HackTheBox, and many other cybersecurity training platforms, don’t allow for public writeups/walkthroughs of active challenges or boxes. If you ask me, it really takes the fun away of doing a box if you just casually find during your research a howto on how to solve it. You can always “not look”, but still 😉.

To avoid flags being out in the open internet and availble to anyone, HTB designed a system of flag rotation. Box flags rotate with every reset of the machine, so the flags I get on my run won’t be the same you get, and one can’t submit flags that once existed on that box.

That being the case, writers needed something to protect writeups/walkthroughs of boxes and challenges, so it was determined (on the same news post linked above) to use the root or Administrator password hashes of the boxes itself, since that doesn’t change between resets.

In my blog I do just that, so here are some examples:

Linux / *BSD

For Linux, once you get root, you just need to check the /etc/shadow file in case it’s a Linux box, or /etc/master.passwd in case of a *BSD, for the root password hash:

# cat /etc/shadow

You’ll get something like that so just use, in this case, $6$2GhqJwYEx0wOctSN$cT/j76969v2DdUNJvPTKZoV.SDVomGcccB.cyn0KYt.YtBKET4fcSRNyQKozPUV.bfuEQhUC1IYD5nRn94DeO1 as the passphrase to unlock the WalkThrough.


For Windows boxes, most of the time you’ll have some kind of remote shell that is able to dump user’s password hashes. In the case of the meterpreter shell, one just have to use the hashdump command:

meterpreter > hashdump

In this case, to unlock the WalkThrough just use aad3b435b51404aaaad3b435b514aaae:aab42ca009fed69695ee57c52cf5bccc.

You’ll get the same kind of output from other tools like Empire Project Invoke-PowerDump or impacket’s secretsdump.


In the case of a Challenge WalkThrough, the flag itself is the password to unlock the it. So, if the flag is HTB{Y0u_c4n_r34d_this_walkthrough!}, this is what you’ll have to input to unlock it.

Retired machines

Whenever a box/challenge is retired, I’ll remove the protection code and everything will be public 😉.