[Feature Request] Unlockable Forums for Each machine via root.txt hash

I saw in one of the Bashed threads a recommendation that I thought was really good and wanted to bring up specifically as a recommendation / request.

Currently, besides private messages between users, there is no way to safely discuss any of the solutions found on active machines and there is no way to know if we are not accidentally spoiling something for a user.

The recommendation which I saw was that once you unlock the root.txt hash, you can either unlock using this hash or automatically have unlocked a forum specifically for users who have rooted the machine. In here would be a great opportunity to discuss different solutions, techniques we used to actually get root, and ask questions about why things worked the way they did.

Thoughts?


Comments

  • Saw the same post and thought the idea was brilliant. I think it would be great to have a place other than DMs to discuss the box openly and to add depth to our learning! Huge +1 from me for this feature.

    andrewh

  • I too agree with this
    +1 from my side too

    CodeNinja

  • that thing exists on root-me challenges

    peek

  • Great idea, and it's being thought about. Just not as easy to implement as it sounds. As always the easiest sounding things, turn out to be the hardest :).

    Sure it isn't hard to just make a private section for each machine, and add users to groups. However, think in the future when users are members of 100+ groups and it takes an ungodly amount of database queries to generate a page.

    Other ways to do it, just need time to think so it's implemented in a scalable way. Making architecture changes to active forums is a nightmare, so doing it a "hackish" way the first time isn't a good option.

  • edited December 2017

    @ippsec said:
    Great idea, and it's being thought about. Just not as easy to implement as it sounds. As always the easiest sounding things, turn out to be the hardest :).

    Sure it isn't hard to just make a private section for each machine, and add users to groups. However, think in the future when users are members of 100+ groups and it takes an ungodly amount of database queries to generate a page.

    Other ways to do it, just need time to think so it's implemented in a scalable way. Making architecture changes to active forums is a nightmare, so doing it a "hackish" way the first time isn't a good option.

    This is my idea about this feature: https://forum.hackthebox.eu/discussion/comment/2204#Comment_2200
    In this case it requires more effort to make a "forum structure" of that section. In the forum case, as you said, there isn't a lot of work to do to make a private section.

    Here are my thoughts about a hybrid solution. I think that it's simple to check if a machine is owned.

    • The private section is protected by the root hash.
    • From the htb home there is a hyperlink that points to a private section, with the root hash as "parameter".
      So if the user owned the machine the hyperlink points to the machine section with the correct hash.

    I don't think that there is a lot of effort:

    • The forum is already here and a private section capability is simple to create.
    • The user's owned machines are already stored.
    • The correct hash is already stored.

    Potentially, in this way, there could be the possibility to make arbitrary protected sections. Nonetheless I don't find this one as interesting.

    r7f5

  • +1

    In the meantime you could just use the hash from root.txt to PGP encrypt your solution.

  • Yep. Something like that @r7f5 - The issue I have with that solution is there is nothing preventing users from sharing links and I don't like root hash being a part of a common URL.

    I was thinking more along the lines of a shared JWT cookie between HTB and Forums that would have expiration time in the cookie itself. So that way there is no magical static content that permanently gives access to the thread. The Main Page has a way to tell the forums what machines a user has compromised and won't require any database calls. Of course, there'd be some type of signing such as HMAC to prevent modification of cookies.

    That being said. I'm not a coder, so I'm not positive if that's the best solution. I'm sure something will be done but not anytime in the immediate future. I doubt there is anyone crazy enough to do a quick deployment over the holidays.

  • @ippsec said:
    Yep. Something like that @r7f5 - The issue I have with that solution is there is nothing preventing users from sharing links and I don't like root hash being a part of a common URL.

    I was thinking more along the lines of a shared JWT cookie between HTB and Forums that would have expiration time in the cookie itself. So that way there is no magical static content that permanently gives access to the thread. The Main Page has a way to tell the forums what machines a user has compromised and won't require any database calls. Of course, there'd be some type of signing such as HMAC to prevent modification of cookies.

    That being said. I'm not a coder, so I'm not positive if that's the best solution. I'm sure something will be done but not anytime in the immediate future. I doubt there is anyone crazy enough to do a quick deployment over the holidays.

    :+1: Yeah, I agree, I wrote parameter between quotes because of this obvious drawback.
    I also thought of JWT but I have never used it, so I don't know how the sharing/interaction could happen. However I read, from the RFC, that JWT supports signing with encapsulation in a JWS.

    r7f5
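The shared-cookie idea discussed in the two comments above (a JWT carried as a JWS, signed with HMAC, holding an expiry and the list of owned machines) can be sketched as follows. This is an added example, not Hack The Box code or anything posted in the thread; the `owned` claim name, the demo key, and the 15-minute lifetime are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholder; a real key would be random and known only to the two servers.
SECRET = b"constructed-demo-key-shared-by-site-and-forum"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> str:
    return b64e(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_token(user, owned, ttl=900, now=None):
    """Main site: embed the owned-machine list and a short expiry in the cookie."""
    now = int(time.time()) if now is None else now
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "owned": sorted(owned), "iat": now, "exp": now + ttl}
    body = b64e(json.dumps(claims).encode())
    return f"{header}.{body}.{sign(header + '.' + body)}"

def verify_token(token, now=None):
    """Forum: return the claims if signature and expiry hold, else None. No DB lookup."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
        # Check the MAC (constant-time) before parsing anything the client controls.
        if not hmac.compare_digest(sig, sign(header + "." + body)):
            return None
        # Pin the algorithm so a header such as "alg": "none" is never honoured.
        if json.loads(b64d(header)).get("alg") != "HS256":
            return None
        claims = json.loads(b64d(body))
    except (ValueError, TypeError):
        return None
    return claims if claims.get("exp", 0) > now else None

def can_view(token, machine, now=None):
    """Gate a machine's private section on the verified claims only."""
    claims = verify_token(token, now)
    return bool(claims) and machine in claims.get("owned", [])
```

Unlike a root hash in a URL, a copied cookie stops working at `exp`, and editing the `owned` list invalidates the signature.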

  • edited December 2017

    +1

    Nutellack

  • edited December 2017

    +1
    I have a question about Inception even though I completed it that I would love to understand more about. This could help with that kind of thing I believe. BUT IT IS SUPER HARD TO IMPLEMENT CORRECTLY like some have already said.

  • @JoeDev said:
    +1
    I have a question about Inception even though I completed it that I would love to understand more about. This could help with that kind of thing I believe. BUT IT IS SUPER HARD TO IMPLEMENT CORRECTLY like some have already said.

    You can PM me.

    likwidsec
