On the quality of recent boxes...

Maybe add a category column in the box listing and assign CTF or Real-World value to boxes that come out. Try to release a box of each category weekly? I too don’t enjoy the CTF boxes much. I did 30 days of Offshore and let me tell you, I learned a lot and enjoyed that a lot more than doing CTF boxes.

@opt1kz said:
A goofy, trolly, CTF-style box to shake things up is all well and good and, quite frankly, even expected every now and again, but that seems to be all there is anymore. This platform is quickly becoming a race to the bottom of who can come up with the stupidest bullshit imaginable.

So how about I have a go? This is my idea for a box:

The only way to gain a foothold will be by watching a three hour My Little Pony dubstep mashup, translating every animated blink into binary to reconstruct an SSH key that will let you login to a jail that only lets you run “echo”. From there you’ll have to CTF your way out of 17 Docker instances until root.txt finally tells you to extract the LSB’s of the last frame of the original video in order to reconstruct your root flag.
ARE YOU GUYS READY FOR THE LULZ?! ■■■■ YOUR EDUCATION! MY EGO MUST BE SATED! I’M SO EPIC! DAB FORTNITE DANCE DAB

10/10 lol

It’s been quality CTF. I mean when I have to search through multiple “image” files to find a text file with a PW to login. Or extracting a “hash” from somewhere and spending time to crack it, only to find out the “hash” is in fact a password for the account elsewhere. That’s awesome CTF because it just DOESN’T happen in the REAL world. HTB get its time to REAL.

@meni0n said:
Maybe add a category column in the box listing and assign CTF or Real-World value to boxes that come out. Try to release a box of each category weekly? I too don’t enjoy the CTF boxes much. I did 30 days of Offshore and let me tell you, I learned a lot and enjoyed that a lot more than doing CTF boxes.

I like the idea of categorizing by CTF / Real-World.

Adding nothing to the conversation except for, I’m trashy too. All of my sec colleagues are ‘trashy’ too. I doubt we get many sentences out without a swearword. It’s lame that people see that as anger, it’s passion and honesty. (Normally you can trust someone who swears a lot more, they have fewer filters - READ: More Honest, but not necessarily good people)

Anyway, I haven’t got a paid sub yet, but I intend to when I’m done with all the free stuff, it seems as if the enterprisey stuff is hidden there.

100% agree with all of this. I don’t think anyone wants replicas of OSCP machines but honestly there are so many 0days out there and new software and techniques to explore. It’s okay if your box isn’t “super-ninja-elite-CTF-shitfest” (looking at you BigHead).

Top boxes so far that are pretty ■■■■ awesome in terms of real-world:

RedCross - Contains solid simulated admin interaction with actual breadcrumbs obtained by exploiting other weaknesses (not just rabbit holes).

Teacher - Real-world web app exploit with some solid cred reuse.

Vault - Awesome pivoting exercise

Reel - as mentioned above, absolutely wicked box with real-world implications.

Irked - A head-fake CTF box that doesn’t require any CTF at all, but you could if you wanted to. Great software to box pivot.

Giddy - One of those 0day “out of the box” hacks that reflects a real world scenario. It’s obscure, sure, but you learned something neat.

Dropzone - This is probably the most creative “easy” box. Take a system that hasn’t been patched since release but use risk mitigation controls so only a single exploit works on it. This is an outstanding example of the cross between what a CISSP does and what a pentester goes after (attempted to minimize risk by closing everything but it was still vulnerable).

Active - Solid introduction to a well-known toolkit that targets Windows.

@opt1kz I like that you’re trying to start this discussion. The point isn’t to complain or bash anyone or their creations, it’s to highlight the issue and (hopefully) come up with a solution, and I think this thread, if used properly, could help us brainstorm as a community.

A little Devil’s advocate here, for the sake of progressing this topic to a point where we can agree on a solution:

A large part of the problem is that we haven’t really had that before. People want to create machines because it’s a learning experience for them and they think it will be fun, or because they think they have interesting and unique ideas, etc. Unfortunately, we’ve never had an HTB poll about what we would actually want to see in a box.

Since creators are basically guessing at what people want, or aren’t even thinking about what other people want simply because the thought never really crossed their minds, some people are bound to be disappointed in some of the products they create. Yes, we’re here learning for free, but these people are also creating our learning materials for free. The people who take time out of their day to learn and create these machines for us aren’t perfect, so naturally, sometimes they’re just going to miss the mark, and I think that’s okay.

I think a large part of this too is that a lot of creators are perhaps on the less-experienced side. There’s nothing wrong with this, I think creating a machine is probably a really useful learning experience. Unfortunately, the end result might not be as well-refined as some might like.

But I digress. What it really comes down to is this: If we’re not offering up a solution, then we’re just complaining. I think if more experienced people, such as yourself, would create the machines, the overall product would be better and people would generally be happier. Also, maybe we should have a site-wide poll run by the admins. I know personally, I’d really love to see more exploit development and custom scripting stuff in machines (but maybe I’m biased because those are weaknesses of mine that I want to improve on). I think we can all agree that we generally would like to avoid click-and-run exploits, msf modules, and vulnerabilities that require me to search for some really obscure tool to be able to exploit.

I’d also like to say that I agree with pretty much everything you said. This isn’t meant to bash you or anyone else for their opinions, it’s meant to continue a discussion that I think is going to be incredibly valuable for our community, so I hope it doesn’t come across as too accusatory.

I’m new here compared to a lot of you people, so I might be wrong, but I interpreted the reason for this as universities are near winter break, and CTF contests are about to start because of this. So HTB is releasing more CTF boxes from the submission pool.

@evandrix said:
yeah boxes like reel don’t come by often anymore … we get ■■■■ like bighead or now, chaos booo

■■■■ like Bighead? IMO Bighead is one of the best boxes both quality and difficulty wise…

@PT3 said:
It’s been quality CTF. I mean when I have to search through multiple “image” files to find a text file with a PW to login. Or extracting a “hash” from somewhere and spending time to crack it, only to find out the “hash” is in fact a password for the account elsewhere. That’s awesome CTF because it just DOESN’T happen in the REAL world. HTB get its time to REAL.

Full on agreed about the first point, but to be honest, if I understand the box you are talking about correctly (lw?), you should have guessed there wouldn’t be a hashed password in the login request

In some terms I agree. Some boxes have some pretty dumb solutions, but even the ones where you only learn 1 or 2 new things are worth it, I think you are forgetting HTB is a FREE resource. You can’t come to a free resource and demand they make better content. If people pay for vip it is because they want faster machines, but either way, it CAN be used without any loss (in this case money).
I would LOVE to see more real world boxes don’t get me wrong, but they also need to post a weekly box, which is a lot of work considering the amount they need to go through if you expect to hand pick the most realistic one…

@opt1kz said:
Edit: Fair warning, there is profanity ahead. Several people have brought it to my attention. Maybe I’m just trashy, but it’s just the way that I talk/type. I apologize. If you’re not used to profanity and you read my thread, dial down your assumptions regarding how upset I am by about 400%.

First of all, I’m not going to be calling out specific authors or specific boxes in this thread. I’m trying to start a discussion about a real (as I perceive it) issue rather than starting a flame war. So, as much as I’d like to tell some people to go ■■■■ themselves, getting myself banned and/or this thread removed in the process, I’m going to attempt to refrain from doing so, as should you.

Having said that…

Many of the recent boxes suck. Full stop. There are tidbits of knowledge to be gleaned from them here and there, so they’re not completely useless, but by and large this platform has turned into a massive, CTF-oriented, first blood wankfest with very little substance and very few learning opportunities.

I can only speak for myself, but I’m here to learn and to improve my real world skills. Boxes that actually put those skills to the test and force me to adapt and learn new things are a dream come true and I absolutely love them. I’ve only been here for a few months so I can’t comment on most of the retired boxes, but as a recent example of what I’m talking about: Reel. Reel was fucking phenomenal.

Sadly, boxes like that are few and far between. Even the “hard” boxes of late aren’t hard in the sense that they’re locked down and realistic, but because the maker wants to troll for attention, intentionally frustrate people and shitpost memes in the hints thread. It is incredibly frustrating and, honestly, downright fucking obnoxious.

I’m sorry that this is going to offend some people and cause them to feel disrespected, but it’s the truth. I don’t care how many months you spent putting your CTF shitshow together. At the end of the day people are here trying to learn – and, in many cases, PAYING MONEY to do so – and you are actively fucking with that process “for the lulz”.

A goofy, trolly, CTF-style box to shake things up is all well and good and, quite frankly, even expected every now and again, but that seems to be all there is anymore. This platform is quickly becoming a race to the bottom of who can come up with the stupidest bullshit imaginable.

So how about I have a go? This is my idea for a box:

The only way to gain a foothold will be by watching a three hour My Little Pony dubstep mashup, translating every animated blink into binary to reconstruct an SSH key that will let you login to a jail that only lets you run “echo”. From there you’ll have to CTF your way out of 17 Docker instances until root.txt finally tells you to extract the LSB’s of the last frame of the original video in order to reconstruct your root flag.

I’m sure it will be rated 10/10 and instantly approved. It will probably even award you a badge for being such an elite cyber ninja! Then when everyone in the hints thread is basically telling me to go ■■■■ myself for being a trolly shithead and doing nothing but shitposting memes, I’m going to get all offended and passive aggressively whine about how nobody appreciates my hard work.

ARE YOU GUYS READY FOR THE LULZ?! ■■■■ YOUR EDUCATION! MY EGO MUST BE SATED! I’M SO EPIC! DAB FORTNITE DANCE DAB

Seriously, though… Enough is fucking enough.

  • +1 not 100% on the sentiment but yes! Learning to hack is not doing silly puzzles, if we want to do puzzles we buy a puzzle book. Hacking is not about being a detective like Sherlock Holmes unless you want to do blue teaming, but that’s not hacking, but learning all about technology to the point you can find/fix/circumvent issues and chain them together to get to those same objectives. Stop the challenge types of boxes but give us real networks and real software bugs. I do not need to stare at a pic for 100 minutes to find a silly password, makes no sense. One of the reasons I like pentestit.ru is because they replicate real networks (most of the time)

I totally agree.

The last ones that were added were completely CTF-Like, with some realistic snippets.

I solved all of them and gave “like” in the end, because I still understand all the boxes as a great contribution to this platform, which as already said, is free.

But I would just like to leave here my disappointment as to some ways to reach user / root. Things like “guess the password for that thing, it’s right in front of your nose,” and you have to literally search the page and source for the password. Guys… please… hahaha. Use a default password or something, I still think it’s “okay,” but look for stuff in the source code? Search for text messages in an IMAGE?

I think 80% of the boxes available are VERY GOOD, with good ideas. Even a box that involves a lot of “guessing” has very good parts. However, this topic is still very pertinent, since the last boxes that have been added are getting a lot of ‘dislike’ (Look at Teacher and Chaos). And the reasons are obvious …

Just my 2 cents. :)

There can quite easily be an opportunity for the platform maintainers to introduce a tagging aspect to box creation. Is this a ‘real world’ scenario or is it a CTF fantasy?

People use the platform for differing reasons. Some want to create boxes that are either fun or educational and the same goes for those wanting to solve them.

Some people are looking for interesting puzzles and others for an education.

That should be considered.

If boxes are tagged by creators and then checked by moderators it should be entirely possible for users to filter on what best suits them.

Personally I am here to learn and I too find it frustrating when I am having to deal with wildly unrealistic web apps. Don’t just leave bullshit in source on the page and try and pass that off as a lesson in reading source code.

We fucking get it.

If you’re going to do that, do something cool like in Waldo where there is code to read and enumerate. Not some ■■■■ image that has a steg message in it. What real world scenario has that?

I like the idea of separating between “real-world” and “CTF” boxes. Anyway one thing no one really mentioned here is the fact that every box went through the validation process of HTB. So creator and the testing team of HTB should maybe think about before they approve/submit a box.

I can see where you’re coming from but I like boxes that need a bit extra enum and I enjoy the puzzles, unless it’s steg… I fkn hate steg.

But real world is not puzzles. It’s bad code, misconfiguration, old/unpatched software. Leveraging phishing, SQLi, RCE like that on Waldo.

Not some esoteric puzzle.

There needs to be a separation of states

@FlameOfIgnis said:

@PT3 said:
It’s been quality CTF. I mean when I have to search through multiple “image” files to find a text file with a PW to login. Or extracting a “hash” from somewhere and spending time to crack it, only to find out the “hash” is in fact a password for the account elsewhere. That’s awesome CTF because it just DOESN’T happen in the REAL world. HTB get its time to REAL.

Full on agreed about the first point, but to be honest, if I understand the box you are talking about correctly (lw?), you should have guessed there wouldn’t be a hashed password in the login request

There would be in this kind of login request. It’s a clear text protocol and that’s how it works. The pw is not passed in clear text. But then again I always use the hash of my pw as a pw somewhere else cause it’s just cool and so easy to remember.

I too believe boxes should focus more on pen testing rather than CTF…
Anyone who wants a CTF can go to HTB Challenges…

Just keep boxes for pen testing skills…

YES! Finally !

I’ve been wanting to say this for a long time. Especially after I saw Frolic

I really like the idea of separating CTF like boxes with real world scenario boxes. I think this will let those who want to play games play and those who want to learn learn.

I just don’t want HTB to end up like Vulnhub eventually