I saw the thread the other day about how root flags will be dynamic now so people can’t share them. But obviously we normally use the root flag to protect write ups for live machines.
Everyone seems to agree that it’s good to read other people’s write-ups once you’ve completed a machine to see how they did it differently, and we don’t want to wait months to do that.
So what’s the official answer to this problem? Do we just use the admin password as the password for our write-ups? I think that idea was mentioned in the original thread, but I don’t think it was given as a definite instruction saying that’s what we should do. What has everyone else been doing?
I don’t think there is a good answer yet - other than, for now, write-ups are dead.
The admin password of the box is only an option for some boxes. Quite a few of them are rooted without ever finding it. Quite a few boxes are rooted by an exploit exposing the flag and nothing else. Take the retired box RE, for example: getting the admin password is basically getting the user flag. You never get the final password.
I get that this is a valid decision by HTB, who are keen to present rank/score as something with value but, for me, it does reduce the value & fun of HTB.
Yeah, good point, and you’re right, it is quite a big hit to the amount you can learn from HTB.
The best solution would be for them to allow us to submit write-ups for live machines but make them only accessible to people who have submitted a valid root flag for that machine. Seems like they already have everything you’d need for that too. The site can obviously tell if you’ve owned a machine, and already has the ability to store write-ups for each machine (but only for retired boxes at the moment). Really hope they can implement this some time soon.
They’re not suggesting to get the admin password, but to use the hash of the root or administrator password. If you have root access to the machine, you can simply cat out the shadow file to get it, even if you don’t necessarily need the root password to root the machine. I don’t know where to find that hash on a Windows system, but it should just be a quick Google search to learn that, I guess…
I think HTB should let us submit our write-ups, which can be seen whenever anyone owns root for the machine. Just like what they are doing for retired machines, but now even for owned machines!
While this would be a better alternative (for boxes where it is possible to do this and it doesn’t break the box early - remember, on RE you pretty much have admin access to get the user flag, the root flag is harder to get), from HTB’s point of view it doesn’t really solve the sharing problem. People can just share the hash, then read the write-ups and get the flag.
Not to distract from the actual conversation here, but I’m confused by the idea that you needed admin access to get the user flag on RE. I’d be really curious to hear how you solved it, if you don’t mind reaching out.
@TazWake said:
While this would be a better alternative (for boxes where it is possible to do this and it doesn’t break the box early - remember, on RE you pretty much have admin access to get the user flag, the root flag is harder to get), from HTB’s point of view it doesn’t really solve the sharing problem. People can just share the hash, then read the write-ups and get the flag.
Sorry, can’t say anything about RE, haven’t done it yet.
And yeah, it doesn’t solve HTB’s problem at all. But to be honest, I personally think it is a non-problem. If people want to cheat, they will always find a way. And in the end they are cheating themselves. This website is (at least in my opinion) mainly an opportunity to learn and not to gather points… and if you don’t want to learn, then you’re only wasting your own time.
Still, rotating the flags seems like a reasonable idea to discourage “easy cheating”, like when you’re frustrated or so. And at least after sharing the hash you would still have to complete the steps of a walkthrough and maybe at least learn a little bit…
It’s a retired box, so it’s not really a spoiler now. You don’t need admin to get the user flag, but when you are running as NT AUTHORITY\SYSTEM, you can’t read the root flag. You can get the admin password hash more easily than you can get the root flag - which was the clumsy point.
I would like to expand on VbScrub’s idea for people wanting to use their blog.
We could still have in place the same root flag string to unlock the write-ups, but for each box and for each reset, the flags would have some extra random hex string to be submitted to the platform.
Expanding on @d4rk3r’s idea, perhaps they could implement a system such that when you submit your root flag, you then get access to a special hash from HTB that is specific to that machine. It still has the same risks as before, but this way HTB can regulate who they give it to?
TL;DR: have HTB give the hash to people who own the machine instead of having it readily available on the compromised machine.
Yeah, that would work. Just have it give you a new special code/hash when you submit a valid root flag. Then that special code can be used to unlock write-ups etc., but it doesn’t actually work as a flag to be submitted.
Got a PM from a moderator saying they already suggested what we should do for write-ups in the original article about these changes. But that doesn’t seem to solve any of the issues TazWake brought up, and the GitHub page where most write-ups were posted is now saying they won’t accept any write-ups for live machines due to the new changes.
About the idea with the Administrator password hashes… does anybody know what to use on Windows machines/where to find the hash? As far as I understand, it’s in the SAM file, which can only be accessed when the system is not booted up…?
@nyckelharpa said:
About the idea with the Administrator password hashes… does anybody know what to use on Windows machines/where to find the hash? As far as I understand, it’s in the SAM file, which can only be accessed when the system is not booted up…?
On a running machine, it can be accessed via Volume Shadow Services, but it’s a tad bit impractical. Especially here on HTB, where some machines get reset at a 2 minute interval.
One of the problems as well is that write-ups are also stored on github.com. I am not sure if they still are, but I saw it like half a year ago. They’re uploaded in .pdf format, but in order to read one you’re prompted to enter a password - i.e. the root flag.
Seems like write-ups are going to be removed from GitHub if we go this way. And yeah, it’s good to synchronize write-ups only with this site, fairly. Check if a user has rooted a box and give them access to read it. It’s pretty simple, no reason to make hysterical threads here.