19 Mar 2020
Since Hack The Box started back in 2017, the user base has grown massively, as has the fierce competition to gain positions in the Hall of Fame. Users’ profiles on Hack The Box are more frequently being seen as a testament to their skill by potential employers who review their user profile when evaluating them for a position. Due to the not-so-recent rise in the number of people found to be sharing flags, we have been working on some steps to mitigate this behaviour.
We thoroughly believe in the value of practical experience, but also understand that the allure of being ranked amongst the top members of Hack The Box can lead to some rather questionable activity, so we’d like to make it clear that while we have been observing flag sharing amongst all tiers of users within Hack The Box over the past few weeks, no action will be taken. We only ask that you return to the fundamental purpose of Hack The Box - practical experience.
This post will disclose what we have been working on, what it means for you as a user and what we will be doing going forward to further ensure the integrity of Hack The Box.Flag Rotation
Some time ago, a feature was developed to rotate flags between resets on Machines in the HTB labs. Unfortunately, the release of this feature was delayed due to a rather large migration project (which was recently completed). The last three HTB Machines released (Ouch, Multimaster and Traceback) have had this feature enabled, meaning every time they are reset, new User and Root flags are placed upon the box. These are unique per lab and are tracked alongside owns.
Up until now, we have allowed users to submit historic flags (flags which have at some point existed on the Machine), however, going forward this will no longer be the case. Should you attempt to submit a historic flag you've been holding on to for a while, or that someone else has shared with you, it will be rejected (and a record made of the attempt), as such we believe it is very important to say that when you get a flag, submit it immediately.
One query we get is regarding collaboration within teams. We have no issues with team members collaborating, that’s the whole purpose of being in a team, right? However, we suggest that team members do not simply wait for flags to be shared within the team, but rather follow along with the progress you each make during the process of owning the Machine. You are not guaranteed to be placed upon the same lab as the rest of your teammates, and a valid flag for them may not be valid for you.Lab Activity
We will be utilizing network information collected from the Labs and activity pertaining to Challenges, specifically whether or not a Challenge has ever been started or downloaded to verify legitimacy of each own. The information we collect is basic (source user ID, target machine/challenge ID and timestamps of observed interactions), but can give us a good understanding of how users interact with Machines and Challenges. While we will not be preventing users from owning Machines without any interaction, this is something we will be keeping a very close eye on, and will potentially implement further mitigations to prevent this kind of behaviour in the future.Protected Writeups
We are aware that some community groups share writeups protected by the Root flag of Machines - please know that this change will, unfortunately, prevent this. However, we believe that these writeups may still be locked down by using either the Root password hash (for Linux Machines) or the Administrator password hash (for Windows Machines).What’s Next
Moving forward, we will be working to enable Flag Rotation on all Machines. We will be closely monitoring the metrics we receive from observed flag sharing, and will continue to fight to preserve the integrity of Hack The Box, from a perspective of practical experience and competition, in order to retain the value of HTB player ranking.
We hope that this transparent announcement will show you that we have been working hard to improve Hack The Box and that these changes are unfortunately absolutely required to maintain a fair experience for everyone. Should you have any questions or feedback regarding these changes, please do not hesitate to reach out to us at [email protected]
Thank you and happy hacking!
Hack The Box Team