Hack The Box (HTB) is a popular platform for cybersecurity enthusiasts to sharpen their skills through hands-on challenges. This guide will walk you through creating an account, exploring key features, and getting the most out of your HTB experience.
To create an account on the HTB platform, go to this page and follow the steps below.
Sign up on this page with your email (Google, Outlook, LinkedIn, or any other provider).
If you have an academic account, I highly recommend using it to sign up for the student subscription and unlock its benefits.
Fill in the required fields as follows:
If you see this page, you have created the account successfully; the site only asks you a few more questions.
After answering them, you will get to your account's main page.
Congratulations, your account has been created successfully :)
Starting Point machines are designed to teach students the fundamental tools and commands they’ll need in their cybersecurity careers.
There are three tiers of machines: Tier 0, Tier I, and Tier II. Each tier offers both free and paid machines. For example, Tier 0 includes four free and four VIP machines.
Each Tier aims to teach you different things:
Tier 0:
Learn how to connect to FTP, SMB, Telnet, Rsync, and RDP anonymously.
Learn how to use Nmap to identify open ports.
Learn how to connect to a MongoDB server.
Tier I:
Learn basic web exploitation techniques such as SQL injection, Server Side Template Injection, Remote File Inclusion, and how to use Web/Reverse Shells.
Use the services showcased in the previous tier for exploitation.
Learn how to log in to Jenkins and upload a Groovy Shell Script.
Learn how to upload files to an S3 Bucket.
Tier II:
Learn how to exploit XXE, IDOR, and Log4j and perform cookie manipulation.
Learn how to exploit binary path hijacking and sudo permissions for privilege escalation.
Learn the basics of Brute Forcing.
Learn how to exploit LXD for privileged filesystem access.
Learn how to exploit insecure functions like strcmp() in PHP.
If you're a complete beginner, start with these Starting Point machines: complete the free ones, and the VIP ones if you can, then move on to machines and challenges.
HTB loves to gamify things, so it runs seasons. Each season lasts 13 weeks, with a new machine released every week.
The player has a week to hack the machine and capture the user flag and root flag (on Linux systems) or the Administrator flag (on Windows systems) to collect seasonal points.
Seasonal points earn you rewards from HTB after the season ends.
As of this writing, Hack The Box features 407 machines. These machines are categorized into active and retired, which I’ll explain below.
The machines are categorized by difficulty (Easy, Medium, Hard, and Insane) and operating system (Linux, Windows, FreeBSD, and others).
Active machines are free for everybody to play at any time. They also give you points, which increase your rank on the platform.
After a machine retires, it remains free for a week and then becomes paid.
Click on any machine to access its details page. Then, click Join Machine to start it and get the IP address.
To connect to the VPN, follow these steps:
Click on Connect to HTB and then Machines.
Choose the OpenVPN option:
Pwnbox is a virtual machine provided by HTB that allows direct access to any lab. VIP+ members enjoy unlimited usage. While not essential, Pwnbox is recommended for those who want a streamlined experience.
Choose any server and specify port number 443, then click Download VPN.
If you have an issue downloading the .ovpn file, just change the VPN server.
In your Kali VM, put the .ovpn file on the Desktop, and in the terminal type:
If everything goes correctly, you will get an IP address; view it using this command:
Now, you can ping the machine and start hacking :)
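As an added example (not part of the original post), the script below sanity-checks a downloaded .ovpn profile for the port 443 setting and for server certificate role pinning, starts OpenVPN, and waits until the tunnel interface has an address. The profile path, the interface name tun0 and the warning text are assumptions; the block uses only the stock openvpn and ip tools of a Kali VM.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: sanity-check a downloaded
# HTB .ovpn profile, bring the tunnel up, and report the tun0 address.
# Assumptions: "openvpn" and "ip" are the stock Kali tools; the profile
# path and the interface name are placeholders you pass in.
set -u

# Print the port from the first "remote <host> <port> [proto]" line.
ovpn_remote_port() {
  awk '$1 == "remote" { print $3; exit }' "$1"
}

# Succeed only if the profile uses port 443, as the guide recommends.
ovpn_uses_443() {
  [ "$(ovpn_remote_port "$1")" = "443" ]
}

# Succeed only if the profile pins the server role of the peer certificate
# (remote-cert-tls server), so a rogue endpoint cannot pose as the VPN server.
ovpn_verifies_server() {
  grep -qE '^remote-cert-tls[[:space:]]+server' "$1"
}

# Read "ip -4 addr show <iface>" output on stdin, print the IPv4 address.
tun_ipv4() {
  awk '$1 == "inet" { sub("/.*", "", $2); print $2; exit }'
}

# Run the checks, start OpenVPN in the background, wait for the interface.
htb_connect() {
  local profile="$1" iface="${2:-tun0}" addr
  ovpn_uses_443 "$profile" || echo "warning: remote port is not 443" >&2
  ovpn_verifies_server "$profile" || echo "warning: no 'remote-cert-tls server' line" >&2
  sudo openvpn --config "$profile" --daemon
  for _ in $(seq 1 30); do
    addr=$(ip -4 addr show "$iface" 2>/dev/null | tun_ipv4)
    if [ -n "$addr" ]; then
      echo "VPN is up: $iface has $addr"
      return 0
    fi
    sleep 1
  done
  echo "timed out waiting for $iface" >&2
  return 1
}

# Usage: ./htb-vpn.sh connect ~/Desktop/your-profile.ovpn
if [ "${1:-}" = "connect" ]; then
  htb_connect "${2:?profile path required}"
fi
```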
Retired machines require a VIP or VIP+ subscription to access. All of them have official writeups and video walkthroughs that you can access at any time.
Each HTB Easy or Medium machine has two modes:
Adventure mode: submit the user flag and root flag.
Guidance mode: players are guided through a series of questions designed to help them pwn the machine.
If you like playing CTFs, HTB challenges are the best :)
There are several categories of challenges there:
AI - ML
BlockChain
Forensics
GamePwn
Hardware
Misc
Mobile
OSINT
Pwn
Web
Reversing
Active challenges are free; retired ones are paid.
To play a challenge, click on its name. There are three important buttons here:
Start Instance: To start the challenge app
Download Files: The necessary files for the challenge
Submit Flag: Submit the flag when you get it
There are several ranks in the platform:
Noob
Script Kiddie
Hacker
Pro Hacker
Elite Hacker
Guru
Omniscient
Solving active machines, challenges, endgames, and fortresses earns you points to increase your rank.
To reach Hacker rank you should complete 20% of the active labs; 45% for Pro Hacker, 75% for Elite Hacker, 90% for Guru, and 100% for Omniscient.
Reaching Hacker rank unlocks Fortresses for you to play; reaching Guru rank, on the other hand, unlocks Endgames.
You can view your rank on your profile page:
Although HTB focuses more on red team labs, they created Sherlocks for blue teams. There are categories such as DFIR, SOC, malware analysis, and others.
Active and retired Sherlocks are all free :)
Click on any Sherlock you want and download its files; then answer the questions set for it to complete it.
A Track is a selection of machines and challenges tied together for users to progress through, mastering a particular subject.
You can enroll in a specific track to learn a particular subject such as OWASP TOP 10 or Active Directory pen-testing and others.
Pro Labs are red team labs offering interactive hacking training in realistic corporate environments, containing the following:
Multiple Machines
Realistic Scenarios
Simulated Users
Advanced Infrastructure
At the time of writing this post, there are 7 Pro Labs and 4 mini Pro Labs:
Pro Labs: Dante, Zephyr, Offshore, RastaLabs, Cybernetics and APTLab
Mini Pro Labs: Full House, Xen, P.O.O. and Hades
Each Pro Lab varies in difficulty. Dante is designed for beginners, while Zephyr, Offshore, and RastaLabs are for intermediate pen testers. Cybernetics and APTLab are best suited for advanced users and experts.
Every Pro Lab has a certificate, which you can get from your profile page when you complete it.
Endgame labs are advanced labs simulating real-world infrastructure and exploit scenarios, with multiple hosts and various attack paths.
There are four end-game labs (2 Free and 2 paid).
Free: Solar and Odyssey
Paid: Ascension and RPG
The player needs Guru rank to play the free Endgames.
Fortresses are fully customizable vulnerable labs that any company can host on Hack The Box. They are free and don't require a subscription to unlock.
The player needs at least Hacker rank to unlock these labs.
There are 6 Fortress labs:
Jet
AKERVA
Context
SYNACKTIV
Faraday
AWS
There are three subscription plans available:
VIP costs $14 - Unlocks retired machines and challenges.
VIP+ costs $20 - Same as VIP, plus unlimited Pwnbox (Parrot VM) usage and private instances.
Pro Labs Bundle costs $49 - Unlocks all the Pro Labs and mini Pro Labs.
Click Purchase and choose the plan you want; you will then be taken to the billing page to fill in your card info.
Fill in your card info, enter any coupon code you have, click Subscribe, and enjoy hacking :)
The monthly subscription renews automatically, but you can cancel it at any time without losing the rest of your current month.
Whether you're a beginner or an expert, Hack The Box offers something for everyone. Start your journey today, and feel free to reach out if you need any help along the way.
I hope you get the most benefit from this post; contact me at any time if you need help.
After you sign up using your email, you will be redirected to your account page. Now, click on the third button.