How "real world" are CTF models like HTB?

I am wondering how “real world” is HTB?

Let’s say we have three typologies of “hacking.”

The first is CTF scenarios like HTB. The second is the activities performed by professional pentesters. The third are the actions of criminal hackers (or “crackers” if you prefer).

How do CTF-type challenges like HTB differ from the type of tasks engaged in by pentesters?

I don’t know how many active pentesters might read this so I certainly don’t mind speculation from those who are not (yet) pentesters.

@matthewhtbnow said:

How do CTF-type challenges like HTB differ from the type of tasks engaged in by pentesters?

Caveat - I am not a pentester, but I see their work on a regular basis.

The simple answer is “quite a bit”, but that is an oversimplification.

Possibly the most important thing from a pentest/pentester is the report. You dont need to do this on HTB. This is partially met by the walkthroughs people create but a good pentest report needs to be much, much more. A pentester who just pops domain admin and walks away is not a good pentester. The only value they add is the way they explain what happened and, crucially, how to prevent it in the future.

That aside, HTB is an awesome platform delivering fun challenges to people. This means it is rare for any two boxes to have the same initial foothold or escalation paths. In turn, this means box creators have to be inventive. When you pentest an organisation this is not the case. 75% of the tests will be an “assumed compromise” where the pentester has a device on the network and needs to move laterally to DA. The rest will be “outside-in” where they have to find a way in first (and will generally just phish someone rather than an esoteric compromise).

It is super rare for an HTB box to reflect a real network, normally its a “simple” get a shell, privesc, done. On a pentest, this is rarely the scope. More often a pentester will need to understand how to move from device to device (pivoting), how to maintain persistence (because devices will reboot rather than be reset), how to issue commands over the C2 channels, how to avoid security tooling etc. Reddish came close to this.

When it comes to HTB you can do things you would never dream of in a pentest. You can brute force access with super noisy attacks, you can bounce running services, you can break the box to the point it needs to be reset. It is rare for this to be acceptable on a pentest.

You can do really well on CTFs and suck as a pentester. You can be a super awesome pentester and suck at CTFs.

The tl;dr is that they are different. CTFs provide an awesome way to practice a particular skill, keep your general knowledge in, test yourself etc. But it isn't a "pentest" and it isn't a replacement for hands-on experience as a pentester.

I have seen multiple HTB scenarios in the “real world”. I am not a penster, but I have to look at multiple aspects of cyber security in my projects and occaisionally “prove a point” using offensive techniques. In fact, I just did my ISC2 professional survey today and listed HTB as an important training method! I totally agree with everything @TazWake said, however in my own state of perpetual delusion and “coping mechanism” I have stopped trying to differentiate between “CTF” and “Work”. They are both my problems, and both real to me.