Skip to main content
How to Play Challenges

Get briefed on how challenges work and how to play them!

Ryan Gordon avatar
Written by Ryan Gordon
Updated over a week ago

Challenges are bite-sized applications for different pentesting techniques. These come in three main difficulties, specifically Easy, Medium, and Hard, as per the coloring of their entries on the list. However, the actual difficulty is rated by the users that have completed the Challenge, and these range from Piece of cake to Brainfuck.

The purpose of Challenges is to introduce new users to different concepts such as reversing, OSINT, steganography, etc., but also challenge the more experienced ones with creative ways to resolve some of the more challenging entries on the sortie.

Following the release of the new design of the Hack The Box platform, we are putting out guides on how to navigate the new interface.

Whether you’re a new player or a veteran in Hack The Box, this guide will give you some useful tips and guidance on how to play Challenges in the new layout.

Challenge categories

We host a wealth of Challenge typologies, ranging from very hands-on to very ephemeral, conceptual ones. The categories hosted on the platform are as follows:


Revolving around the art of reverse-engineering, this category will have you using reversing tools to find out what a certain script or program does to find the flag.


Miscellaneous Challenges that don't strictly fit into any other given category. Variety is key here but also the source of all the fun solving them.


Revolving around the art of finding or embedding hidden messages in plain-looking objects, the Stego categories will have you use steganographic tools and your detective intuition to search for the hidden flag. Don't trust your eyes.


Revolving around cryptographic functions, this category will have you decrypting objects which were locked away from the prying eye with up-to-date cryptological processes.


Revolving around web-based applications, this category will require you to detect, exploit and search through different vulnerable web applications. The themes of these Challenges are very intriguing.


Revolving around data recovery and forensics, this category will require you to nitpick at small details in recovery data batches to try to get to the bottom of what happened. A keen eye and a lot of patience will help you go a long way as a forensic analyst. No CSI quotes included.


Revolving around publicly available data farming, this category will teach you how to laterally move between search engines' pesky algorithms to try to find the missing piece of the puzzle. Or maybe the missing person?


Revolving around binary exploitation and memory corruption, this category will have you creating exploits that'll make anyone lose their bits.


Revolving around multiple types of handheld devices, this category will have you scrolling on social media to like our posts and analyzing the intrinsics of different mobile applications to find the hidden embedded functionalities and flags.


Revolving around penetrating different hardware systems with your software, this category will have you analyzing different attack methodologies for objects we use every single day, even if we know it or not. Turning it off and on again will not solve this problem, sorry.

Navigating to the Challenges page

You’ll need to navigate to the left-hand side menu and click on Labs, then Challenges from your dashboard.

This will take you to the Challenges line-up page, where you can find all controls required for you to play them. This includes the file download button, flag submission controls, to-do list, and more.

Note that in contrast with the Machines page, the Challenges page doesn't have any VPN controls. This is because the Hack The Box Challenges can be solved without a VPN connection. You must, however, download some files or connect to a docker container, depending on the Challenge type.


On the Challenges page, you will see the highlighted ones at the top. These can be the staff pick and the newly released Challenges.


There are three menus that you can select from to filter through the lineup.

  • Active Challenges

  • Retired Challenges

  • Challenges To-Do List

Active Challenges

Most of the Challenges on our lineup are Active. This means that no walkthroughs are allowed for them as long as they stay in this state. This offer points to the user who completes them depending on their difficulty.

The difficulties and their respective point allowance are as follows:

Easy - 10 to 30 points

Medium - 40 to 50 points

Hard - 50 to 100 points

These values are not fixed, and you might spot some special occurrences.

Retired Challenges

These look and behave the same as the Active Challenges but do not offer you any points upon completion. However, they’re a good tool to learn what that category entails and what some of the ways of solving these are.

Challenges To-Do List

The Challenges To-Do List contains both Active and Retired ones that you’ve added to your own personal to-do list.

You can either add a Challenge to your to-do list by visiting its dedicated page, where you will find the option for the to-do list on the left-hand side menu.


You can filter each of the above lists according to your needs. The filter options are listed as drop-down menus above the Challenge entries in the respective list. These consist of the following:

  • Status (Complete, Incomplete, Both)

  • Sort By (Release Date, Name, Points, User Solves, Likes, Dislikes, User Difficulty)

  • Difficulty (Easy, Medium, Hard, Insane)

  • Category

The Category section offers users the possibility to select one of the Challenge categories: Reversing, Misc, Stego, Crypto, Web, Forensics, OSINT, Pwn, Mobile, Hardware.

Solving Challenges

Most of the Challenges require you to download a given archive that contains the starting materials for you to work on. Be they executables you need to reverse engineer, images for OSINT searches, images with hidden data inside them, they will all require you to download and extract the files. All of them come in password-protected form, with the password being hackthebox.

You can select a Challenge from one of the categories below the filter line. You should be able to see all of them if no filters are activated on the platform.

All the needed controls are on the Challenge's dedicated page.

Some Challenges come with their own Docker instances that you will need to boot up. Some come with archived files, as mentioned above. Some come with both! Take You know 0xDiablos, for example, this one has both options that you will need to explore and solve to finish the Challenge and find the flag.

To start an instance of the Docker associated with this Challenge, press the Start Instance button. To shut it down, press the Stop Instance button. The host address that you will be interacting with, consisting here of a Docker instance, will be seen below the Stop Instance button once the container is up and running.

From the same menu, you can also download the necessary files. All of them come in password-protected form, with the password being hackthebox.

You can also submit the flag, add the Challenge to your To-Do list or view the Forum Thread for that respective one you're tackling.

Once you finish the Challenge and input the flag, you will need to select a difficulty rating before submitting it. These will contribute to the overall difficulty graph above.

Note that the flags will always be in the format mentioned in the text box of the challenge. They will never deviate from that form: HTB{s0m3_t3xt} unless strictly specified in the Challenge description.

Did this answer your question?