Rank Distribution

Just wondering if anyone else is curious about this and whether it has been posted as a discussion topic already. Are there approximate distribution stats around the number of HTB users at each rank? For example, 50% are n00b, 30% are script kiddie, 10% are hacker, etc. Obviously, it changes over time, but a general sense of this distribution would be really cool to know. (The HTB folks could easily argue that this is none of my business. I totally understand that.)

Maybe we could try to guess the actual distribution. If this is all posted somewhere else, let me know!

It is interesting - not sure if I’ve ever seen it discussed or answered before though.

Thanks for commenting @TazWake . What percentage of users do you think are at your level? … if you were to guess.

@c0nsid3rate, if forced to guess, I’d say around 20% of the total signed up users, but I think it would be around 10% of the regularly active users.

There are few things which muddy the statistics (but, to be clear, I’d love to know so if you ever work out how to get the data I am definitely interested):

For example: There isn’t a consistent level of effort needed to rank up and until about a year ago, the challenges were static and there were fewer of them. This means that in about 2018 you could get to Omniscient with a lower total number of flags than if you tried it today. Also, there are phases when boxes are just stupidly difficult and no one is levelling up for a while.

Secondly, activity levels drop off. A lot of people get to a rank then move on and stop being active here. It would be interesting to see how this compares to how many new people sign up over the same time period.

Using my own time here to explain:

I signed up in mid-2018 and got super involved, spending a lot of time here. By Jan 2019, I’d made it to Guru, but largely because they don’t release boxes as often over Christmas. However, I also found boxes were being released which I really struggled with (some because I am a dumbass, some were just to guess-the-path for me) and the challenges were defeating me.

As a result I pretty much gave up for about 9 - 10 months with only sporadic activity. Then in December 2019 a friend set a challenge and we both dived back in.

Now I really struggle with some techniques (such as BinExp) but by sheer luck, almost nothing in Dec/Jan needed this and I could find a way to solve the few bits which did. Combined with the slower release schedule over Christmas, this meant I managed to get to Omniscient.

If I was in a similar situation today, with the challenges rotating weekly and boxes like RopeTwo existing, I simply wouldn’t be able to get to Omniscient. Realistically, if you can do it today, while we may have the same “rank title”, you are much better at this than I am.

So you bring up some great points and have made me want to look at the data a little differently. I’d like to ask, of people who received a new rank within the last six months, what percentage were at each level? And then do the same for a period much further back and compare. Also, of the people who have the highest rank, what percentage of those are from early days of Hack the Box? In other words, are new people entering the ranks of Omniscient at a much lower rate than they used to?

@sparkla this is why it would be nice to have an approximate idea of the numbers. Would be interesting to find out if Omniscient is more or less common than we think. Is it 40k or actually less than 1k…or somewhere in the middle? A basic histogram would do the trick, with actual user counts at each rank.

@sparkla said:

@TazWake is that really the numbers you meant: on the frontpage there’s close to 400k users, so you estimate around 40k users have made it to Omniscient?

Actually, that wouldn’t surprise me. If you were on the site in 2017, getting to Omniscient would have been a lot easier (not an ideal choice of words but the best I can think of). While there were fewer users, there were fewer challenges and possibly fewer boxes - you could get blood in 20 days for boxes which would probably be 1-2 hours now.

I can say from experience, getting to Omniscient 8 months ago was a lot easier than it is today and I really believe that is true going back in time. Getting Omni in August 2018 would have been easier than it is today.

The level of competition is much higher now on all counts. If you joined HTB today and dropped 2 boxes a week, it would take about 4 months just to get all the boxes. Then you have 134 challenges to consider. 8 months ago I think there were about 60 challenges in total and most were from the first days of HTB.

Until this year, getting to Omniscient was much more time-based. Challenges never expired so you could do a few and move on, concentrating on boxes. Now hitting that 100% coverage is significantly harder because every week two things change. Realistically, getting to Omni now is close to a full time effort - but that wasn’t always the case. I got to Guru in 2018 with a few hours a week effort. It takes me much more than that now and I can’t even keep up with the current boxes.

And getting into the Top 100 is really hard now as well…

@c0nsid3rate - I do think this would be fascinating. I know HTB have an API (there is a key on your user settings page) but I don’t know what data it exposes. If you ever get in touch with them and build something I would 100% be interested in finding out what it offers.

@sparkla said:

The big question remains, WHY is HTB doing this? Judging from recent numbers, it seems I’m not the only one who isn’t particularly happy about this, more, harder, faster… crazy.

I can’t speak for HTB, and their motivations remain as much a mystery to me as anyone else.

However, I suspect they are under significant pressure to keep the environment fresh. People who don’t care about ranks/levels want to see new content and the only way it can be delivered at all levels is to deliver lots of it.

HTB competitors can produce new boxes (or rooms) at quite a pace. I don’t think HTB wants to risk becoming seen as “stale.”

The lead time between submission and release doesn’t help.

I don’t wanna be mean or anything, but content-wise it has become sooo bad. If someone asked me today if I would do it again I’d probably respond “I rather saw off my own foot”.

Yeah, I suspect (and this is just a guess) that this is a periodic problem. As I said, in early 2019 I felt all the boxes were just “guess-the-esolang” boxes. In hindsight, I was probably wrong, but it meant me giving up on them all for a long time.

It seems there is a path here - People start off keen and excited, smashing boxes. Then after a while, they hit a rank where they’ve done the boxes that resonate and the ones that are left need a different way of thinking. The good news is that it really is temporary.

Going back to the lead time - this means that ideas tend to turn up in a group. For example, if something is popular, a few people will create a box about it. Then 9 months later the boxes are released but everyone has forgotten it and gets frustrated about how stupid it is, but a few boxes will be like that because they were also submitted 9 months ago.

Privesc on one of the active boxes is like that. It uses a stupid config error made public at the end of 2019. It’s likely that the author built the box when the exploit was in everyone’s minds, but now it just seems weird, unlikely and hard to google.

After my marathon-of-horrors to the Elite Rank I usually take a quick peek only into a new box and if it’s another one of their “Mystery Surprises” I run away as fast as I can.

Yeah - but it is a seasonal thing. If you have time read back on some of the threads around boxes like FluJab, Bighead, CTF etc (and they were some of the less-contentious ones).

There were a few which turned out to basically be the box creator trolling people, and lots which were basically an experiment in googling esoteric languages.

Sorry, lots of bashing, sure there is another side to this medal. HTB made me essentially a real pro hacker in less than a year. But where’s their original “Game” attitude? Learning by having fun? All that’s left is the label.

For me, the fun matters. If it isn’t fun, take a break for a while. I am constantly surprised that there are people with professional or educational obligations to do stuff here.

Although you will lose points and progress towards the next rank you don’t lose the rank you are currently at.

This was a good example of feelings at the end of 2018: On the quality of recent boxes... — Hack The Box :: Forums

@TazWake very interesting about API key! I was definitely not aware of this. Yup, may or may not expose data. Still interesting, though.

@sparkla sorry about that. Thanks for idea. @TazWake thanks for knowing it exists.

@sparkla said:

That API thing was my proposition, didn’t know it exists.

Thanks for sharing, Taz. Not sure why you think HTB isn’t for professionals, if you dig into quite a few “my oscp path” writeups you’ll find lots of people failed, then turned to HTB and had an easy time afterwards.

I am fairly sure a lot of professional people who work in Security use HTB but that is a significantly different take.

If your job is to pwn boxes on HTB, then I’d be surprised. If your line manager says “You need to own X boxes to get a good appraisal this year”, IMHO your line manager is an as*hole.

I get that there are places where hiring managers etc demand people are at certain ranks but that is largely why you can buy the flags (in the old days) or write ups for boxes. This whole aspect of it is a farce.

HTB should be a fun place people go to practice certain skills.

Saying I want cert X so I will use HTB to practice is fine. It’s part of the box. If you decide HTB sucks, you can try vulnhub, TryHackMe etc.

That’s my point though. People should be here because they enjoy it. When they stop enjoying it, they can go elsewhere.

Also good to know this happened before, but then why repeat the mistakes?

That is an awesome question but I don’t have an answer. A lot of people in that thread don’t seem to be active any more, so maybe it is just a natural process.

IMHO part of the problem is the desire to be “new” and “challenging.” Box creators think “Ah, it is too easy because everyone knows X, so I need to hide it” which - certainly in 2018 resulted in weird stego, esolang etc.

It turns out, it’s never as easy as the box creators think.

The few people who desperately need their fresh brainfuck, HTB could just release some base info with those boxes, what everyone is gonna ask for nudges anyway, along with a new button “Mystery Mode” that hides the info and gives some extra points or a badge.

What I said before: As a player, when the BS starts at some point, you never know where it ends, and then struggle with the normal things as well. Who is really enjoying this stuff? I certainly don’t, it’s more of a feeling “why am I even doing this”, feeling trolled is the correct term.

Yeah - I know the feeling well. For me, that’s the sign that you need a break, let a few boxes go by and then try again.

In general, the “trolling” feeling seems to last for about 4-5 boxes but YMMV.

I don’t wanna drag ippsec into every other discussion yet if you look at recent videos even he has a hard time “explaining” how you could possibly find these things.

Again, I agree. There have been a couple where I’ve got though entirely by a lucky guess. It is possible that my guess was influenced by experience but it was still a guess. This annoys me a bit because we really need to be building our methodologies. Guessing a step kind of defeats it and only works because we know that a CTF has a definite path.

And there’s miles between that and some technically difficult stuff, that’s interesting and provided deepening of a topic, where every player gains from for the rest of his life.

Exactly. But I also get that it is super hard for the box creators to fit everyone’s needs and when push comes to shove, they will end up going for clever and exciting rather than methodological and useful.

For me, the challenges are where the weird stuff should go. If I am doing a stego challenge I don’t mind spending weeks trying to find an image.

If I am attacking a box, I don’t expect the admin password to be stego’d inside a random jpg on the home page for everyone to get. Not one bit of that makes sense.

On top if you start criticizing on brainfuck, people give you a hard time and the usual “you noob don’t you know this? stop crying” crap.

Around Dec 18 / Jan 19 there were lots of heated debates here about boxes. Some were terrible (Frolic, FluJab) and some were very unpopular (BigHead).

I actually didn’t mind most of them, BigHead was what took me to Guru but FluJab made me give up for nearly six months and let my VIP lapse.

Around the time I was working closely with about 10 people who were active on HTB - all of them bailed as they got fed up with the boxes. Some have come back now though.

This has nothing to do with try harder. Get used to being trolled harder.

Yeah, but I don’t even like the “try harder” answer :smile:

@sparkla said:

I just didn’t want people who don’t know me to mistake that in my character or attitude.

Understandable but that would be their mistake, not yours.

@Taz, accept that HTB has become an important milestone in Sec careers and is a platform to learn pentesting aka hacking.

I have only very few real life examples to prove my points but I’m sure I’m right - and I still have those few examples. Like that recent OSCP giveaway box. I can do that drunk with both eyes closed now, 8 months ago I didn’t know what gobuster is. Or the OSCP writeups.

I think I am explaining myself badly here.

I 100% agree that HTB (and all the other CTF platforms) are very good places to learn for a cert or improve your professional skill. That is 100% the reason why I am here.

However, that is very different from saying they have to be here. If you are studying for OSCP, for example, you can use the Offensive Security Labs, VulnHub, TryHackMe etc., or any of countless other resources on the internet. Even finding links to them here doesn’t mean you have to be here.

By professional obligations, I mean that they have to be here, not that this is your chosen path to learn practical offensive security techniques. IMHO this is a really bad take and implies a business manager too lazy to develop their own staff and too cheap to pay for HTB to build a cyber range for their business.

As you can imagine I constantly encourage people to try this platform out, but it has to be fun for them. If they don’t enjoy it, forcing them to churn through boxes is really, really bad management.

I know some amazing pentesters who deliver superb client-facing work, but struggle to get anywhere on the boxes here. I can do very well on boxes here but I am most certainly not a pentester. Saying to staff “You have to drop 1 box on HTB every week” is insane and pretty much the reason why people spend money to buy write ups.

And there’s another overlooked problem. Even though you kinda claim between the lines, if I’m not having fun with these BF boxes it’s my own problem and I should go away

That is a genuine misunderstanding. It is not what I am trying to claim.

I used the example of why I took a “break” in 2019 to show it happens to others and everyone has their own approach to deal with it.

The reality is the time involved in creating/approving boxes means that even if HTB listened to you right now and changed everything, it would be 3 - 4 months before different types of boxes made it through.

You have a choice here. Remain or take a break. Only you can decide which is the most tolerable. There is no value judgement on which you choose. It is entirely your life.

My point might be better stated as no matter what you do, there will be periods when the boxes here suck for you and change won’t happen quickly. If that means the site isn’t fun for you, then taking a break while it changes might be the better option, rather than doing something which isn’t fun and you aren’t being paid for.

There was no intention to attribute blame, responsibility etc.

(I disagree, fun is the responsibility of the vendor. Welcome to the world of gaming. And I’m not going anywhere.) - BF stops people from learning.

I agree and I agreed with Opt1kz in the previous thread.

I kind of understand why we go through periods of CTFy boxes but it doesn’t make it any better for people.

Whenever a BF box is up, writeups come flying by, people trade nudges like cigarettes after lunch, nobody seems to think for themselves anymore, and that is totally understandable. You don’t know where the BF / trolling stops and then don’t want to play anymore.

I agree with one caveat. People ask for nudges on every box, and I am kind of ok with that. Learning is learning, whatever the source.

This is like when I play a game with my kid and he starts making up his own rules “For this round you’re only allowed to move if I’m already richer than you”.

I know the feeling well and when I was a kid, this would often happen in games with other kids. When it did, sometimes the only solution was to stop playing until they agreed to make it fair again. This doesn’t mean it’s my fault the game was unfair, it meant it was no longer something I enjoyed enough to continue. Do you see the difference from your assumption I meant it was your problem?

I think, and I know I’m gonna get a lot of hate for this, BF boxes and the now unfair ranking feed the egos of a chosen few pretty well.

I don’t think you should get hate for this, it’s a reasonable opinion to have.

For me, someone starting today has a significantly higher bar to reach $rank than I did when I started two years ago.

But this also hints at where the problem lies. The Rank/Score etc is just a game. Lots of people are taking it much too seriously when in reality all it reflects is your progress in this game. If someone thinks that being $rank on HTB reflects anything in the real world they are, simply, wrong.

@sparkla said:

P.S. @TazWake don’t waste your time with me, I know you’re cool. There’s no beef between us and I doubt there ever will be.

Dude, I never feel like I am wasting time with you. I like the discussions it generates and even if neither of us get anywhere with a topic, maybe someone else will.

@sparkla said:

Well, I don’t have a choice. I use pretty much all resources I can get / afford. Not sure what brings food to your table, right now my only hope is a new job in sec, cause I have 0 income since the human malware started, debt is staggering up and I had so little income before as a dev that I can’t expect another dev job to pay my debt.

Ok - and I get how this sucks. But to try and clarify what I meant - I am not saying stop learning/improving/progressing or anything. I meant more that if you aren’t enjoying/progressing on the boxes here (and the learning experience has stalled for you), then it might be worth going somewhere else for a short while.

I don’t mean massive investments everywhere else either. For example, spend a couple of weeks on the free rooms on TryHackMe or the boxes on VulnHub or even OverTheWire.

I know what it feels like to be super frustrated.

I made my choice already and I’m thankful I could at least afford VIP. Not sure where it’s gonna take me, am I gonna buy another year or continue with active boxes? Probability is pretty low tbh, which is solely due to BF.

So this is exactly what happened to me in early 2019. While I was still learning bits on the boxes, the tedium of converting from Ook → B64 → Gzip → Rot13 → B64 → Brainfuck etc., made any learning no longer fun. Rather than continue to suffer while the problem was fixed - because it does get fixed, it just takes time - I went away for a while. I didn’t stop learning. I didn’t find a new career etc., I just chose a different path for a while. As you can see, I clearly came back…