On the quality of recent boxes...

@3mrgnc3 said:
Hey peeps,

Just my 2 cents worth also.

If I make a box my intentions are typically these.

  1. Try to include useful learning points that replicate a realistic exploit process.
  2. Create something custom that I’ve never done before (so you and I can both learn from it).
  3. Try to build it around a narrative that has a flow.
  4. Include mundane chaff on the box (because real-world stuff has that)
  5. If people try to speed hack and treat it as a ctf I will troll you on that. (so if you think my box is ctf-like, that is why. )

Nothing on my boxes is designed to be “guessed”. If you feel you are doing that, I suggest you have some gaps in your knowledge or skills, and need to learn how to enumerate the application/system you are dealing with.

I write a comprehensive walkthrough detailing the logic of every step for the HTB team to review when I submit a box. I write it as an imaginary attacker using logic to go from one step to another. If I find a step that has a leap or gap, I modify the box to include a necessary clue so the attacker won’t need to guess anything if they have completed their enum process fully.

I like the idea of a category matrix that will allow everyone to indicate and adjust how the community would categorize a box.

Something like this maybe?

Box rating matrix

This way we can see honest feedback and can improve the quality of boxes over time.

As a box maker, personally I can take the haters of any box I make for free.
I’ve been around the block enough to know that no matter how good your intentions or sentiments are, haters gonna hate on you on the interwebs.
Frankly, I always expect some people to dislike the boxes I make.
That is fine. You are entitled to your opinion. I still respect you.

I still love you all. Really, I do.
Yes. I like to troll, trash talk and shitpost from time to time. But I’m no hypocrite and can take it back too.

My advice to other makers is

“Don’t get butthurt when people say your baby is ugly!”

I’ve released some poorly conceived offspring in the past (my 1st Vulnhub box was pretty poor looking back now :lol: )

:kissing_wink:

THIS.

Perfect.

Please continue to make boxes. :slight_smile:

@3mrgnc3 said:

My advice to other makers is

“Don’t get butthurt when people say your baby is ugly!”

I’ve released some poorly conceived offspring in the past (my 1st Vulnhub box was pretty poor looking back now :lol: )

:kissing_wink:

Agreed. Some people aren’t going to appreciate the work you put into it, but that’s life. I know people didn’t like my submission, but it is what it is.
With that being said, if you don’t like something, come up with something to make it better.

@snowman418 said:
100% agree with all of this. I don’t think anyone wants replicas of OSCP machines but honestly there are so many 0days out there and new software and techniques to explore. It’s okay if your box isn’t “super-ninja-elite-CTF-shitfest” (looking at you BigHead).

Just curious,
How can you have an opinion of a box you haven’t done yet?

Thunking

FYI BigHead is not designed to be a CTF style box. I just troll those who treat it as one…

:heart: :kissing_wink:

@decart said:

@evandrix said:
yeah boxes like reel don’t come by often anymore … we get ■■■■ like bighead or now, chaos booo

■■■■ like Bighead? IMO Bighead is one of the best boxes both quality and difficulty wise…

Thank you,
You are most welcome :wink:
:heart:

@chivato said:
Stego is very outdated, and no one really uses it

Tell that to the Aussies and their anti-encryption bill.

@3mrgnc3 said:
Hey peeps,

Just my 2 cents worth also.

If I make a box my intentions are typically these.

  1. Try to include useful learning points that replicate a realistic exploit process.
  2. Create something custom that I’ve never done before (so you and I can both learn from it).
  3. Try to build it around a narrative that has a flow.
  4. Include mundane chaff on the box (because real-world stuff has that)
  5. If people try to speed hack and treat it as a ctf I will troll you on that. (so if you think my box is ctf-like, that is why. )

Nothing on my boxes is designed to be “guessed”. If you feel you are doing that, I suggest you have some gaps in your knowledge or skills, and need to learn how to enumerate the application/system you are dealing with.

I write a comprehensive walkthrough detailing the logic of every step for the HTB team to review when I submit a box. I write it as an imaginary attacker using logic to go from one step to another. If I find a step that has a leap or gap, I modify the box to include a necessary clue so the attacker won’t need to guess anything if they have completed their enum process fully.

I like the idea of a category matrix that will allow everyone to indicate and adjust how the community would categorize a box.

Something like this maybe?

Box rating matrix

This way we can see honest feedback and can improve the quality of boxes over time.

As a box maker, personally I can take the haters of any box I make for free.
I’ve been around the block enough to know that no matter how good your intentions or sentiments are, haters gonna hate on you on the interwebs.
Frankly, I always expect some people to dislike the boxes I make.
That is fine. You are entitled to your opinion. I still respect you.

I still love you all. Really, I do.
Yes. I like to troll, trash talk and shitpost from time to time. But I’m no hypocrite and can take it back too.

My advice to other makers is

“Don’t get butthurt when people say your baby is ugly!”

I’ve released some poorly conceived offspring in the past (my 1st Vulnhub box was pretty poor looking back now :lol: )

:kissing_wink:

As much as I hate sorting through a bunch of files to find what I need, I do realize that that’s actually more realistic. Not trying to call anyone in particular out, but for example, on Teacher, there’s two points where you have to sort through a ton of seemingly innocuous files to find what you need. Like you said, real machines have clutter. My personal machine has all sorts of nonsense on it that I forget to delete. I think maybe we get a little spoiled and expect to find that the priv esc vector is the only thing in the home folder of a machine.

People want to keep knocking “CTF” style machines and then complain about clutter because they don’t have a lot of free time? You know what CTF’s have? Clear objectives. There is no sorting through clutter, they tell you what you need to do, give you a hint, and you go do the thing. I personally like that aspect of CTF challenges. I think they can be useful learning tools, but I agree that I would prefer more realistic boxes, so if that means having to sort through the clutter then so be it.

Also, I would like to point out that Fortress: Jet is awesome imo, even if it is a little CTF-like. It’s a large, complex machine with multiple vulnerabilities, but it has a relatively clear path, part of which is probably due to the flag names. These flag names serve as hints for the next objective, similar to how challenges here have hints. I know the machine name is supposed to be a subtle hint about exploitation or something, but perhaps we should add a small hint to each machine’s description? It would likely cut down on people asking the same questions over and over again in the forums and PMs. Thoughts?

Also, for what it’s worth, I really like that box rating matrix. That’s an awesome feature that should definitely be implemented. Is there a poll feature on this site?

Hello everyone. First of all, thank you for opening this thread.
Here in HackTheBox we appreciate people’s comments and feedback, and we hear everyone.
As I’m the Moderator who is responsible for making sure a machine is released every week, I thought it was fair for everyone of you to say a few words from my side too.
I understand that sometimes the weekly release does not meet everyone’s expectations. HackTheBox is a platform designed for people who want to learn and improve their skills, but most important, for people who want to have fun.
We receive a lot (really, a lot) of machines from people who spend time researching and learning in order to make something where the whole community could benefit. At the same time, in order to meet the expectations of most of the users, some of the machines are sent back to the machine makers in order to be fixed, and sometimes redesigned. It rarely happens that I decide to reject a machine, unless it’s something that is going to create grief among users.
Personally, along with the other moderators, I try to release machines which are aiming to be realistic, but sometimes I see things in machines which I think could teach something new, from newbies to pros.
Most of you know how much effort we put in in order to release a machine which could please everyone, but sometimes it’s difficult to do so. Some want a realistic machine, some want a proper CTF. We try to make everyone happy, as HackTheBox is a community formed by fantastic people, the same people who put effort into creating machines. These people are mainly you guys, so personally I think that saying that a machine is “not good enough” is a slap in the face for the machines maker first, for the other users who actually like the machine and, finally, for the moderators.
As I mentioned at the beginning of this message, we welcome any feedback. We hear you. We have a section for feedback, please feel free to use it.
Apart from some unpleasant comments, I saw a lot of good ideas in this thread. Your enjoyment of weekly challenges is what we aim for, hence all the weekly releases.
I take the opportunity to thank you all for the feedback and the ideas. Feel free to leave feedback or contact any of us, we will answer straight away.

mrh4sh

Thanks for taking the time to address this for us!

Thanks for the response @mrh4sh. Nobody (including myself) is intentionally trying to disrespect the work that goes into this platform. I’m sure we’re all very appreciative that it exists in the first place. I certainly am. Having said that, though…

@mrh4sh said:
These people are mainly you guys, so personally I think that saying that a machine is “not good enough” is a slap in the face for the machines maker first, for the other users who actually like the machine and, finally, for the moderators

How is it a slap in the face for the community to critique the content that’s being created for the community? If we’re unhappy with it, why should we just shut up and deal with it? Why don’t you just remove our ability to thumbs down boxes while you’re at it, so nobody gets their feelings hurt?

@opt1kz said:
Thanks for the response @mrh4sh. Nobody (including myself) is intentionally trying to disrespect the work that goes into this platform. I’m sure we’re all very appreciative that it exists in the first place. I certainly am. Having said that, though…

@mrh4sh said:
These people are mainly you guys, so personally I think that saying that a machine is “not good enough” is a slap in the face for the machines maker first, for the other users who actually like the machine and, finally, for the moderators

How is it a slap in the face for the community to critique the content that’s being created for the community? If we’re unhappy with it, why should we just shut up and deal with it? Why don’t you just remove our ability to thumbs down boxes while you’re at it, so nobody gets their feelings hurt?

As I read it, I believe @mrh4sh was saying that “not good enough” as the only feedback without constructive details as to why you think that, is a slap in the face.

Dear @opt1kz,
If you read my comment one more time you’ll see that I’m talking about being sensible, not about being quiet.
Everyone’s opinion is subjective, so we can’t really take down a machine only because people disliked it. It is still an opportunity to other people who haven’t given it a go yet to learn something new.
With this said, I still invite you to share with us your feedback, and a solution if you have any idea: it would make our job easier.

With this said, I would invite you to make a machine and submit it, we would be very happy to test it.

Thanks,
mrh4sh

@mrh4sh said:
Dear @opt1kz,
If you read my comment one more time you’ll see that I’m talking about being sensible, not about being quiet.
Everyone’s opinion is subjective, so we can’t really take down a machine only because people disliked it. It is still an opportunity to other people who haven’t given it a go yet to learn something new.
With this said, I still invite you to share with us your feedback, and a solution if you have any idea: it would make our job easier.

With this said, I would invite you to make a machine and submit it, we would be very happy to test it.

Thanks,
mrh4sh

I haven’t seen anyone suggest that any machines be taken down, so that’s a moot point.

This entire thread is feedback. Many people are sick of the CTF elements, the guessing games and the lack of realism. I provided an example in my initial post of the kind of box that I consider phenomenal: Reel. Other people have provided similar examples.

While I have personally been trying to avoid “naming names”, other people in this thread have also provided examples of boxes they’ve disliked in this regard, and I’ve generally agreed with them. It’s difficult to be specific in a public thread like this, because so many specifics could be considered spoilers for their associated machines.

Some less-than-specific examples:

  • Steganography, Alternate Data Streams, etc being (ab)used solely to make things more difficult, not because they’d ever actually be used in that manner.

  • Environments that are so locked down and restrictive that not even their proposed, authorized users could ever get any work done in them; the environment is locked down to that degree solely to funnel us into the authors’ intended exploitation path.

  • Intentionally vulnerable, modified CTF server binaries that are present in the environment only to serve as an entrypoint and for no other reason. You’d never see them in the wild. Granted, there’s plenty of technical merit and teaching value here, so take this one with a grain of salt. It just rubs me the wrong way, personally.

  • Critical files/data hidden in nonsensical l33t speak directories that you would never see in the wild, or just “hanging out” on the web server as other filetypes that make no sense.

My solution for all this is: Read this thread and see what people in your community are saying, then adapt accordingly. I started this thread, but I’m not anyone’s spokesperson.

And as I said elsewhere in the thread, I fully intend on making my own machine, so, again, moot point. “Put up or shut up” isn’t going to dissuade me from criticizing other machines.

@mrh4sh said:
Dear @opt1kz,
If you read my comment one more time you’ll see that I’m talking about being sensible, not about being quiet.
Everyone’s opinion is subjective, so we can’t really take down a machine only because people disliked it. It is still an opportunity to other people who haven’t given it a go yet to learn something new.
With this said, I still invite you to share with us your feedback, and a solution if you have any idea: it would make our job easier.

With this said, I would invite you to make a machine and submit it, we would be very happy to test it.

Thanks,
mrh4sh

Being sensible would be reading the whole thread and everyone’s feedback before offering a response like this. It’s the least you can do given the respect that people have tried to show throughout this thread.

Lots of feedback and even solutions of categorizing or tagging boxes are being offered.

I’m a little confused why you’re mentioning taking boxes down. Where did you read that in any of that feedback?

I’m grateful to people who spend the time to make these boxes. HackTheBox as the quality controllers and ultimately the ones with the final say should be supporting makers better, suggesting remediation where boxes are missing teaching opportunities by employing guesswork and other CTF style (imho lazy) exploits for access. Even a brief brute force is preferable to a bad file extension (and then to haunt the forum deleting any mention of skipfish, perish thoughts one should learn how to use a tool).


@3mrgnc3 said:
FYI BigHead is not designed to be a CTF style box. I just troll those who treat it as one…

You realize this entire thread is because of you and how childish you were in your bighead thread right? Your elitist attitude is old.

I have zero interest spending 20+ hours on what’s essentially a troll box that isn’t remotely representative of anything in the real world.

@snowman418 said:

@3mrgnc3 said:
Just curious,
How can you have an opinion of a box you haven’t done yet?

FYI BigHead is not designed to be a CTF style box. I just troll those who treat it as one…

:heart: :kissing_wink:

You realize this entire thread is because of you and how childish you were in your bighead thread right? Your elitist attitude is old.

I have zero interest spending 20+ hours on what’s essentially a troll box that isn’t remotely representative of anything in the real world.

Hey @snowman418,

Please go look at me team name, I’m not elitist. I’m a n00b forever at most things in life. Again, you assume you know all about a box before you complete it.

Please try Bighead again and maybe you will see that the “broken”, “rabbit-hole” parts are actually the very info you need at the end maybe?

I eagerly look forward to doing your future boxes and giving you some polite feedback. Hopefully, lots of praise about how you taught me how it’s done.

I will gladly give you useful hints without spoilers. You are welcome to DM me for that.
Sorry you got frustrated to the point of hatred. As for the memes/trolls, it’s supposed to be funny for all of us. I don’t take myself too seriously, but I forget sometimes that others don’t feel the same way.

Peace,

:love:

@snowman418 said:

@3mrgnc3 said:
FYI BigHead is not designed to be a CTF style box. I just troll those who treat it as one…

You realize this entire thread is because of you and how childish you were in your bighead thread right?

Not really, this thread is about finding a mutual consensus for what the community wants so that machine authors can focus on providing content that they know people will enjoy instead of trying to guess.

Let’s get back on topic, and let’s also take a minute to appreciate the fact that the mods are being active and considering this feedback. They’re taking time out of their day to try to listen to our constructive criticisms and create a better, more enjoyable environment for all of us. We’re lucky to have mods who care and try to push forward great content at a pretty demanding rate.

@Skunkfoot said:

@snowman418 said:

@3mrgnc3 said:
FYI BigHead is not designed to be a CTF style box. I just troll those who treat it as one…

You realize this entire thread is because of you and how childish you were in your bighead thread right?

Not really, this thread is about finding a mutual consensus for what the community wants so that machine authors can focus on providing content that they know people will enjoy instead of trying to guess.

Let’s get back on topic, and let’s also take a minute to appreciate the fact that the mods are being active and considering this feedback. They’re taking time out of their day to try to listen to our constructive criticisms and create a better, more enjoyable environment for all of us. We’re lucky to have mods who care and try to push forward great content at a pretty demanding rate.

THIS YES :+1:

Dude your badge there literally says ‘Elite’ :lol:

@izzie said:
Dude your badge there literally says ‘Elite’ :lol:

Oh, you are right :lol:
Not my choice of title, I prefer the rank of Ch13f N00bTr077
(as in… I’m a noob and a troll)
:tongue: