Introduction

HackTheBox, like many other cybersecurity training platforms, doesn’t allow public writeups/walkthroughs of active challenges or boxes. If you ask me, it really takes the fun out of doing a box if, while researching, you casually stumble on a how-to for solving it. You can always “not look”, but still 😉.

To avoid flags being out on the open internet and available to anyone, HTB designed a system of flag rotation. Box flags rotate with every reset of the machine, so the flags I get on my run won’t be the same ones you get, and nobody can submit a flag that once existed on that box.

That being the case, writers needed something else to protect writeups/walkthroughs of boxes and challenges, so it was decided (in the same news post linked above) to use the root or Administrator password hash of the box itself, since that doesn’t change between resets.

In my blog I do just that, so here are some examples:

Linux / *BSD

For Linux, once you get root, check /etc/shadow on a Linux box, or /etc/master.passwd on a *BSD box, for the root password hash. Both files are readable by root only, and the hash is the second colon-separated field of the root line:

# cat /etc/shadow
root:$6$2GhqJwYEx0wOctSN$cT/j76969v2DdUNJvPTKZoV.SDVomGcccB.cyn0KYt.YtBKET4fcSRNyQKozPUV.bfuEQhUC1IYD5nRn94DeO1:18302:0:99999:7:::
bin:*:18104:0:99999:7:::
daemon:*:18104:0:99999:7:::
adm:*:18104:0:99999:7:::
lp:*:18104:0:99999:7:::
sync:*:18104:0:99999:7:::
<snip>

You’ll get something like that. The passphrase is the whole second field of the root line, including the $6$ prefix and the salt, so in this case use $6$2GhqJwYEx0wOctSN$cT/j76969v2DdUNJvPTKZoV.SDVomGcccB.cyn0KYt.YtBKET4fcSRNyQKozPUV.bfuEQhUC1IYD5nRn94DeO1 as the passphrase to unlock the WalkThrough.

Windows

For Windows boxes, most of the time you’ll have some kind of remote shell that can dump users’ password hashes. With a Meterpreter shell, one just has to run the hashdump command:

meterpreter > hashdump
Administrator:500:aad3b435b51404aaaad3b435b514aaae:aab42ca009fed69695ee57c52cf5bccc:::

The output format is user:RID:LM:NT:::, and the passphrase is the LM and NT hashes together, exactly as printed, with the colon between them. In this case, to unlock the WalkThrough just use aad3b435b51404aaaad3b435b514aaae:aab42ca009fed69695ee57c52cf5bccc.

You’ll get the same kind of output from other tools, such as Empire’s Invoke-PowerDump or Impacket’s secretsdump.py.
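As an added example that is not part of the original post (my own helper, not HTB’s or any of the tools’ code), here is a small Python parser for the two kinds of listing above: it pulls the hash field of the root line out of /etc/shadow or /etc/master.passwd text, pulls the LM:NT pair out of hashdump/secretsdump-style lines, and refuses the Unix case when the root password is locked (a field of `!` or `*`), because then there is no hash to use. The sample listings inside it are constructed, modelled on the ones shown above; the Guest line uses the well-known empty-password LM and NT values.

```python
import re
from typing import Optional

# Constructed sample listings, modelled on the ones shown above (not real box data).
SHADOW_SAMPLE = """root:$6$2GhqJwYEx0wOctSN$cT/j76969v2DdUNJvPTKZoV.SDVomGcccB.cyn0KYt.YtBKET4fcSRNyQKozPUV.bfuEQhUC1IYD5nRn94DeO1:18302:0:99999:7:::
bin:*:18104:0:99999:7:::
daemon:*:18104:0:99999:7:::
"""

# Constructed: root is locked out (no password hash at all), as on boxes where
# root is only ever reached through sudo. There is nothing usable here.
SHADOW_LOCKED_SAMPLE = """root:!:18302:0:99999:7:::
bin:*:18104:0:99999:7:::
"""

# Constructed hashdump/secretsdump-style output (user:RID:LM:NT:::). The Guest
# line carries the well-known empty-password LM and NT values.
HASHDUMP_SAMPLE = """Administrator:500:aad3b435b51404aaaad3b435b514aaae:aab42ca009fed69695ee57c52cf5bccc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def unix_root_hash(shadow_text: str, user: str = "root") -> Optional[str]:
    """Return the password hash field for `user` from /etc/shadow or /etc/master.passwd text.

    Both files keep the crypt(3) hash in the second colon-separated field
    (master.passwd simply has more fields after it). Returns None when the
    account has no usable hash: an empty field, or one starting with '!' or '*',
    which mean the password is locked or was never set.
    """
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[0] != user:
            continue
        pw_hash = fields[1]
        if not pw_hash or pw_hash[0] in "!*":
            return None
        return pw_hash
    return None


# user:RID:LM:NT:::, where the user part may carry a DOMAIN\ prefix in secretsdump output.
_HASHDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def windows_lm_nt(dump_text: str, user: str = "Administrator") -> Optional[str]:
    """Return the 'LM:NT' pair for `user` from hashdump/secretsdump-style output.

    The user-name match is case-insensitive and ignores any DOMAIN\\ prefix; the
    hashes are returned exactly as printed, because that is what the passphrase is.
    """
    for line in dump_text.splitlines():
        m = _HASHDUMP_RE.match(line.strip())
        if not m:
            continue
        name = m.group("user").split("\\")[-1]
        if name.lower() == user.lower():
            return f"{m.group('lm')}:{m.group('nt')}"
    return None


def walkthrough_passphrase(text: str) -> Optional[str]:
    """Work out the passphrase from whichever listing was pasted in.

    Tries the Windows format first (its lines are unambiguous), then falls back
    to the Unix shadow format. Returns None if neither yields a usable value.
    """
    return windows_lm_nt(text) or unix_root_hash(text)


if __name__ == "__main__":
    for label, sample in (
        ("shadow", SHADOW_SAMPLE),
        ("shadow (root locked)", SHADOW_LOCKED_SAMPLE),
        ("hashdump", HASHDUMP_SAMPLE),
    ):
        print(f"{label}: {walkthrough_passphrase(sample)}")
```

Paste the raw listing into walkthrough_passphrase and the returned string is what goes into the unlock box; a None result for a Unix listing means the root account has no password hash on that box, so this scheme can’t be used there.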

Android

HTB introduced its first Android box, Explore, on 2021-06-26. Since Android doesn’t have a root password hash, I decided to use something only root (or an app with the correct permissions) could read, and that is the ANDROID_ID value from the secure settings. To read it as root, one only has to run the following command:

# settings get secure android_id
0123456789abcdef

In this case, to unlock the walkthrough, we would use 0123456789abcdef.

Challenges

In the case of a Challenge WalkThrough, the flag itself is the password that unlocks it. So, if the flag is HTB{Y0u_c4n_r34d_this_walkthrough!}, that is what you’ll have to input to unlock it.

Retired machines

Whenever a box/challenge is retired, I’ll remove the protection and everything will be public 😉.