Dedicated Labs are a safe environment for you to experience curated and unique hacking content that is created by security professionals for security professionals.
Our cybersecurity content features mechanics and techniques inspired by gaming that make the entire user experience fun and captivating, resulting in increased team engagement.
The two forms of content you'll find in a Dedicated Lab are Boxes and Challenges.
Boxes vs Challenges
Boxes are instances of vulnerable virtual machines. These are virtualized services, virtualized operating systems, and virtualized hardware that all run on our servers. Boxes tend to have multi-step exploit paths and can host different operating systems: Linux, Windows, FreeBSD, and more.
Challenges are bite-sized applications for different pentesting techniques. While they may feature chained exploits, they generally are meant to showcase one concept and are comprised of a single application.
Each Box has a difficulty level that signifies the complexity and number of steps in the exploit path. The five different difficulty levels are as follows:
These are simple Boxes, with typically only a single main exploit step. They are meant as an introduction to those who are just getting started with pentesting, or are looking to get acquainted with Hack The Box content.
These Boxes are still simple but offer a bit more of a challenge compared to the previous level. They generally are comprised of 2-3 steps, and have a relatively clear exploit path, with only the most basic scripting required.
Medium Boxes are where things can start getting complex. They usually have around 3 steps and may require some custom exploitation. The path is generally clear and free of rabbit-holes. Some scripting or programming knowledge may be required.
These are complex Boxes with 3-5 steps that involve custom exploitation and chaining together different vulnerabilities. Heavy enumeration may be required, and the path may not always be obvious.
These are the most difficult Boxes we have to offer. They are targeted towards highly experienced pentesters who are looking to push themselves to the limit. They typically involve more than 5 steps and can have extremely complex exploit chains. They may include rabbit-holes and dead ends.
Unlike Boxes, Challenges have three main categories of difficulty: Easy, Medium, and Hard. These roughly map to the same level of difficulty as Boxes of the same level, with the exception that Challenges typically focus on a single exploit type. Additionally, there is no upper limit on how difficult a Hard Challenge can get.
The more difficult a Challenge is, the more Points it's worth.
You can begin working on Boxes by opening up your Dedicated Lab on the Enterprise Platform. Once you've located a Box, click on it to be taken to its page. From here, you'll be able to spawn the Box, access its writeup (if made available by your Admin), and submit flags.
You can also view the Box's activity on this page, to keep track of who has solved it and when.
Once you spawn the Box, you'll be given an IP address. From here, you can begin enumerating the Box for services and vulnerabilities, and begin hacking your way in!
You'll want to make sure you have connected to the lab's VPN server or have a Pwnbox instance ready if you want to be able to access the Box's IP address.
On each Box, you'll typically be able to find two flags, user and root. Generally speaking, these can be found in /home/<username>/user.txt and /root/root.txt respectively. Once you get a flag, be sure to submit it on the Box's page!
Working on Challenges is very similar to working on Boxes, with a few key differences.
Challenges are spawned on Docker Instances and are accessible only on the specified port.
The IP addresses of these Docker Instances are routable via the internet, which means no VPN is required.
Challenges can sometimes have downloadable content. This could be the source code of the application running on the server, or it could be the challenge itself. The downloadable files are zipped, and the password is always