I also need to agree with the person who started this thread.
In my opinion there really should be an indicator that tells you if the box is rather CTF-like or realistic.
If you argue about who is going to decide that, I would recommend adding the possibility that the users who have already owned the box can vote on it. All in all the results would then match most personal opinions, which would be a nice indicator that could help people not to waste their time if they prefer realistic boxes or vice versa.
@3mrgnc3 said:
@izzie said:
If it were actual consensus maybe, but these ratings are made ONLY by those people who managed to root them and still felt strongly enough to mark them lame. The vast majority probably never even bother completing them. Look at the number of members compared to the number of people rooting boxes. I have often seen people comment ‘skip this one’. I also think most people only mark a box lame if it is really, really awful, because most people understand enough to cut another member a little slack every once in a while. It’s entirely subjective. If I say something is awful, do you just accept that that’s the way YOU will feel about it?
I also think number of resets should be taken into account (as ‘votes’ if you must) as I think that gives a more accurate picture of how much unnecessary suffering a particular creation is causing the community.
I think you are looking at it purely from your own perspective. The number of resets a user initiates indicates that they are less experienced generally. By definition, the higher the difficulty rating is, the more people will struggle with it.
That’s a very curious perspective. If 25% of people (minded to finish it) are marking it lame and it is getting reset hundreds of times then there is clearly an issue, especially when all the other boxes are averaging single digits. I’d say that is a clear trend, not a subjective opinion. If it did to anyone, then it would speak more to the experience of the builder than the same people who manage not to reset the other boxes hundreds of times.
Smasher was a smashing box - don’t think I had to reset it more than once but harder than most. Jerry was the easiest of easy boxes, hundreds of resets, (not by me).
Sadly, I often hear boxes being described as ‘impossible on free’. If one has to use some yardstick, ratings and resets are as good as any. I think 1 in 4 is generous but as I said: entirely arbitrary.
I shan’t comment again as I do not want to derail this discussion, just pointing at the data and offering solutions.
EDIT: mea culpa, saying the possibly already overstretched HTB tester should do a better job is not offering a solution. Perhaps ranked VIP members, say guru and above, could have first dibs and would be required to test and score these, provide assistance to builders and help take some of the weight here.
@izzie said:
EDIT: mea culpa, saying the possibly already overstretched HTB tester should do a better job is not offering a solution. Perhaps ranked VIP members, say guru and above, could have first dibs and would be required to test and score these, provide assistance to builders and help take some of the weight here.
I like it. That’s a very good idea in principle! Say if anyone in the top 50 could volunteer to forfeit the bloods/points for a box and they get the chance to contribute to testing and QC and make HTB even better. They could even earn extra contributor badges if they want.
However, the biggest issue I see with that is one of trust. I mean, we are all hackers here, right? That system could be totally gamed to monopolize the leader board if a larger percentage of players have pre-release details of how boxes can be completed.
Maybe if they agree to be dropped out of the top 100, perhaps, but get a special status as a valued contributor…
I don’t know, it needs more thought…
As far as differing opinions of boxes goes. Imho the disparity can perhaps come from the fact that the tester is able to speak to the creator and understand the intent better than the community that try to complete it competitively at release time and having to work it out for themselves. The psychological process is different.
I’m not trying to attack you. I think we just see it differently. That’s pretty much my main point here.
I encourage anyone to build a box and submit it. Then you will have a full insight into the process. It took many months of volunteering my free time on each of my submissions to try to get them balanced just as intended.
I think people that haven’t tried to do it themselves sometimes don’t realize how hard it can be to make a box exploitable in a very specific way that’s both fun and educational. Making sure to avoid all the unintended paths to root/system along the way.
Anyway,
All the best to everyone here,
We are all HTB.
@3mrgnc3 said:
However, the biggest issue I see with that is one of trust. I mean, we are all hackers here right. That system could be totally gamed to monopolize the leader board if a larger percentage of players have pre-release details of how boxes can be completed.
If the volunteers for testing agreed to be ineligible for bloods, no gaming of the leader board would be possible*. The testers would get the same base points as everyone else for owning a machine and that’s it. Once you’re at max rank (100% ownership) the only way to move up the chain is to get bloods because of the extra points that are awarded.
Edit: See the bottom of my post. There are indeed gaming issues, but it wouldn’t be from testers getting base points for owning machines.
You can see this in action if you compare the point breakdowns for no0ne and arkantolo (I’m not @'ing them in case they don’t want to be involved with this):
https://www.hackthebox.eu/home/users/points/21927
https://www.hackthebox.eu/home/users/points/1183
Those 18 points that no0ne is ahead by are directly from user bloods, of which he has two more than arkantolo.
There’d be no need to derank anyone or anything of that nature if you simply removed the ability to score bloods by people who’ve officially tested the box.
And although someone holding a top spot would be able to sit there for a while longer if they did indeed receive the base points from a machine, eventually they would be passed up by non-testers getting bloods, but they’d stay generally where they belong on the HoF.
None of this prevents people holding the top spots from gaming the system by REFUSING to test, either. Or testers leaking details to their non-tester buddies going for bloods, etc.
There’s a whole host of trust issues here, admittedly, but deranking people isn’t going to solve any of them.
Hey @opt1kz
You make some good points.
How about this one?
If, in order to reach maximum rank/completeness, each HTB member has to submit and have accepted a box of their own.
Then they only get maximum rank if it gets the +1 praise from over 85% who complete it?
Then the most experienced and skilled people can teach and share the skills and insights they have acquired with the rest of the community, and everyone benefits from it.
What are your thoughts on this?
You make some good points.
How about this one?
If, in order to reach maximum rank/completeness, each HTB member has to submit and have accepted a box of their own. Then they only get maximum rank if it gets the +1 praise from over 85% who complete it?
Then the most experienced and skilled people can teach everyone how it’s done?
Sound good?
I wasn’t involved in the debate surrounding percentages/upvotes, nor am I going to get dragged into it. I was merely responding to something you pointed out and, for the most part, agreeing with you. You seem a little upset, all things considered, pumpkin.
Nice bait attempt, though.
As someone who has made and tested quite a few boxes on the HTB platform I can tell you first of all, creating a box that is unique, interesting, challenging and realistic is very difficult. In the boxes I’ve made I try to keep them as realistic as I can, based on things I have seen in the real world performing assessments, but CTF-ish elements will inherently creep in sometimes to spice things up or to be able to pull off exploitation of a real issue that got a ton of attention (see the Valentine machine).
That being said, we do strive to release a mix of boxes but it is not always possible to please everybody. I do like the idea of having a marker next to each box denoting whether it is more CTF or more “real-world”.
As I said and others in this thread have stated, making a box is not an easy task and many out there may not have the time, resources or know-how to create one.
If there were a way for the community to submit box ideas, not just completed boxes, would that be of interest? Not just submitting a comment such as “make a box that has X” but rather a decently detailed narrative. I could foresee us mods taking realistic ideas and then working internally to create the boxes, giving credit to whoever submitted the idea (not replacing box submissions from the community, just another way to enhance things). The community has grown in such a way that we can not make every box internally every week, so we rely on submissions from you all to keep things varied and interesting.
In summary, building a box with a set path is not easy, building something nearly 100% realistic and challenging is even more difficult. We welcome all ideas and feedback, so, what are your thoughts on this?
@opt1kz said:
I wasn’t involved in the debate surrounding percentages/upvotes, nor am I going to get dragged into it. I was merely responding to something you pointed out and, for the most part, agreeing with you. You seem a little upset, all things considered, pumpkin. Nice bait attempt, though.
No buddy,
I was being serious with that suggestion. Not upset. I suppose it’s hard to translate that just via text sometimes. I guess we each read things with our own voice and emotion.
I’m grateful you started the thread.
Honest feedback is useful.
Love you all.
3mrgnc3
I’ve been playing HTB for 549 days according to my profile. I have loved every box/challenge I have ever been lucky enough to complete and am grateful to the machine creators for making them. I’m also grateful and forever indebted to ch4p and the HTB team for providing this wonderful platform for the community to sharpen their skills on. I don’t think there is a box I’ve done where I haven’t learnt a thing or two. HTB has taught me so much, it allowed me to start online friendships with like-minded people, and it even played a small part in landing me a decent gig in offensive security.
Most of the people complaining about recent boxes seem to be fairly new and came along before HTB became a commercial entity i.e. before VIP existed, before machines were retired, before job ads were posted and before sponsors were displayed on the front page. Maybe this commercialization of the community was the catalyst in the rise of these current self-entitled opinions?
Some advice to those who are unhappy with the current state of boxes:
- if you want to do OSCP like boxes, fork out for VIP and do the retired machines created by ch4p - though maybe exclude brainfuck (which is still one of my favourites)
- “Real world” external engagements generally have ‘slim pickens’ and if you are lucky enough to gain access, it is usually via default creds / password attacks against users i.e. boring - and you don’t learn a thing.
- Want full real world webapp simulation? Go play bounties.
- It helps to look at each machine as a jigsaw puzzle rather than just searching software versions and banners looking for edb exploits. As always, enumeration is key. If you dig far enough you’ll end up finding something. It’s a vulnerable machine after-all, its whole purpose is to be pwn’t.
Finally, some of my favourite boxes that I highly recommend:
- Beep
- Popcorn
- ■■■■■■■
- Brainfuck
- Holiday
- Cronos
- Europa
- Jail
- Joker
- Mantis
- Kotarak
- Hawk
- Bart
- Ariekei
- Crimestoppers
- Fulcrum
- Reddish
- Carrier
Just to name a few. If you feel betrayed after doing a recent box, go do one of the above, you won’t regret it. It’ll add 10 years to your life.
I totally agree with delo: so far what I’ve found in bounties and the real world are XSS. I’m probably too bad to find better.
@mrb3n : i love your boxes
Just throwing my 2p worth of IMHO feels into the debate.
First off, I agree with @opt1kz here. I think over the last couple of months there has been a trend towards more boxes with a more narrative exploitation path.
I think it is great to have some boxes which need “creativity” to solve, but there is already a lot of that out on the internet (VulnHub, Challenges etc). Of the people I personally know in real life who are on HTB, 10% have given up on HTB as a result of the recent boxes (admittedly that is only 3 people) and one cancelled their VIP sub.
It is true that HTB owes us nothing and, given that it is effectively a free platform, we can’t demand our money back. However, that (IMHO remember) spectacularly misses the point. People who like HTB, who enjoy being here, who are active on the forums and want to help new people, want HTB to be better. Criticising a trend (current or not, cyclical or not) is trying to make it better, not being butthurt and wanting to bail elsewhere. I like spending time on HTB, but I am only going to do it if it is both rewarding and enjoyable. This is not a comment on how others want to spend their time. If you enjoy hacking a box by googling esoteric facts, go for it.
Voicing an opinion about HTB isn’t “self-entitled” by any stretch of the imagination and it is no less (or more) valid than an opinion that people should do other things like bounty hunting.
For me, the attraction to HTB over any other platform was that it veered towards the “methodology” more - I like this because it helps reinforce processes, moves away from what is often a cultural “guess” reference and gives people wanting to learn about pentesting/redteaming/whatever a way to learn something useful.
If it doesn’t offer that, it is destined to become VulnHub with a scoreboard, and any attempt to argue against that is bad, then fine, I will stick to VulnHub for free. The scoreboard is at best an ego massage which I can live without.
Thank you.
@mrb3n said:
As someone who has made and tested quite a few boxes on the HTB platform I can tell you first of all, creating a box that is unique, interesting, challenging and realistic is very difficult. In the boxes I’ve made I try to keep them as realistic as I can, based on things I have seen in the real world performing assessments, but CTF-ish elements will inherently creep in sometimes to spice things up or to be able to pull off exploitation of a real issue that got a ton of attention (see the Valentine machine). That being said, we do strive to release a mix of boxes but it is not always possible to please everybody. I do like the idea of having a marker next to each box denoting whether it is more CTF or more “real-world”.
Things shouldn’t be creeping into builds? It’s very much a matter of opinion whether CTF elements spice things up. I think trollish boxes requiring essentially irrelevant, non-technical insider knowledge create very negative learning experiences.
The membership are not here for the entertainment of a few individuals.
There is trolling and there is trolling. Mischief was by design meant to be trollish, but was a very popular box (see stats earlier). Maddening at times but very entertaining. Likewise Rabbit, you just knew there would be traps. Hilarious, it was great fun. I’m sure people don’t mind a few CTF elements but guessing passwords making noobs DDoS the ■■■■ out of the boxes making them unusable just causes grief all round. Remember Jerry?
Designing boxen that just do not stand up on the available infrastructure or provide inconsistent results. Just no.
As I said and others in this thread have stated, making a box is not an easy task and many out there may not have the time, resources of know-how to create one.
If there were a way for the community to submit box ideas, not just completed boxes would that be of interest? Not just submitting a comment such as “make a box that has X” but rather a decently detailed narrative and I could foresee us mods taking realistic ideas and then working internally to create the boxes, giving credit to whoever submitted the idea (not replacing box submissions from the community, just another way to enhance things). The community has grown in such a way that we can not make every box internally every week so we rely on submissions from you all to keep things varied and interesting.
In summary, building a box with a set path is not easy, building something nearly 100% realistic and challenging is even more difficult. We welcome all ideas and feedback, so, what are your thoughts on this?
I am on record as saying making and testing boxen to a good standard must be rock hard.
You guys do an amazing job: on the whole you can see that the quality is excellent, approvals in 90%. But the bad apples really stand out.
I appreciate that resources are limited which is why I suggested that say JET tiers should pay a little back to the community by helping out with supporting box makers with advice, rating, testing boxes. (And no I don’t think they should be punished for helping either funnily enough).
This might help first time designers most. Some of those bad apples could be really sweet!
Obviously looking forward to more submissions from popular box designers too, but as mrh4sh said there is a queue of people waiting, so why not give some of them a go? You might even have time to do another yourself!
@delo said: Maybe this commercialization of the community was the catalyst in the rise of these current self-entitled opinions?
All users are equal.
I’m sure free users are monetized just the same. This ‘■■■■ off if you don’t like it’ attitude is toxic. What you are hearing is what a few are saying publicly, constructively. Many more have expressed privately gratitude and a fear of speaking out.
There is absolutely nothing wrong with members voicing their opinions and trying to raise standards; they don’t need to be dismissed as self-entitled and told to go play in the sandpit.
The stats show that recently SOME boxes have been poor by comparison with these older boxes. Most people who have been around long enough would say they are a lot harder too. Not necessarily a bad thing.
Dear HTB Community
For the record everyone,
Anyone can feel free to DM me with constructive feedback (no abusive profanity filled rants please though) on ANY boxes I author once they complete them. Some people already have many times.
I will listen to your point of view. I will listen to you, and hope you allow me to put across my thinking behind what I was trying to achieve. We can discuss it in a positive frame of mind. I want to improve and go on creating boxes for the benefit of the community purely because I enjoy and learn from it.
I don’t publish boxes to try to be 1337 (I’m so so not).
I love you all
3mrgnc3
@delo said:
if you want to do OSCP like boxes, fork out for VIP and do the retired machines created by ch4p - though maybe exclude brainfuck (which is still one of my favourites)
Realistic does not mean mirroring the OSCP environment. Nobody has said or asked for any such thing. Several people have said they’re here preparing for OSCP, but not one person has said, “I want a copy of the lab environment I already have access to!”
@delo said:
“Real world” external engagements generally have ‘slim pickens’ and if you are lucky enough to gain access, it is usually via default creds / password attacks against users i.e. boring - and you don’t learn a thing.
See:
re-al-ism
noun
the quality or fact of representing a person, thing, or situation accurately or in a way that is true to life.
As in, not having to go searching for critical files hidden in l33t_d1r_7h47_w0u1d_n3v3r_3x1s7 and other CTF elements that you would only ever see in CTFs. You don’t learn anything from that, either. There needs to be a healthy balance. It’s really not a difficult concept to grasp.
@delo said:
Want full real world webapp simulation? Go play bounties.
Yet another thing that nobody has alluded to. Not only that, but you can teach people web app vulnerabilities beyond LFI/RFI and SQLi (99% of what we see on this platform) without having to write a full-blown, custom CMS or being lazy and tossing up a vulnerable WordPress plugin.
@delo said:
It helps to look at each machine as a jigsaw puzzle rather than just searching software versions and banners looking for edb exploits.
“Everyone who’s complaining is just looking to pop easy shells with public exploits”.
First: Yeah, no. Try again.
Second: There are jigsaw puzzles and then there are jump-through-idiotic-nonsensical-hoops-just-because puzzles. Can you guess which of these two things people in this thread are complaining about?
@3mrgnc3 said:
Dear HTB Community. For the record everyone,
Anyone can feel free to DM me with constructive feedback (no abusive profanity filled rants please though) on ANY boxes I author once they complete them. Some people already have many times.
I will listen to your point of view. I will listen to you, and hope you allow me to put across my thinking behind what I was trying to achieve. We can discuss it in a positive frame of mind. I want to improve and go on creating boxes for the benefit of the community purely because I enjoy and learn from it.
I don’t publish boxes to try to be 1337 (I’m so so not).
I love you all
3mrgnc3
Look mate I know someone made the mistake of saying this thread is about you? It really isn’t. And nobody should be sending anybody abuse profanity ridden or otherwise, privately or otherwise.
Just point at the problem. Suggest a solution. Don’t get mad when you don’t get your little way. Work hard. Be kind.
I don’t know where all this ‘no foruming in the forum’ is coming from? The community belongs to everyone regardless of rank, experience, ability, longevity.
Hello everyone, I have been following this conversation. I really liked @3mrgnc3’s suggestion; basically, I loved it because I love graphs and I believe that indeed the user should know what to expect before trying a machine (without giving away part of the solution).
It’s already half-way coded, sample below. @3mrgnc3 I hope it meets your expectations.
@ch4p said:
Hello everyone, I have been following this conversation. I really liked @3mrgnc3’s suggestion; basically, I loved it because I love graphs and I believe that indeed the user should know what to expect before trying a machine (without giving away part of the solution). It’s already half-way coded, sample below. @3mrgnc3 I hope it meets your expectations.
I must’ve missed @3mrgnc3’s suggestion on this, but I just went back and saw it. I like it too. It’s pretty spiffy. Nice visualization.
However, I don’t think it addresses the core issue that this thread is based around; that of having too many “heavily” CTF boxes being submitted/approved. It gives people some forewarning before jumping into a box, sure, but that’s about it.
Note that I’m not trying to detract from new features being added. I honestly like the looks of this one.
@ch4p said:
Hello everyone, I have been following this conversation. I really liked @3mrgnc3’s suggestion; basically, I loved it because I love graphs and I believe that indeed the user should know what to expect before trying a machine (without giving away part of the solution). It’s already half-way coded, sample below. @3mrgnc3 I hope it meets your expectations.
Thank you ch4p. I think it’s a welcome addition and it fits nicely with the feedback throughout the discussions in the thread. I appreciate you taking the time to implement this kind of change which will add further value to the platform as a whole.