 'Magic' (user has over 2k subscribers) that was posted yesterday, appeared in the suggested column.
Looking at this channel, it was the only box walkthrough. There is however an invite code walkthrough as well as one retired challenge.

Unfortunately, the user had taken a bit more care to hide their identity. At this point all i had to go on was a country of origin.

However, i thought i'd give it a go and scrutinised every part of the screen recording to see if they slipped up anywhere. Thankfully, (and if it weren't for this its unlikely i would have succeeded (spoiler)), they did.
Out of the corner of my eye i noticed the blurred out username on the HTB site partially slip for a fraction of a second. All i was able to ascertain were two characters. But that was that was needed.

Thankfully, it was two characters that were not particularly common. A bit of manual brute forcing checking through profiles and 10 minutes later, it lit up like a christmas tree. The only one to have completed 'Magic,' the same coloured avatar, the same country of origin. Bullseye.

I sent all this to support again, hoping for them to remediate this properly however, i'll have to wait and see what happens this time.

Rule 7 is there for everyone. Don't get me wrong, i've needed plenty of nudges and have been pulling my hair out plenty of times when i'm out of my depth as i'm well aware there is SO much i don't know, but my integrity would never allow me to straight up cheat.
I'm also aware not everyone has the same moral standards, but never the less, i dont feel like it should be down to individuals self discipline to not cheat. HTB needs to take rule 7 seriously when it comes to walkthrough's of live boxes.

Out.

EDIT: Hindsight, i suppose this should have been posted in off-topic instead.

Sign In to comment.