@3mrgnc3 said:
FYI BigHead is not designed to be a CTF style box. I just troll those who treat it as one…
You realize this entire thread is because of you and how childish you were in your bighead thread right?
Not really, this thread is about finding a mutual consensus for what the community wants so that machine authors can focus on providing content that they know people will enjoy instead of trying to guess.
Let’s get back on topic, and let’s also take a minute to appreciate the fact that the mods are being active and considering this feedback. They’re taking time out of their day to try to listen to our constructive criticisms and create a better, more enjoyable environment for all of us. We’re lucky to have mods who care and try to push forward great content at a pretty demanding rate.
@3mrgnc3 said:
FYI BigHead is not designed to be a CTF style box. I just troll those who treat it as one…
You realize this entire thread is because of you and how childish you were in your bighead thread right?
Not really, this thread is about finding a mutual consensus for what the community wants so that machine authors can focus on providing content that they know people will enjoy instead of trying to guess.
Let’s get back on topic, and let’s also take a minute to appreciate the fact that the mods are being active and considering this feedback. They’re taking time out of their day to try to listen to our constructive criticisms and create a better, more enjoyable environment for all of us. We’re lucky to have mods who care and try to push forward great content at a pretty demanding rate.
Well they need to reconsider and that’s the whole point of this thread, I would prefer to spend time (as much as it has to) on a box that actually requires to approach it realistically rather than wasting my time trying to guess crazy things made out of the creator’s mind
Yes, please separate CTF from “Real world” boxes. That would be awesome as I “hate” spending time on a box just to realize its initial foothold is via credentials stored in an image by using steganography etc. I’m sure there are people who enjoy solving puzzles and they would probably think the same for “real world” boxes.
That being said, I really enjoyed and learned a lot from Vault, Dub, Active, Reel, RedCross and a few other currently active or recently retired boxes. These boxes were great for me as I’m probably not as experienced as the author of this thread.
Well they need to reconsider and that’s the whole point of this thread, I would prefer to spend time (as much as it has to) on a box that actually requires to approach it realistically rather than wasting my time trying to guess crazy things made out of the creator’s mind
I believe no one here would disagree about that.
Oh no I completely agree, just a couple of the posts on here have been plain complaints, which do not accomplish anything, and really do not help the community at all, so what I am saying is don’t complain and attack the people at HTB for not making a certain kind of box, when the service is free, and no one is forcing anyone at HTB to do what they do.
Like I said earlier, I love real world boxes, much much more than the CTF style ones.
@marino said:
Yes, please separate CTF from “Real world” boxes. That would be awesome as I “hate” spending time on a box just to realize its initial foothold is via credentials stored in an image by using steganography etc. I’m sure there are people who enjoy solving puzzles and they would probably think the same for “real world” boxes.
That being said, I really enjoyed and learned a lot from Vault, Dub, Active, Reel, RedCross and a few other currently active or recently retired boxes. These boxes were great for me as I’m probably not as experienced as the author of this thread.
All those you mention have very high approval ratings. Reel was cited by OP as an example of a hurts-so-good box.
The ones with poor double-digit ratings really stand out:
The membership are obviously loath to mark a box down unless it is really poor, myself included. It’s a complete mischaracterization to say members are inconsiderate or spoilt, side-briefings to that effect being entirely unproductive and disingenuous.
These boxen count towards rank via completion, same as the others. Perhaps those with 1 in 4 or +25% disapproval ratings should be points withdrawn. It would have been better if these had never gotten to market in the first place. HTB should assist members (and staff) who submit low approval rated boxen.
Yes it is all well and good to consider these new rating systems but they’d have to be implemented, would drain time and resources and might devalue older boxen.
These boxen count towards rank via completion, same as the others. Perhaps those with 1 in 4 or +25% disapproval ratings should be points withdrawn. It would have been better if these had never gotten to market in the first place. HTB should assist members (and staff) who submit low approval rated boxen.
Yes it is all well and good to consider these new rating systems but they’d have to be implemented, would drain time and resources and might devalue older boxen.
I can see your logic and agree with some of it. However, I see a few issues too.
+25% of what and when? After 2 people do the box with a +1 and a -1? so it’s +50%? or 10 people at +7 and -3? Or after a ratio of 5% of all active members complete it?
Everyone has different expectations. Some interpret the thing you hate as the thing they love.
A lot of people just want the flags to get on the scoreboard, but some of us don’t really care about that because we understand it’s not completely “real” as a mark of how good you would be as a real pentester. This is causing anger and frustration in some areas of the community imho.
Some people get frustrated to the point of asking for outright spoilers and feel angry at themselves when they skip learning parts of a box because they just want to finish it. I suspect the biggest cause of this is the aging off of points so quickly. They then, perhaps, downvote the box. I saw 12 people simultaneously complete Bighead within 1 day and most of the downvotes came then.
The problem is that it’s so subjective a thing, that we will never all agree.
A nice graphical metric for people to refer to so that they know roughly what type of challenge they face would maybe be the best way to please the majority of people that currently feel disappointed imho.
Thanks for the discussion to everyone contributing to this thread btw.
Besides a mechanism of categorizing machines (which I like) it might also improve the quality (or acceptance) of machines if there was more opportunity to give detailed feedback. For example there could be a per machine discussion thread for users who already rooted a machine. In this thread one could provide more detailed and hopefully useful feedback to the creator without spoiling the fun for others.
@prokaryont said:
Besides a mechanism of categorizing machines (which I like) it might also improve the quality (or acceptance) of machines if there was more opportunity to give detailed feedback. For example there could be a per machine discussion thread for users who already rooted a machine. In this thread one could provide more detailed and hopefully useful feedback to the creator without spoiling the fun for others.
We box makers get a lot of that already in DMs tbh.
Sorry if that was incoherent: dashing off. I meant that they do not count towards rank but you keep badges rather like retired machines, you wouldn’t want to punish people who had already done them nor people who wanted to skip them. You aren’t really going to know the rating until people actually do them. I don’t think rating them without flags would be fair. All in all though it would be far better for them not to go live in the first place and not to have to make systemic changes.
Sorry edit again: 25% disapproval/approval*100. See spreadsheet. Ratio of ‘So pro’ to ‘Lame ■■■’ (or whatever it is I can’t recall). These are the scores being given by users and they are probably conservative because I know I have rated absolute shockers ‘so pro’ just because y’know bit churlish not to encourage noob builders.
If over 25% ratings of lame/pro at some point, say by the time the next box appears, then it gets mercied so nobody else has to do it. Maybe they wouldn’t have to do it again if it gets resubmitted with a patch or some HTB remediation.
25 is completely arbitrary, could be 1 in 5 or even lower (bit harsh).
@chivato
Well as @opt1kz stated in his initial post all we can do as regular users IS “complain”, although I don’t see it like that, there is a difference and this is not bitching, we actually WANT to make things better and since there aren’t many great platforms out there that do what HTB does and HTB has the potential to stand out from the rest and not being a “just another CTF platform” we complain.
Our/my goal here is… well through complaints to make HTB much more than what it already is.
A platform where serious research should be done reflecting/simulating real life pentesting experiences.
Maybe if some of the sponsor companies focused more on this platform like JET with this Fortress (great lab although again mixed with CTF but at least having realistic elements) I guess it could become beneficial.
Users showing their skills and proving themselves and companies looking out for any potential candidates.
@izzie said:
Sorry if that was incoherent: dashing off. I meant that they do not count towards rank but you keep badges rather like retired machines, you wouldn’t want to punish people who had already done them nor people who wanted to skip them. You aren’t really going to know the rating until people actually do them. I don’t think rating them without flags would be fair. All in all though it would be far better for them not to go live in the first place and not to have to make systemic changes.
Sorry edit again: 25% disapproval/approval*100. See spreadsheet. Ratio of ‘So pro’ to ‘Lame ■■■’ (or whatever it is I can’t recall). These are the scores being given by users and they are probably conservative because I know I have rated absolute shockers ‘so pro’ just because y’know bit churlish not to encourage noob builders.
If over 25% ratings of lame/pro at some point, say by the time the next box appears, then it gets mercied so nobody else has to do it. Maybe they wouldn’t have to do it again if it gets resubmitted with a patch or some HTB remediation.
25 is completely arbitrary, could be 1 in 5 or even lower (bit harsh).
I don’t think that’s how voting works.
Surely, if we are going by community consensus as the defining metric, as long as > 50% are giving a +1 it’s a valid box?
@avetamine said: @chivato
Well as @opt1kz stated in his initial post all we can do as regular users IS “complain”, although I don’t see it like that, there is a difference and this is not bitching, we actually WANT to make things better and since there aren’t many great platforms out there that do what HTB does and HTB has the potential to stand out from the rest and not being a “just another CTF platform” we complain.
Our/my goal here is… well through complaints to make HTB much more than what it already is.
A platform where serious research should be done reflecting/simulating real life pentesting experiences.
Maybe if some of the sponsor companies focused more on this platform like JET with this Fortress (great lab although again mixed with CTF but at least having realistic elements) I guess it could become beneficial.
Users showing their skills and proving themselves and companies looking out for any potential candidates.
IDK, first of all sorry for my English, some stuff may not come out as I am thinking it so bear with me pls. I think we have many types of people using HTB which is great, but some of us already work in the industry, others not, etc. I personally like the “Real world” boxes with latest vulns I have not encountered yet on my day to day job to better prepare me for them, others that are learning from 0 like CTF alike boxes, others like both, and so on… I think the middle ground solution is to have instead of one for all area, is to have diff areas with diff type of boxes aimed to people that aims to have fun learning 0 days or recent vulnerabilities and those learning BOF’s and tactics from 1+ years or simple learn stuff that will put them on the right direction for later on… etc having 2 or more diff “paths” with boxes aim to those paths, will make everyone happier… I think… maybe not… just giving my 2 cents… I personally like to practice new vulns on boxes I know I have legit use to do so, and to do it on htb makes it fun because others are doing it also and you get this sense of comradery that you won’t get trying to go to exploit-db to the latest finding and creating your own VM at home… hope we all get to a good agreement <3
@Skunkfoot said: @opt1kz I like that you’re trying to start this discussion. The point isn’t to complain or bash anyone or their creations, it’s to highlight the issue and (hopefully) come up with a solution, and I think this thread, if used properly, could help us brainstorm as a community.
A little Devil’s advocate here, for the sake of progressing this topic to a point where we can agree on a solution:
A large part of the problem is that we haven’t really had that before. People want to create machines because it’s a learning experience for them and they think it will be fun, or because they think they have interesting and unique ideas, etc. Unfortunately, we’ve never had an HTB poll about what we would actually want to see in a box.
Since creators are basically guessing at what people want, or aren’t even thinking about what other people want simply because the thought never really crossed their minds, some people are bound to be disappointed in some of the products they create. Yes, we’re here learning for free, but these people are also creating our learning materials for free. The people who take time out of their day to learn and create these machines for us aren’t perfect, so naturally, sometimes they’re just going to miss the mark, and I think that’s okay.
I think a large part of this too is that a lot of creators are perhaps on the less-experienced side. There’s nothing wrong with this, I think creating a machine is probably a really useful learning experience. Unfortunately, the end result might not be as well-refined as some might like.
But I digress. What it really comes down to is this: If we’re not offering up a solution, then we’re just complaining. I think if more experienced people, such as yourself, would create the machines, the overall product would be better and people would generally be happier. Also, maybe we should have a site-wide poll run by the admins. I know personally, I’d really love to see more exploit development and custom scripting stuff in machines (but maybe I’m biased because those are weaknesses of mine that I want to improve on). I think we can all agree that we generally would like to avoid click-and-run exploits, msf modules, and vulnerabilities that require me to search for some really obscure tool to be able to exploit.
I’d also like to say that I agree with pretty much everything you said. This isn’t meant to bash you or anyone else for their opinions, it’s meant to continue a discussion that I think is going to be incredibly valuable for our community, so I hope it doesn’t come across as too accusatory.
I absolutely agree with the majority of the points you said here, especially putting forth the mindset of “This is my problem BUT…here’s the solution”.
Coming from an absolute beginner and a very recent HTB member, I intentionally come to HTB as an escape from CTFs and use this platform as a learning tool to gain as much REAL WORLD experience as possible. I would prefer to see the new boxes added to this platform adhere to that with the hopes that creators would view this thread as something to keep in mind when crafting future challenges. I’m also all for the idea of categorizing future boxes as either “real world” or “ctf”.
Regardless, would give huge amount of creds to the authors for at least putting effort into providing challenging material for free.
@izzie said:
Sorry if that was incoherent: dashing off. I meant that they do not count towards rank but you keep badges rather like retired machines, you wouldn’t want to punish people who had already done them nor people who wanted to skip them. You aren’t really going to know the rating until people actually do them. I don’t think rating them without flags would be fair. All in all though it would be far better for them not to go live in the first place and not to have to make systemic changes.
Sorry edit again: 25% disapproval/approval*100. See spreadsheet. Ratio of ‘So pro’ to ‘Lame ■■■’ (or whatever it is I can’t recall). These are the scores being given by users and they are probably conservative because I know I have rated absolute shockers ‘so pro’ just because y’know bit churlish not to encourage noob builders.
If over 25% ratings of lame/pro at some point, say by the time the next box appears, then it gets mercied so nobody else has to do it. Maybe they wouldn’t have to do it again if it gets resubmitted with a patch or some HTB remediation.
25 is completely arbitrary, could be 1 in 5 or even lower (bit harsh).
Is that how voting works? A minority dislike it so the majority must bow to the few?
:lol:
Surely, if we are going by community consensus as the defining metric, as long as > 50% are giving a +1 it’s a valid box?
If it were actual consensus maybe but these ratings are made ONLY by those people who managed to root them and still felt strongly enough to mark them lame. Vast majority probably never even bother completing them. Look at the number of members compared to the number of people rooting boxes. I have often seen people comment ‘skip this one’. I also think most people only mark a box lame if it is really, really awful, because most people understand enough to cut another member a little slack every once in a while.
I also think number of resets should be taken into account (as ‘votes’ if you must) as I think that gives a more accurate picture of how much unnecessary suffering a particular creation is causing the community.
@izzie said:
If it were actual consensus maybe but these ratings are made ONLY by those people who managed to root them and still felt strongly enough to mark them lame. Vast majority probably never even bother completing them. Look at the number of members compared to the number of people rooting boxes. I have often seen people comment ‘skip this one’. I also think most people only mark a box lame if it is really, really awful, because most people understand enough to cut another member a little slack every once in a while.
It’s entirely subjective. If I say something is awful. Do you just accept that that’s the way you will feel about it?
I also think number of resets should be taken into account (as ‘votes’ if you must) as I think that gives a more accurate picture of how much unnecessary suffering a particular creation is causing the community.
I think you are looking at it purely from your own perspective. The number of resets a user initiates indicates that they are less experienced generally. By definition, the higher the difficulty rating is, the more people will struggle with it.