On the quality of recent boxes...

I too believe boxes should focus more on pen testing rather than CTF…
Anyone who wants a CTF can go to HTB Challenges…

Just keep boxes for pen testing skills…

YES! Finally !

I’ve been wanting to say this for a long time. Especially after I saw Frolic

I really like the idea of separating CTF like boxes with real world scenario boxes. I think this will let those who want to play games play and those who want to learn learn.

I just don’t want HTB to end up like Vulnhub eventually

So here’s the solution:

Categorize a box by either “real-world simulation” or “CTF.” I don’t think we need to have separate scoreboards unless someone really wants their ego rubbed (and in that case take a flight over to Amsterdam).

EZPZ.

I like the idea of separating the categories in some way, but I also think they should be scored differently, or not at all.

@r3no said:
I just don’t want HTB to end up like Vulnhub eventually

There’s nothing wrong with Vulnhub and the format of the machines posted there. Most of them are really good fun despite all of the CTF oriented boxes. But I agree that HackTheBox should be careful not to re-invent VulnHub with a scoreboard.

I don’t want to deter potential machine makers from being creative and posting their machines, but HackTheBox may not be the appropriate platform for some of these boxes.
Machine makers should take that consideration seriously as should moderators during the eval process.

@rotarydrone said:
I like the idea of separating the categories in some way, but I also think they should be scored differently, or not at all.

@r3no said:
I just don’t want HTB to end up like Vulnhub eventually

There’s nothing wrong with Vulnhub and the format of the machines posted there. Most of them are really good fun despite all of the CTF oriented boxes. But I agree that HackTheBox should be careful not to re-invent VulnHub with a scoreboard.

I don’t want to deter potential machine makers from being creative and posting their machines, but HackTheBox may not be the appropriate platform for some of these boxes.
Machine makers should take that consideration seriously as should moderators during the eval process.

Don’t get me wrong. I’m not saying Vulnhub is bad. I’m saying the majority of its machines are CTF based, which is why I stopped playing with it. IF HTB started to be all CTF like boxes, then it will be identical to Vulnhub except that it will be with a scoreboard. If this will be the case then I’ll probably cancel my subscription and only be here WHEN there is a good machine. I’m not saying ALL of them are bad. I’m just saying that the last couple of them were mostly imaginary scenarios unrelated to real life.

I love the discussion and I’m going to give you my 2 cents. I like and support the idea of admins creating a poll to understand what the people in this platform want to see, and maybe listen to both sides: those that are looking for realistic boxes to practice pentesting per se (myself included) and those that want to challenge themselves with puzzles and ctf-like machines. After that, decide what road to take, either if it’s a good idea to categorize each box with CTF/Real-world or something different.

@r3no said:
YES! Finally !

I’ve been wanting to say this for a long time. Especially after I saw Frolic

I really like the idea of separating CTF like boxes with real world scenario boxes. I think this will let those who want to play games play and those who want to learn learn.

I just don’t want HTB to end up like Vulnhub eventually

I agree but htb is always like this: some time we have more ctf boxes and sometimes more realistic ones. It’s a lot of work to design a good box and find a balance, dont forget that htb is free. But yeah sometimes we have boring boxes in row.

I like the idea of having separate ‘real-world’ and ‘ctf’ style machines. It will allow me to focus on the areas that I care about, just like with the specific challenge sections.

As far as implementation, maybe a set of ‘guidelines’ can be created by HTB maintainers/VIPs to help HTB maintainers have a community threshold of what classifies a box one way or the other. (ie stego? automatic ctf. AD? most likely real-world.)

It would take a while to establish a baseline if the HTB team only took feedback from like/dislike rankings. It would probably be messy if they added a “ctf/not-ctf” ranking (especially because people would still have to solve before they could rank).

That being said, I’m not a Guru or Omniscient, so I (fortunately/unfortunately) am still learning things like ‘constantly check magic bytes’ and some of the ctf boxes still give me ‘lessons learned’. On the other hand, I still absolutely hated Teacher’s initial login…

I agree with most of the comments here…my suggestion would be to classify boxes on a spectrum, with one end being Full-CTF and the other end Ultra-Realistic or something like that. The reasoning behind a spectrum would be so that users can vote on it and also because certain boxes aren’t clear-cut, e.g. the user part may be pure CTF but the root part may be realistic. It would work kind of like the difficulty graph, with user votes giving a realistic depiction.

It would have nothing to do with difficulty or points, it would just be an extra metric to give people an idea if they should waste 2 days on a box or not. CTF boxes may be fun, but they’re a frustrating waste of time for people who need to learn real-life skills or prepare for certifications like OCSP.

@Skunkfoot said:
@opt1kz I like that you’re trying to start this discussion. The point isn’t to complain or bash anyone or their creations, it’s to highlight the issue and (hopefully) come up with a solution, and I think this thread, if used properly, could help us brainstorm as a community.

Thanks for the response. And yes, exactly.

@Skunkfoot said:
A little Devil’s advocate here, for the sake of progressing this topic to a point where we can agree on a solution:

A large part of the problem is that we haven’t really had that before. People want to create machines because it’s a learning experience for them and they think it will be fun, or because they think they have interesting and unique ideas, etc. Unfortunately, we’ve never had an HTB poll about what we would actually want to see in a box.

Yeah, and we certainly don’t want to discourage those people. They shouldn’t have to worry about being yelled at by the community and be afraid of sharing their creations. My initial post might’ve been a little harsh in that regard, perhaps. I don’t know. That’s why I didn’t name specific authors/machines, though. We need to have a discussion, not a flame war.

@Skunkfoot said:
Since creators are basically guessing at what people want, or aren’t even thinking about what other people want simply because the thought never really crossed their minds, some people are bound to be disappointed in some of the products they create. Yes, we’re here learning for free, but these people are also creating our learning materials for free. The people who take time out of their day to learn and create these machines for us aren’t perfect, so naturally, sometimes they’re just going to miss the mark, and I think that’s okay.

No argument from me on that point.

@Skunkfoot said:
I think a large part of this too is that a lot of creators are perhaps on the less-experienced side. There’s nothing wrong with this, I think creating a machine is probably a really useful learning experience. Unfortunately, the end result might not be as well-refined as some might like.

Indeed, which brings me back to the point of not wanting to discourage people. Especially if they’re newer and just trying to learn and get involved in the community.

I honestly hope that that doesn’t end up becoming a side effect of this thread.

@Skunkfoot said:
But I digress. What it really comes down to is this: If we’re not offering up a solution, then we’re just complaining.

Well, that’s the whole point of this thread; brainstorming solutions. My initial idea for a solution was to make a thread telling people to tone down the CTF stuff and get a discussion started about it, so here we are.

@Skunkfoot said:
I think if more experienced people, such as yourself, would create the machines, the overall product would be better and people would generally be happier. Also, maybe we should have a site-wide poll run by the admins. I know personally, I’d really love to see more exploit development and custom scripting stuff in machines (but maybe I’m biased because those are weaknesses of mine that I want to improve on). I think we can all agree that we generally would like to avoid click-and-run exploits, msf modules, and vulnerabilities that require me to search for some really obscure tool to be able to exploit.

On that note, after I posted this thread I immediately started brainstorming my own box. I didn’t think it’d be very fair to ■■■■■ about the state of things without trying to somehow fix it myself, as you pointed out. I can’t say that it will be ready any time soon, but it’s in the works, at least.

@Skunkfoot said:
I’d also like to say that I agree with pretty much everything you said. This isn’t meant to bash you or anyone else for their opinions, it’s meant to continue a discussion that I think is going to be incredibly valuable for our community, so I hope it doesn’t come across as too accusatory.

Nah, it didn’t come across as accusatory at all. Even if it had, that’s just part of discussing/debating topics that people are passionate about. No worries.

@peek said:

@r3no said:
YES! Finally !

I’ve been wanting to say this for a long time. Especially after I saw Frolic

I really like the idea of separating CTF like boxes with real world scenario boxes. I think this will let those who want to play games play and those who want to learn learn.

I just don’t want HTB to end up like Vulnhub eventually

I agree but htb is always like this: some time we have more ctf boxes and sometimes more realistic ones. It’s a lot of work to design a good box and find a balance, dont forget that htb is free. But yeah sometimes we have boring boxes in row.

Kudos @opt1kz; think you are being conservative actually.

We have a two week break now and I’m looking down the list of submissions and the outlook is BLEAK; i.e. either insane or trash.

Furthermore HTB is not free. Certainly not if you pay VIP and not if you do free either. You think Facebook is free? You think peoples’ time is free? Having absolutely none of that.

As for discouraging people who make CTF trollfest boxes? Totally fine with that. There are plenty of people ready and willing to make better ones if they don’t feel like ‘trying harder’.

As for sparing their feels, hmm maybe some but I then see some makers and upcoming makers quite happy to shitpost other makers machine’s scoreboards and that. So no! Suck it up princess.

As for offering solutions? How about CAN YOU NOT.

Will HTB actually do anything? No.

“HTB is not free not if you pay VIP and not if you do free either. You think Facebook is free? You think peoples’ time is free? Having absolutely none of that.” No one is forcing you to come to HTB, there are plenty of CTF platforms. if you value your time enough to use the argument “time is not free”, then go somewhere where you think you will use your time more efficiently. The base services for HTB are 100% free, and are 0% compulsory.

FYI I pay for VIP. But still think ALL USERS ARE EQUAL.

Their opinions are just as valid as VIPs getting fucked over with this CTF troll ■■■■.

Having a ‘free’ tier doesn’t absolve you of responsibility for providing the service you got people to sign up for. Once invested you can’t just say to people “oh well if you don’t like it you can ■■■■ off” Too fucking late for that mate.

There are plenty of CTF platforms. Way to go missing the whole point.

I never said anything to clash with this statement “FYI I pay for VIP. But still think ALL USERS ARE EQUAL.”, I am saying, you can come, or not, you can pay, or not, no one is forcing you to come, if you enjoy some ctf’s more than others, then that is expected, same as other people will enjoy certain boxes that you wont. It is based on personal preference, and the idea that the platform is free, just reinforces the fact that this whole debate is a bit “spoilt” to say the least. Would you rather there was no HTB at all? Exactly, so enjoy what you have, or go to another platform.

No you did. You totally are implying that because it’s ‘free’ that you don’t have the right to complain about the mediocre boxes. Sorry WE DO. And no we don’t have to either ■■■■ off or just put up with whatever you swill out. What sort of attitude is that?

Why don’t you go to another platform? If you like CTFs so much I hear Vulnhub is great!

Ultimately HTB can do nothing and also true people can just leave and let HTB be Vulnhub with a scoreboard. (on point awesome that comment)

People have already invested time and money and recently there have been a raft of trollshit boxen. Complaints are valid and have merit.

I hope people including HTB officials would see HTB as more than ‘Yet another CTF platform…’ but I guess ‘too hard’.

Guys, if you want to have a personal argument, please do so in a PM so as not to derail this potentially valuable forum thread. :slight_smile:

This thread was long overdue.

This is exactly what has been going in my mind lately and since @opt1kz actually made it happen i though i should put my 2 cents in it.

We are not trying to disrespect anyone here, we’re just a couple of folks having passion and love to what we do, we are all in this together, helping each other out and most of us do this in our free time or when we have time. But we would rather see spending our free time here with something that has meaning, something that actually help us advance in this vast field, i mean challenges are ok but at least creating boxes to represent what we could face out there and i get that all “difficult to create that” but i would certainly take quality over quantity.

I though we were supposed to be a step further from “Vulnhub” (good place, i started from there).
I feel like is getting exactly as @rotarydrone drone put:

HTB is vulnhub with a scoreboard.

But come on, is this what we want?

My suggestion to the creators or future creators is this, create boxes that you would rather help you in your work, or had an experience as a pentester, something that actually attract others to put some thought in it.
All i see in the forums and PMs is asking help and hints regarding about puzzle solving problems which made me think, it seems that nobody here wants to invest time to something that is useless as a knowledge to acquire and even if we do acquire the ability to stego the ■■■■ out of an image i don’t believe is anywhere helpful neither useful to develop “out of the box” type of thinking.

My point is, you may like a box less, and someone else might enjoy it more, you are forgetting that HTB has a large variety of skill levels, and I did not say that becaus eyou aren’t paying you can’t have an opinion, I am saying, personally, if I was getting a free service, the last thing I would do would be complain about how “■■■■” it is. Not everyone is a Guru like you, and maybe they need boxes based more around dumb ■■■■ like guesswork to get them started. I haven’t enjoyed the newest boxes, yet here I am. Would I like more real world boxes? Yes. Do I think I have the right to demand them? No. The boxes are submitted by users, if you look in submissions, you can see that, if you expect mods/admins to go through all the boxes looking for one that meets your requirements, don’t count on weekly releases.

@avetamine said:
This thread was long overdue.

This is exactly what has been going in my mind lately and since @opt1kz actually made it happen i though i should put my 2 cents in it.

We are not trying to disrespect anyone here, we’re just a couple of folks having passion and love to what we do, we are all in this together, helping each other out and most of us do this in our free time or when we have time. But we would rather see spending our free time here with something that has meaning, something that actually help us advance in this vast field, i mean challenges are ok but at least creating boxes to represent what we could face out there and i get that all “difficult to create that” but i would certainly take quality over quantity.

I though we were supposed to be a step further from “Vulnhub” (good place, i started from there).
I feel like is getting exactly as @rotarydrone drone put:

HTB is vulnhub with a scoreboard.

But come on, is this what we want?

My suggestion to the creators or future creators is this, create boxes that you would rather help you in your work, or had an experience as a pentester, something that actually attract others to put some thought in it.
All i see in the forums and PMs is asking help and hints regarding about puzzle solving problems which made me think, it seems that nobody here wants to invest time to something that is useless as a knowledge to acquire and even if we do acquire the ability to stego the ■■■■ out of an image i don’t believe is anywhere helpful neither useful to develop “out of the box” type of thinking.

100% agree, I prefer quality over quantity, but people do demand weekly boxes, and they would be VERY disappointed if that didn’t happen.
Stego is very outdated, and no one really uses it, but people still have interest for it. It may not be useful, but the fans love it.
I am NOT saying that I disagree with the fact that the boxes lately have been lacking. I am saying that it is one or the other. Good boxes, or weekly boxes. You cannot have both.

I agree with the OP 100%. As a relative newcomer to all this I am looking to improve my real world applicable skills and whilst I like solving puzzles its not the main aim of being on this site. I also like the idea of a flag indicating the CTFness of a box. Also, if I may be so bold is there a list of more realistic boxes that has been posted whether retired or not? In short, what are the realistic boxes to practice on?