Machine Requirements

  • VMWare Workstation, VirtualBox, or ESXI formats. Please avoid Hyper-V if possible.

  • Less than 10 GB for Linux or less than 20 GB for Windows, or contact HTB staff to request an exception

  • Limit to 2GB ram and 2 CPU (contact HTB staff to request an exception)

  • CPU Limit set to 1500

  • Flags in the form of 32 hex characters

  • C:\users\[username\desktop\user.txt and C:\administrator\desktop\root.txt for Windows

  • /home/[user]/user.txt and /root/root.txt for Linux

  • Check permissions to ensure only the intended users can access the flags

  • Configure machine with a static IP.

  • Use only domains with the .htb top level domain.


Please include:

  • Full writeup showing the intended path to own the machine. A template is provided here. Please include an editable format of the writeup (markdown, word).

  • Credentials for all users (or at least root and user with user.txt), to include passwords and keys (like SSH keys).

  • Description of important processes running on the machine (ie, HTTP server using Flask, which is started by the service named flask.service).

  • Description of all automation, including copies of any scripts running on the machine (crons, schedtasks, etc)

  • Details of any firewall rules

  • If using Docker, please include Dockerfiles and other configuration files for containers.

  • Source code for any custom binaries.

  • Any details about how future patches might impact the exploit path (ie, don’t update sudo, as the exploit path requires this version’s vulnerability).

Best Practices


  • Try to keep the Machines realistic where possible.

    • Try to have the exploited code exist for some legit reason.

    • Don’t include things like todo.txt on a webserver.

  • Don’t include rabbitholes without a good reason.

  • Make sure hashes crack quickly with hashcat and rockyou.txt if they are intended to be cracked. If they are intended to be cracked with some other method (not straight rockyou), include hints to indicate the method.

  • When picking passwords that are not intended to be cracked, please pick a strong passphrase (something solid but also not that hard to type).

  • Make sure web directories are easily found with dirbuster/gobuster/etc and common wordlists like directory-list-2.3-medium.txt (or better small) or raft-small-words.txt

  • Nothing inappropriate, trolly, offensive, political, or insulting.

  • Don’t require bruteforcing other than above without talking to HTB staff.

  • Make history immutable (redirect to /dev/null if this does not affect the path of the box)

  • Run linuxprivchecker, linenum, LinPEAS or equivalent to confirm that there isn’t any unintentional vulnerability/exploit.

  • Don’t make use of commercial software (including trials).

  • In Linux, don’t use ufw.

  • Do not use an evaluation copy of Windows. Do not worry about activating Windows, as HTB will take care of that.

  • Don’t use potential unstable elements that may degrade user experience in a shared environment (i.e. a web app where a key page can be removed, a service exploit that will crash the web server, RDP access, a volatile exploit, etc.)


Select a difficulty based on the following criteria:


  • Typically 2-3 steps

  • CVE with script or Metasploit without modification

  • Path clear from context / hints, no rabbit holes

  • No binary exploitation / RE

  • Only the most basic scripting require


  • Typically around 3 steps

  • Custom exploitation, but straight forward

  • Path clear from context / hints, no rabbit holes

  • Generating simple scripts


  • Typically 3-5 steps, but can be more

  • Custom exploitation, chaining together different vulnerabilities, complex concepts.

  • More enumeration is allowed, though don’t include pointless rabbitholes.


  • Typically many steps (5+), but can be as short as 3 really hard steps.

  • Anything goes as far as exploitation.

  • Rabbitholes allowed, but hopefully for a purpose. Don’t just make things hard for the sake of being hard.

Examples of a step:

  • Gain access to login-protected site

  • Gain access to SMB / FTP / etc

  • Get shell on box

  • Pivot from one user to another

Did this answer your question?