Vote for machines to auto-revert when a valid root.txt hash is submitted

If people leave sensitive info in logs/dirs when they’ve been rooting boxes and don’t revert the box, it spoils it for others.
I vote that boxes should auto-revert when someone submits a valid root.txt hash!
This would eliminate this issue on the saturated public VPN boxes.
As I see it, some of the boxes are being solved via this shortcut because people are not cleaning up and also are not able to revert the box with their free account.
What do people think about that?

Partly the reason for me going to VIP. A lot of other reasons too, but that is one of them.

I agree. I think it is wise to think about a mechanism to avoid passing precious info to people that want to learn and solve the puzzle by themselves.

I’m torn on this one. Running on eu_free can be challenging enough; people DoS’ing it with unnecessary bruteforces or reverting for really no reason. Maybe an option where the machine developer can flag the box as needing a revert after root.txt since not all of them leave a trail to root?

@excidium said:
I’m torn on this one. Running on eu_free can be challenging enough; people DoS’ing it with unnecessary bruteforces or reverting for really no reason. Maybe an option where the machine developer can flag the box as needing a revert after root.txt since not all of them leave a trail to root?

Might be wiser indeed.

@excidium said:
I’m torn on this one. Running on eu_free can be challenging enough; people DoS’ing it with unnecessary bruteforces or reverting for really no reason. Maybe an option where the machine developer can flag the box as needing a revert after root.txt since not all of them leave a trail to root?

That’s an interesting idea.

I tend to tidy up a bit as I go, so any files I upload are deleted once I’ve used them, etc.

But I know I’ve piggybacked on others without realising before. Immediate reset after root is a good idea, but I think the free server will struggle. I have been working on boxes before that 5 or 6 others have been doing, which is hard enough. But it reverting every time someone roots it would be annoying.

Something else that should be considered: what about boxes like Chatterbox, e.g. boxes where if you send a wrong payload you might corrupt that specific service (which will then require you to revert)?

Edit: I might have misunderstood the proposition. Is this for reverts after a submission of root.txt in addition to the current setup?

I don’t think after every root.txt, because that could potentially get ridiculous on some of the “high visibility” boxes, but I think (maybe) automatic periodic resets could be implemented? I agree there are times where you can cheat root.txt from someone else’s work; this is why I try to clean up after I complete a box.

(I won’t lie though, there are a few boxes where people not cleaning up is extremely handy. I’ve never said no to a free hint. :slight_smile: )

The fact that HTB has job application options based on your rank/score will naturally lead to people being incentivised to get all the flags by any means they can.
Leaving the possibility open for spoilers to be frequently left lying around just seems foolish to me. If the idea is that people gain points on their own merit, why not implement an auto-revert feature?

@3mrgnc3 said:
The fact that HTB has job application options based on your rank/score will naturally lead to people being incentivised to get all the flags by any means they can.
Leaving the possibility open for spoilers to be frequently left lying around just seems foolish to me. If the idea is that people gain points on their own merit, why not implement an auto-revert feature?

I think the people who are trying to ‘abuse’ the system to up their rank to get the jobs that the HTB sponsors provide are only going to do themselves a disservice. I personally believe any competent security person is going to know when you are bullshitting them. When they go into these interviews with their less than honest leet HTB hacker rank, they are only going to embarrass themselves.

But I see where you are coming from, I like the methodology that HTB provides for the CTF challenges where it spins you up a private temporary instance, although that is certainly not economical to provide for a free service, especially with the massive influx of new users.

Another issue with auto-reverts is that you will get trolls in the shoutbox who cancel every person’s reverts for hours.

@onlyamedic said:

@3mrgnc3 said:
The fact that HTB has job application options based on your rank/score will naturally lead to people being incentivised to get all the flags by any means they can.
Leaving the possibility open for spoilers to be frequently left lying around just seems foolish to me. If the idea is that people gain points on their own merit, why not implement an auto-revert feature?

I think the people who are trying to ‘abuse’ the system to up their rank to get the jobs that the HTB sponsors provide are only going to do themselves a disservice. I personally believe any competent security person is going to know when you are bullshitting them. When they go into these interviews with their less than honest leet HTB hacker rank, they are only going to embarrass themselves.

But I see where you are coming from, I like the methodology that HTB provides for the CTF challenges where it spins you up a private temporary instance, although that is certainly not economical to provide for a free service, especially with the massive influx of new users.

Another issue with auto-reverts is that you will get trolls in the shoutbox who cancel every person’s reverts for hours.

You make some very good points.
I agree with your 1st point. It’s just that I think it would be great if the ranking system could be as free from abuse as possible, in order to give a good representation of what all members’ skill levels are really like.

People trolling is a valid concern too. However, the auto-reverts a few minutes after a root hash submission could be exempt from resets, couldn’t they?

@drtychai said:
Something else that should be considered: what about boxes like Chatterbox, e.g. boxes where if you send a wrong payload you might corrupt that specific service (which will then require you to revert)?

Edit: I might have misunderstood the proposition. Is this for reverts after a submission of root.txt in addition to the current setup?

Yes, but it’s just my 2 cents’ worth… I have no power :smiley:

People would be able to abuse the current limit of reverts. Have a friend who got root? Ask him to root the machine and get a free revert.

@Thun said:
People would be able to abuse the current limit of reverts. Have a friend who got root? Ask him to root the machine and get a free revert.

Am I the only one who doesn’t save root flags when I finish the box lol…

I’m generally in favor of this. I’ve spoiled one or two boxes from other users’ data; not a huge issue on VIP, but it still happens. I manually reset every box when I finish it simply to ensure I don’t leave things behind, so automating that seems like a good idea to me…

And on the topic of trolls: if you don’t allow /cancel on root-based resets, they can’t stop them, and unless I’m grossly mistaken the same user cannot resubmit the key to spam resets.

I’ve submitted a link to this discussion thread to the HTB feedback form as a suggested feature request.

Feel free to do the same or continue to add any pros/cons here for consideration by the HTB admins/mods

Cheers,

3mrgnc3. :wink:

It would be nice if there was a time limit after a reset was canceled before another one can be issued… The other day I was looking at the root.txt file while somebody was continuously hammering the reset button and managed to reset it before I could cat the file… I mean it only took me a couple of minutes, but it was still frustrating… even just 2-3 minutes.

I believe this would be a useful feature. With a new box it may be more disruptive for everyone trying to do the new ones, so depending on historical stats, maybe enable it after the first busy days or week when released? Personally I reset a box when done.

On the other hand, more than once you find files or traces of users that are working on it at the same time. And it may technically and economically not be a desired solution on a free service. But I vote yay.

I always clean up when I am done. I also have benefited from paying attention to what is available, and arguably that is part of the enumeration to exploitation process (or a great way into a very deep rabbit hole)! However, I am in favor of the auto reset upon submission of root.txt, but it would need to be throttled to once every 10-30 minutes. Otherwise, someone could just keep submitting the hash over and over.

@dakkmaddy said:
I always clean up when I am done. I also have benefited from paying attention to what is available, and arguably that is part of the enumeration to exploitation process (or a great way into a very deep rabbit hole)! However, I am in favor of the auto reset upon submission of root.txt, but it would need to be throttled to once every 10-30 minutes. Otherwise, someone could just keep submitting the hash over and over.

AFAIK once you submit a valid hash you can’t submit it again?