On the quality of recent boxes...

yeah boxes like reel don’t come by often anymore … we get ■■■■ like bighead or now, chaos booo

@rotarydrone said:
What really should be done about this? If you expect any action to be taken on this perceived problem besides hoping that users stop with these submissions, this gets us nowhere. Maybe we should formally define what a “CTF-like” machine is and propose that the mods not approve machines with those characteristics. Or, do we propose that these machines should be scored differently or not at all?

Thanks for the response. I don’t know what the solution is or should be. I don’t have all the answers, and I’m not the brightest bulb in the pack, nor do I pretend to be. That’s why I made this thread; I want everyone to weigh in. A combination of submitted boxes being more realistic and the acceptance criteria being more strict would, indeed, be a good starting point, I think.

@rotarydrone said:
I don’t disagree with most of the concerns in this post, but I think there is still a place for these types of boxes on the platform. It’s not that they are of poor quality or lack creativity, just that they don’t always align well with practicing real world skills in real world scenarios.

There absolutely is a place for them. That’s why I said that having one every now and again was a good thing. I just think it’s become far too commonplace.

@rotarydrone said:
Even the CTF oriented boxes still require at least a fundamental set of skills to enumerate and exploit, be it through a long winded set of CTF challenges packaged as a single machine, or through making educated guesses about where to look next. These approaches seem tedious, but these boxes often contain enough of a narrative to guide you from step to step or help you make the right guesses to navigate the overall challenge (perhaps combined with a little out of the box thinking). This is true for some, but obviously not all.

Agreed on all points, for the most part.

@rotarydrone said:
In any case, it’s not like there is absolutely nothing to gain from these boxes; there is, but the skills may not be all that practical in most non-CTF situations. Writing a decryption method for a custom encryption or steg tool is probably not going to have many real world applications for most of us… but it can still be fun, if you’re into that sort of thing. Not everyone enjoys it and sometimes it can be kind of shitty. Some people love it. A bit like ■■■■.

Again, agreed. It can be tons of fun. I loved the ■■■■ out of Mischief, for example. I know some people hated it. That comes down to individual preference, really. My main gripe/argument is that this unrealistic, trolly content is becoming the norm rather than the exception. When you’ve been slogging away at hyper-realistic machines for weeks, the lighthearted CTF boxes are a welcome change of pace. I have no argument there at all.

When you’re hoping to learn something besides try-the-most-obvious-BS-in-the-world-as-the-password and you come up empty handed, week after week, it starts to become a little bit ridiculous.

@rotarydrone said:
I’ll be the first to admit, if I encounter a box I suspect is going to be too CTF-like, I’ll back down because it’s just not my style. I don’t have much free time, so I want the time I spend on here to be a valuable learning experience and not a calamity of guessing my way to root. I don’t like ■■■■. With that said, not all of the boxes with those elements are bad. The most recent box which seems to have crawled up most everyone’s asses, really only had a couple of CTF like situations. The actual exploitation method to gain a foothold and obtain root were very reasonable and realistic IMO, and the CTF challenges in between served more as narrative than technical challenges to me. I’ve seen some posts and in Mattermost complaining about certain parts of this box being too CTF-like when those parts were actually the least bit like it, but I suppose it’s easier to jump on the #GuessTheBox bandwagon than admit you overlooked something or didn’t know how to use a tool properly.

Indeed. It’s easy to become frustrated and sling ■■■■ when it isn’t warranted, which is why I avoided naming specific authors or boxes. Regarding the #GuessTheBox thing, I’ve never actually seen anyone besides myself use that and, admittedly, I mostly use it when I’m frustrated with silly CTF elements, so if that was directed at me then point taken, but I stand behind it.

@rotarydrone said:
I think there is a legitimate reason to be concerned with the quality of these boxes as it pertains to practicing and learning real skills, but I don’t think that means they should be kicked away or shunned completely. Profanity ridden and seemingly butthurt about this situation, I don’t disagree with you on this problem.

No, they absolutely shouldn’t be kicked away or shunned completely and I didn’t mean to imply that at all. As far as my post being profanity ridden goes, that’s just the way that I talk (type?). Maybe I should dial it down a bit, I don’t know. But I didn’t mean for it to come across as, “I’M SO ANGRY LOOK AT ME SWEARING ■■■■ YOU ALL!”. Regarding me being butthurt, you’re 100% on point with that. The last couple of boxes have had me buttblasted into outerspace.

@rotarydrone said:
What I do disagree with is complaint without recommendation, as it does nothing to benefit the community. That’s just called bitching.

Yes, I am bitching, but it’s not without reason. I addressed my lack of recommendations at the top of this post. I’m not in control. I’m not a mod. I’m not a box maker. I can’t do anything besides “■■■■■” about a problem that I’m observing.

Again, though, thanks for the response.

Maybe add a category column in the box listing and assign CTF or Real-World value to boxes that come out. Try to release a box of each category weekly? I too don’t enjoy the CTF boxes much. I did 30 days of Offshore and let me tell you, I learned a lot and enjoyed that a lot more than doing CTF boxes.

@opt1kz said:
A goofy, trolly, CTF-style box to shake things up is all well and good and, quite frankly, even expected every now and again, but that seems to be all there is anymore. This platform is quickly becoming a race to the bottom of who can come up with the stupidest bullshit imaginable.

So how about I have a go? This is my idea for a box:

The only way to gain a foothold will be by watching a three hour My Little Pony dubstep mashup, translating every animated blink into binary to reconstruct an SSH key that will let you login to a jail that only lets you run “echo”. From there you’ll have to CTF your way out of 17 Docker instances until root.txt finally tells you to extract the LSB’s of the last frame of the original video in order to reconstruct your root flag.
ARE YOU GUYS READY FOR THE LULZ?! ■■■■ YOUR EDUCATION! MY EGO MUST BE SATED! I’M SO EPIC! DAB FORTNITE DANCE DAB

10/10 lol

It’s been quality CTF. I mean when I have to search through multiple “image” files to find a text file with a PW to login. Or extracting a “hash” from somewhere and spending time to crack it, only to find out the “hash” is in fact a password for the account elsewhere. That’s awesome CTF because it just DOESN’T happen in the REAL world. HTB get its time to REAL.

@meni0n said:
Maybe add a category column in the box listing and assign CTF or Real-World value to boxes that come out. Try to release a box of each category weekly? I too don’t enjoy the CTF boxes much. I did 30 days of Offshore and let me tell you, I learned a lot and enjoyed that a lot more than doing CTF boxes.

I like the idea of categorizing by CTF / Real-World.

Adding nothing to the conversation except for, I’m trashy too. All of my sec colleagues are ‘trashy’ too. I doubt we get many sentences out without a swearword. It’s lame that people see that as anger, it’s passion and honesty. (Normally you can trust someone who swears a lot more, they have less filters - READ: More Honest, but not necessarily a good people)

Anyway, I haven’t got a paid sub yet, but I intend to when I’m done with all the free stuff, it seems as if the enterprisey stuff is hidden there.

100% agree with all of this. I don’t think anyone wants replicas of OSCP machines but honestly there are so many 0days out there and new software and techniques to explore. It’s okay if your box isn’t “super-ninja-elite-CTF-shitfest” (looking at you BigHead).

Top boxes so far that are pretty ■■■■ awesome in terms of real-world:

RedCross - Contains solid simulated admin interaction with actual breadcrumbs obtained by exploiting other weakness (not just rabbit holes).

Teacher - Real-world web app exploit with some solid cred reuse.

Vault - Awesome pivoting exercise

Reel - as mentioned above, absolutely wicked box with real-world implications.

Irked - A head-fake CTF box that doesn’t require any CTF at all, but you could if you wanted to. Great software to box pivot.

Giddy - One of those 0day “out of the box” hack that reflects a real world scenario. It’s obscure, sure, but you learned something neat.

Dropzone - This is probably the most creative “easy” box. Take a system that hasn’t been patched since release but use risk mitigation controls so only a single exploit works on it. This is an outstanding example of the cross between what a CISSP does and what a pentester goes after (attempted to minimize risk by closing everything but it was still vulnerable).

Active - Solid introduction to a well-known toolkit that targets Windows.

@opt1kz I like that you’re trying to start this discussion. The point isn’t to complain or bash anyone or their creations, it’s to highlight the issue and (hopefully) come up with a solution, and I think this thread, if used properly, could help us brainstorm as a community.

A little Devil’s advocate here, for the sake of progressing this topic to a point where we can agree on a solution:

A large part of the problem is that we haven’t really had that before. People want to create machines because it’s a learning experience for them and they think it will be fun, or because they think they have interesting and unique ideas, etc. Unfortunately, we’ve never had an HTB poll about what we would actually want to see in a box.

Since creators are basically guessing at what people want, or aren’t even thinking about what other people want simply because the thought never really crossed their minds, some people are bound to be disappointed in some of the products they create. Yes, we’re here learning for free, but these people are also creating our learning materials for free. The people who take time out of their day to learn and create these machines for us aren’t perfect, so naturally, sometimes they’re just going to miss the mark, and I think that’s okay.

I think a large part of this too is that a lot of creators are perhaps on the less-experienced side. There’s nothing wrong with this, I think creating a machine is probably a really useful learning experience. Unfortunately, the end result might not be as well-refined as some might like.

But I digress. What it really comes down to is this: If we’re not offering up a solution, then we’re just complaining. I think if more experienced people, such as yourself, would create the machines, the overall product would be better and people would generally be happier. Also, maybe we should have a site-wide poll run by the admins. I know personally, I’d really love to see more exploit development and custom scripting stuff in machines (but maybe I’m biased because those are weaknesses of mine that I want to improve on). I think we can all agree that we generally would like to avoid click-and-run exploits, msf modules, and vulnerabilities that require me to search for some really obscure tool to be able to exploit.

I’d also like to say that I agree with pretty much everything you said. This isn’t meant to bash you or anyone else for their opinions, it’s meant to continue a discussion that I think is going to be incredibly valuable for our community, so I hope it doesn’t come across as too accusatory.

I’m new here compared to a lot of you people, so I might be wrong, but I interpreted the reason for this as universities are near winter break, and CTF contests are about to start because of this. So HTB is releasing more CTF boxes from the submission pool.

@evandrix said:
yeah boxes like reel don’t come by often anymore … we get ■■■■ like bighead or now, chaos booo

■■■■ like Bighead? IMO Bighead is one of the best boxes both quality and difficulty wise…

@PT3 said:
It’s been quality CTF. I mean when I have to search through multiple “image” files to find a text file with a PW to login. Or extracting a “hash” from somewhere and spending time to crack it, only to find out the “hash” is in fact a password for the account elsewhere. That’s awesome CTF because it just DOESN’T happen in the REAL world. HTB get its time to REAL.

Full on agreed about the first point, but to be honest, if I understand the box you are talking about correctly (lw?), you should have guessed there wouldn’t be a hashed password in the login request

In some terms I agree. Some boxes have some pretty dumb solutions, but even the ones where you only learn 1 or 2 new things are worth it, I think you are forgetting HTB is a FREE resource. You can’t come to a free resource and demand they make better content. If people pay for vip it is because they want faster machines, but either way, it CAN be used without any loss (in this case money).
I would LOVE to see more real world boxes don’t get me wrong, but they also need to post a weekly box, which is a lot of work considering the amount they need to go through if you expect to hand pick the most realistic one…

@opt1kz said:
Edit: Fair warning, there is profanity ahead. Several people have brought it to my attention. Maybe I’m just trashy, but it’s just the way that I talk/type. I apologize. If you’re not used to profanity and you read my thread, dial down your assumptions regarding how upset I am by about 400%.

First of all, I’m not going to be calling out specific authors or specific boxes in this thread. I’m trying to start a discussion about a real (as I perceive it) issue rather than starting a flame war. So, as much as I’d like to tell some people to go ■■■■ themselves, getting myself banned and/or this thread removed in the process, I’m going to attempt to refrain from doing so, as should you.

Having said that…

Many of the recent boxes suck. Full stop. There are tidbits of knowledge to be gleaned from them here and there, so they’re not completely useless, but by and large this platform has turned into a massive, CTF-oriented, first blood wankfest with very little substance and very few learning opportunities.

I can only speak for myself, but I’m here to learn and to improve my real world skills. Boxes that actually put those skills to the test and force me to adapt and learn new things are a dream come true and I absolutely love them. I’ve only been here for a few months so I can’t comment on most of the retired boxes, but as a recent example of what I’m talking about: Reel. Reel was fucking phenomenal.

Sadly, boxes like that are few and far between. Even the “hard” boxes of late aren’t hard in the sense that they’re locked down and realistic, but because the maker wants to troll for attention, intentionally frustrate people and shitpost memes in the hints thread. It is incredibly frustrating and, honestly, downright fucking obnoxious.

I’m sorry that this is going to offend some people and cause them to feel disrespected, but it’s the truth. I don’t care how many months you spent putting your CTF shitshow together. At the end of the day people are here trying to learn – and, in many cases, PAYING MONEY to do so – and you are actively fucking with that process “for the lulz”.

A goofy, trolly, CTF-style box to shake things up is all well and good and, quite frankly, even expected every now and again, but that seems to be all there is anymore. This platform is quickly becoming a race to the bottom of who can come up with the stupidest bullshit imaginable.

So how about I have a go? This is my idea for a box:

The only way to gain a foothold will be by watching a three hour My Little Pony dubstep mashup, translating every animated blink into binary to reconstruct an SSH key that will let you login to a jail that only lets you run “echo”. From there you’ll have to CTF your way out of 17 Docker instances until root.txt finally tells you to extract the LSB’s of the last frame of the original video in order to reconstruct your root flag.

I’m sure it will be rated 10/10 and instantly approved. It will probably even award you a badge for being such an elite cyber ninja! Then when everyone in the hints thread is basically telling me to go ■■■■ myself for being a trolly shithead and doing nothing but shitposting memes, I’m going to get all offended and passive aggressively whine about how nobody appreciates my hard work.

ARE YOU GUYS READY FOR THE LULZ?! ■■■■ YOUR EDUCATION! MY EGO MUST BE SATED! I’M SO EPIC! DAB FORTNITE DANCE DAB

Seriously, though… Enough is fucking enough.

  • +1 not 100% on the sentiment but yes! Learning to hack is not doing silly puzzles, if we want to do puzzles we buy a puzzle book, hacking is not about being a detective like Sherlock Holmes unless you want to do blue teaming, but that’s not hacking, but learning all about technology to the point you can find/fix/circumvent issues and chain them together to get to that same objectives. Stop the challenges types of boxes but give us real networks and real software bugs. I do not need to stare at a pic for 100 minutes to find a silly password, makes no sense. One of the reasons I like pentestit.ru is because they replicate real networks (most of the times)

I totally agree.

The last ones that were added were completely CTF-Like, with some realistic snippets.

I solved all of them and gave “like” in the end, because I still understand all the boxes as a great contribution to this platform, which as already said, is free.

But I would just like to leave here my disappointment as to some ways to reach user / root. Things like “guess the password for that thing, it’s right in front of your nose,” and you have to literally search the page and source for the password. Guys… please… hahaha. Use a default password or something, I still think it’s “okay,” but look for stuff in the source code? Search for text messages in an IMAGE?

I think 80% of the boxes available are VERY GOOD, with good ideas. Even a box that involves a lot of “guessing” has very good parts. However, this topic is still very pertinent, since the last boxes that have been added are getting a lot of ‘dislike’ (Look at Teacher and Chaos). And the reasons are obvious …

Just my 2 cents. :)

There can quite easily be an opportunity for the platform maintainers to introduce a tagging aspect to box creation. Is this a ‘real world’ scenario or is it a CTF fantasy?

People use the platform for differing reasons. Some want to create boxes that are either fun or educational and the same goes for those wanting to solve them.

Some people are looking for interesting puzzles and others for an education.

That should be considered.

If boxes are tagged by creators and then checked by moderators it should be entirely possible for users to filter on what best suits them.

Personally I am here to learn and I too find it frustrating when I am having to deal with wildly unrealistic web apps. Don’t just leave bullshit in source on the page and try and pass that off as a lesson in reading source code.

We fucking get it.

If you’re going to do that, do something cool like in Waldo where there is code to read and enumerate. Not some ■■■■ image that has a steg message in it. What real world scenario has that?

I like the idea of separating between “real-world” and “CTF” boxes. Anyway one thing no one really mentioned here is the fact that every box went through the validation process of HTB. So creator and the testing team of HTB should maybe think about before they approve/submit a box.

I can see where you’re coming from but I like boxes that need a bit extra enum and I enjoy the puzzles, unless it’s steg… I fkn hate steg.

But real world is not puzzles. It’s bad code, misconfiguration, old/unpatched software. Leveraging phishing, SQLi, RCE like that on Waldo.

Not some esoteric puzzle.

There needs to be a separation of states

@FlameOfIgnis said:

@PT3 said:
It’s been quality CTF. I mean when I have to search through multiple “image” files to find a text file with a PW to login. Or extracting a “hash” from somewhere and spending time to crack it, only to find out the “hash” is in fact a password for the account elsewhere. That’s awesome CTF because it just DOESN’T happen in the REAL world. HTB get its time to REAL.

Full on agreed about the first point, but to be honest, if I understand the box you are talking about correctly (lw?), you should have guessed there wouldn’t be a hashed password in the login request

There would be in this kind of login request. It’s a clear text protocol and that’s how it works. The pw is not passed in clear text. But then again I always use the hash of my pw as a pw somewhere else cause it’s just cool and so easy to remember.