How to Play Pro Labs

Taking on a Pro Lab? Prepare to pivot through the network by reading this article.

Written by Ryan Gordon
Updated over a week ago

Hack The Box offers members who have gained enough experience in the penetration testing field several life-like scenarios called Pro Labs.

These consist of enclosed corporate networks of Machines with different operating systems, security configurations, vulnerabilities, and exploitation paths, all simulating a real corporate environment. Users looking to level up their security assessment skills should look no further.

Currently, our line-up stands as follows:

  • Dante is a modern yet beginner-friendly Pro Lab that provides the opportunity to learn common penetration testing methodologies and gain familiarity with tools included in the Parrot OS Linux distribution. You will level up your skills in information gathering and situational awareness, be able to exploit Windows and Linux buffer overflows, gain familiarity with the Metasploit Framework, and much else!

  • Offshore is an Active Directory lab that simulates the look and feel of a real-world corporate network. It was designed to appeal to a wide variety of users, everyone from junior-level penetration testers to seasoned testers and infosec hobbyists.

  • RastaLabs is a virtual Red Team simulation environment designed to be attacked as a means of learning and honing your engagement skills. The lab features a combination of attacking misconfigurations and simulated users.

  • Cybernetics is a Windows Active Directory lab environment fully upgraded and greatly hardened against attacks. For experienced penetration testers and Red Teamers, this lab will offer an amazing challenge to reach Domain Admin.

  • Zephyr is an intermediate-level red team simulation environment designed to be attacked to learn and hone your engagement skills and improve your Active Directory enumeration and exploitation skills. Zephyr includes a wide range of essential Active Directory flaws and misconfigurations to allow players to get a foothold in corporate environments.

  • APTLabs simulates a targeted attack by an external threat agent against an MSP (Managed Service Provider). The lab requires prerequisite knowledge of attacking Active Directory networks. APTLabs consists of fully patched servers, prevalent enterprise technologies, a simulated WAN network, and much more!

Subscribing to Pro Labs

Using the Pro Labs Bundle, you can access all the Pro Labs with a monthly or yearly subscription; more information on that is in this article.

To subscribe, use any of the Pro Labs pages and scroll all the way to the bottom, or use the Billing & Plans page.

Connecting to the Pro Lab

You can connect to the VPN by either clicking on the Connect To HackTheBox button in the top-right corner of the website or by navigating back to your selected Pro Lab page. You will find a Connect To Pro Lab button in the upper right of the Pro Lab page. From there, you will be able to select either OpenVPN or Pwnbox, the VPN server, and download the OpenVPN .pack file.

Once downloaded, you can connect to the lab the same way you'd connect to the main Machines lab.

Entry Point

Some Pro Labs mention the entry point you'll need to attack to gain the initial foothold into the system; some don't. You'll need to check this information on the Pro Lab's dedicated page.

You can see the entry point on the upper left of the Pro Labs page or in the Introduction section in the Flag List.

Your best bet, in any given case, is to scan the network. If you're unsure which subnet to scan, run the route command once your OpenVPN connection is up; its output should include the subnet assigned to the tunnel interface.
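As an added example (not part of the original article), the shell function below reads `route -n` output and prints the subnets routed through the tunnel interface in CIDR form. The sample routing table and its addresses are constructed, and the `tun` interface prefix is an assumption about how the OpenVPN interface is named on your system.

```shell
#!/bin/sh
# Added example: list the subnets routed through the VPN tunnel interface.

# Constructed sample of `route -n` output (all addresses are made up).
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
10.8.0.0        0.0.0.0         255.255.254.0   U     0      0        0 tun0
172.16.1.0      10.8.0.1        255.255.255.0   UG    0      0        0 tun0
10.8.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0'

# tunnel_subnets [IFACE_PREFIX]
# Reads `route -n` output on stdin and prints, in CIDR form, every network
# route whose interface name starts with IFACE_PREFIX (default: tun).
# Default routes (/0) and single-host routes (/32) are skipped.
tunnel_subnets() {
    awk -v pfx="${1:-tun}" '
        BEGIN {
            # Number of set bits for each valid netmask octet.
            bits[255]=8; bits[254]=7; bits[252]=6; bits[248]=5
            bits[240]=4; bits[224]=3; bits[192]=2; bits[128]=1; bits[0]=0
        }
        # Data rows have 8 fields and a dotted-quad destination.
        NF == 8 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && index($8, pfx) == 1 {
            n = split($3, o, ".")
            len = 0
            for (i = 1; i <= n; i++) {
                if (!(o[i] in bits)) next   # not a valid netmask octet
                len += bits[o[i]]
            }
            if (len > 0 && len < 32) print $1 "/" len
        }
    '
}

# Live use once the VPN is up:  route -n | tunnel_subnets
printf '%s\n' "$SAMPLE_ROUTES" | tunnel_subnets
```

Compare the printed ranges with the entry point listed on the Pro Lab page before scanning, so that you only scan the lab's own subnet.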

Pro Lab Introductions

Each Pro Lab has an Introduction that is placed at the top of the Flag List. Clicking on the Introduction will give you a brief description of the Pro Lab's concept, as well as the Entry Point.


The Progress list shows the available flags by nickname. Each flag's nickname gives you a small hint about that specific flag. Don't read too deeply into its meaning until you get there, or you risk getting lost in semantics.


The Machines list displays the available hosts in the lab's network. You will be able to reach and attack each one of these Machines. During the vulnerability assessment, each one can be identified by the hostname shown on this list, which lets you tick off each host, along with its OS, as you complete it.

Redeployment / Resetting the Lab

Something is bound to crash at some point. Don't worry about it! You can issue a Lab Redeployment request through the same page. Make sure to fill in the text box provided with a good explanation of what is going wrong.

We'd rather not redeploy upon requests like these:

But we will definitely redeploy upon requests like these:

Flag Submission

When you find a Flag, you can submit it directly on the same page. The Flag Submission is in the upper right of the Pro Lab page.

Canceling the Pro Lab subscription

To cancel your recurring Pro Lab subscription, click on your profile picture and/or account name in the top right of the website and select Subscriptions from the drop-down menu.

Once there, you can scroll down on the page until you find the Subscription for the relevant Pro Lab. There will be a Cancel button on the right.

Note that the remaining time on your current subscription will continue to be valid for you to use. It's only after this time has expired (either at the end of the month or at the end of the year, depending on which recurring subscription type you have) that the recurring payment will stop. You will need to manually resubscribe at a later time if you'd like to use the lab again.
