Modules & Paths are the heart and soul of HTB Academy. They are the two primary categories of learning content on the platform.
Modules are like courses; they contain content confined to a specific subject, such as Linux Privilege Escalation or Windows Fundamentals. Each of these is its own discrete unit and has a certain cost of Cubes associated with it.
Each Module contains Sections. These are akin to chapters or individual lessons. They each cover a discrete part of the Module's subject matter. For example, Linux Fundamentals has Sections for User Management, Package Management, Navigation, and many more. In addition, some Sections are interactive and may contain assessment questions or a target system for you to test out what you've learned.
Paths are groupings of Modules that are all related to each other. The goal of a Path is to guide you through a specific set of Modules to master some particular subject. For example, the path Active Directory Enumeration contains Modules that cover various topics related to Active Directory.
Enrolling in Paths and Modules
The first step in your educational journey with Academy is to enroll in a Path or start working on Modules directly. There are scores of Modules to choose from, so take a look around and see what interests you!
To learn more about navigating Academy, filtering Modules, and how the Cube System works, check our article introducing the Academy platform.
Click the button below to learn how to filter Modules:
If you aren't sure what Module to start with, the Introduction to Academy and Learning Process Module's are a great place to start.
Unlocking a Module
Once you've picked a Module, you'll need to unlock it to begin working. Unlocking a Module will cost some amount of Cubes. The amount of Cubes required to unlock a module is shown at the bottom of the Module preview tile.
The amount needed will also be displayed when you attempt to unlock the module.
Completing a Module also awards some Cubes back to you. For the Tier 0 Modules, the amount awarded back to you for completing the module is the same as the cost, making these completely free.
You can also see the number of Cubes you receive for completing a Module in the preview tile.
If you are unfamiliar with the Cube System, please see the Introduction to Academy article linked in the previous section of this article.
Once the Module is unlocked, you'll be able to begin working on it.
Enrolling in a Path
Unsure of what module to start with? That's okay! Instead, you could enroll in a Path for a guided experience. Enrolling in a Path is just as simple as unlocking a Module.
Navigate to the Paths page, and select the Path you are interested in. Once you've located it, click the Enroll button.
Once you've enrolled, your chosen path will be displayed on your dashboard under the Currently Enrolled Path section. From here, you will be able to see the individual Modules that make up the Path and start or continue working on it.
To continue your progress on your Path, press the Continue button on your dashboard.
If for some reason, you decide you are no longer interested in working on the Path you've selected, you can enroll in a different Path. You will be automatically unenrolled from your current Path.
It's important to understand how the Modules on HTB Academy are structured. Each Module is broken up into Sections. These Sections are equivalent to one lesson in the topic covered by the Module.
You can view all of the Sections in a Module in the Table of Contents on the right side of the Module's content.
Some Sections have a Cube before their name. This signifies that the Section is Interactive.
An interactive Section may have a practical component, where you interact with a target system or Pwnbox instance. It may also have assessment questions for you to answer. We will talk a bit more about this Interactive Sections portion of this article.
The Cheat Sheet
Above the Table of Contents, you'll find a button called Cheat Sheet. This Cheat Sheet serves as a reference for commands related to the subject matter. This may contain both commands actually used in the Module, as well as related commands you may simply find useful.
The Cheat Sheet can also be accessed from a second button in the Questions portion of Interactive Sections.
Progressing through a Module
Each Section of a Module contains reading material that serves as a lesson on the given topic. You'll want to be sure to read this material carefully, taking the time to make sure you understand it, and doing your own research when necessary.
Once you've completed all the content a Section has to offer, you can mark it as complete and move to the next one by pressing the Mark Complete & Next button at the bottom of the page.
After marking a Section as complete, a green checkmark will appear next to it in the Table of Contents. This makes it easy to keep track of what content you've already finished.
Interactive Sections and Target Systems
Interactive Sections are the practical portion of Academy Modules. This is where you take the knowledge you've gathered from the reading material and actually apply it.
Sometimes this means you answer an assessment question on the material you've just read. Other times it means you use the Pwnbox instance provided to you under My Workstation to run some commands. Most times, it means you are given the IP address of a target, which you'll then either connect to or attack.
Many Interactive Sections will require you to spawn a Target System. These are systems that have been configured to be enumerated or attacked as part of a lesson. They come in two flavors: Docker Targets and VM Targets.
As the name would suggest, Docker Targets are target systems that make use of Docker. Once spawned, they will take the form of
IP:PORT, such as
:30655. The scope of Docker Targets is limited to the specified port, so there is no reason to perform any enumeration beyond that port. They are also accessible over the internet, meaning a VPN connection is not required.
For cases where a Docker image can't be used, such as Modules that use a Windows target or an Active Directory environment, a VM Target will be spawned. These target systems will provide an IP address, such as
10.129.89.137. You will often be provided with a set of credentials and a method of connecting to the target, such as
SSH to 10.129.89.137 with user "htb-student" and password "[email protected]_stdnt!".
If you aren't provided with credentials and a login method such as SSH, RDP, or WinRM, it's safe to assume you are meant to attack the target unauthenticated.
Spawning Target Systems
In order to spawn a target system, scroll down to the bottom of the page to the Questions section and click on the link that says
Click here to spawn the target system!
If for some reason, you believe there is an issue with your target system, you can always reset it by clicking on the reset icon next to the IP address.
Most Interactive Sections will have some assessment questions for you to answer. Once you believe you know the correct answer, type it into the textbox and press the Submit button.
If you are having trouble figuring out the right answer, some assessment questions have a Hint button you press for a nudge in the right direction. This is located immediately to the right of the Submit button.
Attacking Target Systems
My Workstation / Pwnbox
In order to attack a target system, you'll need a workstation that has the proper tools and configuration to complete the required tasks. You can opt to set up your own virtual machine, or you can use Pwnbox, our browser-based Parrot Security VM.
We have a full article discussing Pwnbox in the context of the Main Platform that you can read for more information on Pwnbox in general.
Click the button below to read about Pwnbox:
Pwnbox is fully equipped with the tools-of-the-trade and can be used to attack target systems or just to practice with Linux! It's automatically connected to our network, so there's no need to worry about connecting to a VPN when using it.
Please note, free users are only able to spawn one Pwnbox instance per day. The Pwnbox instance has a lifetime of 120 minutes. This limit can be lifted by making a purchase on Academy.
To start your Pwnbox Workstation, scroll down to My Workstation underneath the Table of Contents and press Start Instance.
Alternatively, you can access Pwnbox directly within the Section content itself. Scrolling down, you will notice a large box with a button that says Start Instance. Pressing that will spawn a Pwnbox accessible from within the Section.
Once your Pwnbox Workstation has been spawned, you can interact with it normally. You can start up the web browser, open up the terminal, write some code, or anything else you'd expect of a full-fledged virtual machine.
The default in-section Pwnbox window may be a bit cramped, but don't worry, you can fullscreen it easily by pressing the Full Screen button. A new tab will open with the Pwnbox Workstation in fullscreen mode.
You'll also find the buttons Terminate and Reset. Terminating your instance will shut it down completely. Resetting will give you a fresh copy of Pwnbox, so it's useful as a troubleshooting step.
If you are a free user who has never made a purchase on Academy, you cannot spawn Pwnbox again once you've terminated it until the next day. If you are having trouble with your instance, reset it instead.
Next to these buttons, you'll also be able to view see how long your Pwnbox Workstation has until it expires.
If you don't have a Pwnbox limit on your account, you can press the green + to extend the life of your instance.
Using a VPN
In some cases, it is not necessary to use a VPN to access a target system. Most Docker Targets can be accessed without a VPN connection. You only need a VPN to access a target if the IP address is in a private range. The following are private IP address ranges:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
VM Targets will almost always require you to establish a VPN connection. If a VPN is required, there will be a Get VPN Key button on the right side of the Questions portion of the page.
If this button is missing, it means a VPN is not needed for this target. Clicking on the button will initiate a download for an OVPN file, which can be connected to by using OpenVPN. The steps for connecting are the same as for the Main Platform.
For more information on Lab Access, you can read our dedicated article.
Click the button below to learn more about accessing our Labs: