Dynamic Root Flags To be Introduced?

Good morning everyone.

I was surprised to see a new development being made regarding how the ROOT flag is generated. I was informed by a user in an unofficial HTB discussion thread in the Discord that from the next machine onwards each ROOT flag will be different for every user; I mean the flags are dynamic from user to user.

Well, this is a good development if you see it from the point of view of HTB and its affiliates; however, this will definitely make life harder for those who just buy flags from different sources just for the sake of the “HTB RANK”.

As a blogger, this will make my life harder as well, because I cannot publish my write-ups protected with the root flag.

I also see that this new change will let flag sellers make more money by changing their business and becoming “Write-ups” sellers.

Thoughts?

NS.

I think this is already in place. Recently, I revisited one active box and was surprised to find a different root flag.

@limbernie said:

I think this is already in place. Recently, I revisited one active box and was surprised to find a different root flag.

Possibly yes, I was contacted by a couple of users saying they were not able to unlock my articles using their flags.

Well, if this is already in place, I don’t see an updated changelog?

NS.

Hi!

I agree with you that “selling root flags” won’t really be stopped by this approach, since people could start selling write-ups instead. But then there would at least be some little skill involved to get everything to work.

I think this measure would be a bit like locks for bicycles. It doesn’t really stop anyone who really wants to steal/cheat, but it might at least stop “casual cheaters” that “stumble over” the root flag when researching the box or might just copy it from somewhere out of frustration.

About your blogger kind of view: It’s a bit of a bummer that interested readers can’t read your write-up after rooting the machine themselves. But you’re not really losing any real traffic etc., since you can’t make it public anyway, I presume?
Still, I understand that it’s nice and handy to publish the write-up like you’re doing.

Why don’t you publish your writeups after retirement?

I find this very disappointing, as others have commented, reading the write ups is one of the first things I like to do when I have rooted a box :unamused: it is a great learning tool. Waiting months to do this… having to go back when things are fresh… is definitely suboptimal :disappointed:

@sparkla said:

These writeups are great if you just walked through a box and want to look up what you did wrong or managed to do something without understanding why it worked at all.

This ^^^^.

Most boxes have several paths to a solution and there is a massive learning value to seeing how other people do it. Yes, you can wait until it retires but there comes a point at which that largely kills the learning value from HTB.

I absolutely LOVE @nav1n’s walkthroughs. On almost every occasion I’ve found a better/faster/more consistent way to complete a step compared to how I had done it originally. Even recently, with traceback, after I eventually got root, thanks to flag protected walkthroughs, I was able to read a write-up and find out something I’d given up on would have worked if I’d learned how to work it.

For me, this is not an improvement.

If you are going to buy a flag, you can buy a walkthrough. This won’t prevent the underlying problem and, at the end of the day, it is a game. If people are spending money to get HTB rank… wtaf? But are they worse than people who ask for hints on every single step?

If the flags are different for every user, maybe there’s no more reason to password protect writeups? :naughty:
I mean, lazy lamers still have to walk through the box because the flag is different. Maybe it’s a chance they learn something for real by reading the writeup instead of just copy-pasting flags lol

@sparkla said:

Like I said in another thread, these badges do have an actual value. In the careers section of HTB, jobs do require a certain rank, albeit that rank is usually “Noob” or “Hacker” for all I’ve seen.

Totally agree they have value, but I think that’s wrong - they shouldn’t have. I am omniscient and if you hired me as a pentester you’d be an idiot :smile: I can’t imagine any company giving someone a job simply because they have a certain rank on HTB. It might open a job advert but that’s just recruiters playing games.

The problem with people buying flags to level up is largely self-induced. And now the solution to the self-induced problem makes the platform less fun and a tiny bit less learning for people.

Look at places like TryHackMe.com - you can root a machine by yourself or you can read the walkthrough, some of which give you the flag to paste in yourself. Levels still exist and there is a leaderboard for gamification but it takes itself a bit less seriously over this.

BTW - I am not disagreeing with you here, I am more ranting at the cosmos.

But are they worse than people who ask for hints on every single step?
Yeah. One is 100% cheating. The other is not knowing or being a lazy a**, broke mf. :smiley:

Again, the ethical judgement exists but once the flags are got and the rank is achieved, you can’t tell.

If the rank “matters” then all of them are equally bad ways to get there. You can’t tell if someone got to “hacker” by skill, clever reading of the forums, asking millions of questions until they get effectively a walkthrough, or buying the flags. If you are hiring, you only want the first one (possibly the second for an OSINT role :smile:).

Personally, I’d rather more effort was put into keeping boxes stable and stopping people deleting crucial files than stopping people buying flags and reading walkthroughs.

Hack The Box just released some info about these changes: HTB News | Integrity of Hack The Box

They also have some good suggestions for your problems on there!

@sparkla said:

@TazWake I guess we agree on most parts although we’re largely going off-topic here.

Yeah and I am sorry to everyone for taking this off on a tangent.

OT START:
As food for thought: You should not undermine your own value, that does also undermine other people’s value.

Very good point. It certainly wasn’t my intent so I will rethink how I express myself.

I really don’t like people that are like “Hey I’m not a programmer, but… I’ve thrown this script / website / younameit together and it’s working better than that stuff of you so-called programmers” -

For me this is certainly not the case. I very, very rarely have a good solution to boxes and it is nearly always monstrous amounts of error - that’s why walkthroughs are essential for me. Completing a box is a single step on the journey for my learning. Yes I can wait until the box retires but by that point my own mistakes & thinking are a distant memory.

One should not undermine the value of the other and both should not be compared.

Totally agree - in my case it is the value of others which gives me any hope :smile:

You may not be a fit for a pen-tester at this point, but I doubt that after 2 weeks of working as pen-tester you’d still have a huge amount of issues and were completely non-fitting for the job.

So don’t get me wrong. If you hired me as a junior pentester I would grow into the role, but then most people could. I’ve done lots of “pentester” courses and I know the principles but there is significantly more to that - including an exploratory mindset.

My point is not that I could never be a pentester - it is probably more that I know dozens of superb pentesters who are ranked Hacker at best here, my HTB rank doesn’t reflect anything in the real world.

I’d be interested, after you said that couple of times, why you think that? What basic or advanced skill do you lack?

Well, I suck at AD exploitation and binary reversing :smile: but I am not sure that is the point. There is an element in that I am ok at reusing other people’s exploitation techniques but struggle a bit to create original exploitation.

I agree that the badge alone won’t land you a job, but it might land you an interview. Yet having that badge in your portfolio along with the rest: demo work, recommendations of previous employers, certifications, diploma, … and just some regular good old writing, accounting and math skills, like you said before, it makes a difference, it shows some hands-on experience on the matter of security.

This is 100% something I agree with. But that’s also why I think the badge is effectively meaningless. If hiring managers are using that as the only entry point, then yeah, turning this into OSCP type badge makes sense. In reality it’s one thing in a big package. If the person has all those other things then I wouldn’t care if they bought the rank or not.

OT END:

Yeah - again, sorry for going on tangents but it does interest me!

I think this is the best method to trace users


Lab Activity

We will be utilizing network information collected from the Labs and activity pertaining to Challenges, specifically whether or not a Challenge has ever been started or downloaded to verify legitimacy of each own. The information we collect is basic (source user ID, target machine/challenge ID and timestamps of observed interactions), but can give us a good understanding of how users interact with Machines and Challenges. While we will not be preventing users from owning Machines without any interaction, this is something we will be keeping a very close eye on, and will potentially implement further mitigations to prevent this kind of behaviour in the future.

@nyckelharpa said:

Hack The Box just released some info about these changes: HTB News | Integrity of Hack The Box

They also have some good suggestions for your problems on there!