Starting on Hack The Box can be a bit daunting. There's a lot to learn, and it can be overwhelming for someone who is new to our platform. Figuring out how to connect to the VPN, spawn a Box, enumerate it, and then actually hack it? It's a lot. That's why we've introduced our revamped Starting Point.
Starting Point is Hack The Box on rails. It's a linear series of Boxes tailored to absolute beginners, with very easy exploit paths that not only introduce you to our platform but also break the ice into the realm of penetration testing. Using Starting Point, you can get a feel for how Hack The Box works, learn how to connect to and interact with Boxes, and lay a basic foundation for your hacking skills to build on.
Each Starting Point Box comes with a comprehensive writeup that explains not only how to solve the Box, but each of the concepts involved at every step.
We highly recommend you supplement Starting Point with HTB Academy. Whereas Starting Point serves as a guided introduction to the HTB Labs, HTB Academy is a learning platform that guides you through developing the pentesting skills you'll need to succeed not only on Hack The Box, but in the field of ethical hacking as a whole.
Each Tier of Starting Point has some recommended HTB Academy Modules to go along with it. You can start with these, or focus on whatever Module catches your interest.
Starting Point Tiers
Starting Point is separated into three Tiers, which represent an incremental increase in complexity and challenge. They are linear, each building off the one that came before. In order to progress to the next Tier, you must first complete all the free content within the current Tier.
In Tier 0, you'll cover the absolute fundamentals of attacking a Box. You'll learn how to connect to the VPN, perform basic enumeration of ports and services, and interact with the services you find. Each Box in this Tier is focused on a particular tool or service and contains only a single primary step.
These are the Tier 0 Boxes currently available:
The last two, Explosion and Preignition, are VIP Boxes, meaning they are only available to those with a VIP/VIP+ subscription. But don't worry: they won't block your progress to the next Tier even if you are a free customer.
Moving to the next Tier, things are kicked up a notch and a bit more complexity is introduced. Whereas Tier 0's primary focus is demonstrating how to connect to various services, Tier 1 focuses on fundamental exploitation techniques. While the depth of the material in this Tier is increased over the previous, these Boxes still feature a single primary exploitation step.
These are the Tier 1 Boxes currently available:
This is the final Tier, and the most complex. The Boxes in Tier 2 are full-fledged, and chain multiple steps together. You'll need to enumerate, gain an initial foothold, and escalate your privileges to reach root/system. Unlike in the previous Tiers, these Boxes have two flags,
These are the Tier 2 Boxes currently available:
Connecting to Starting Point
The very first step to starting on Starting Point is to get connected to the VPN. There are two ways to go about this: OpenVPN and Pwnbox.
Connecting via OpenVPN is the traditional way of accessing the labs on Hack The Box. While this is possible to do from a Windows or Mac machine, you'll ideally want to do this from a virtual machine running a Linux distribution, such as Parrot Security. Most Linux distributions (including Parrot) come with OpenVPN preinstalled, so you don't have to worry about installing it.
First, navigate to the Starting Point Box you want to play, and press the Connect to HTB button. This will bring up the VPN Selection Menu. Select OpenVPN, and press the Download VPN button.
Once you have the VPN file downloaded, open up your terminal and run the following:
sudo openvpn /path/to/vpn/file.ovpn
If your connection is successful, the terminal window will show Initialization Sequence Completed. Note that you'll need to keep this terminal window running, or the VPN will disconnect.
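As an added example (not part of the original article or any HTB tooling), the helper below reads a saved OpenVPN client log and reports whether the tunnel is up, still connecting, or down, based on the success line above and OpenVPN's exit and restart messages. It assumes the client was started with OpenVPN's --log option pointing at a file of your choosing; the log path and the sample log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify an OpenVPN client log as up / connecting / down.
# Assumes the client writes its output to a file, for instance:
#   sudo openvpn --config /path/to/vpn/file.ovpn --log /tmp/htb-vpn.log
# (/tmp/htb-vpn.log is a placeholder; the file is written by root, so you may
# need sudo to read it.)

vpn_state() {
    # $1 = path to the OpenVPN log.
    [ -r "$1" ] || { printf 'unknown\n'; return 1; }
    state=connecting
    # The most recent marker wins: a tunnel that came up can drop later.
    while IFS= read -r line; do
        case $line in
            *"Initialization Sequence Completed"*) state=up ;;
            *"process restarting"*)                state=connecting ;;
            *"process exiting"*|*AUTH_FAILED*)     state=down ;;
        esac
    done < "$1"
    printf '%s\n' "$state"
}

# Constructed sample log, not captured from a real session.
sample_log() {
    cat <<'EOF'
2024-01-01 10:00:00 TCP/UDP: Preserving recently used remote address: [AF_INET]192.0.2.10:1337
2024-01-01 10:00:01 TUN/TAP device tun0 opened
2024-01-01 10:00:02 Initialization Sequence Completed
2024-01-01 10:30:00 SIGTERM[hard,] received, process exiting
EOF
}

tmp=$(mktemp)
sample_log | head -n 3 > "$tmp"
echo "while the terminal is open: $(vpn_state "$tmp")"
sample_log > "$tmp"
echo "after the client exits:     $(vpn_state "$tmp")"
rm -f "$tmp"
```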
For more information about connecting to our labs, please see our dedicated article.
The second way to connect to Hack The Box is by using our browser-based virtual machine, which features a customized version of Parrot Security. With Pwnbox, you'll have full access to a workstation that you can use to attack Boxes. It's automatically connected to the VPN, so there is no need to worry about downloading the VPN file if you go this route.
NOTE: Free users are limited to a one-time use of Pwnbox that lasts 120 minutes.
To spawn a Pwnbox instance, press the Connect to HTB button next to the Starting Point Box you are interested in playing, and select the Pwnbox option from the VPN Selection Menu.
Once Pwnbox is spawned, you can view it by pressing the Open Desktop button.
This will pull up the Pwnbox instance in a new tab in your browser. From here, you can use it like any other virtual machine! For more information about Pwnbox, please see our dedicated article.
Spawning a Box
Once you've been connected to the VPN, the button to Spawn Machine will become available. You may need to refresh the page if it's been more than a few minutes and you don't see your connection as active in the VPN Selection Menu.
Once the machine is spawned, you'll be given an IP address. This is the IP address that you'll use to access the Box.
If you need to reset the Box, you can do so by pressing the Reset Button next to the IP address. You can also terminate the Box the same way by pressing the Stop button once you are finished with it.
Playing a Starting Point Box
Now that you've gotten connected and have a Box spawned, you can move on to the fun part: actually playing the Box!
Every Starting Point Box has a detailed writeup that walks you through each step of the exploit process and explains the concepts and technologies involved.
While you are certainly welcome to work on Starting Point without making use of the writeup, we highly encourage you to read through it carefully and absorb what you've learned, following along at each step. Writeups are an invaluable resource, and there's nothing wrong with using them to learn!
You can download the writeup by pressing Download Walkthrough in the upper right corner of the Box's section.
Underneath the IP address of the Box, you'll notice a series of tasks for you to complete. These tasks will ask you questions about the Box, and test what you've learned from exploiting it.
In the answer box for each task, you'll notice that you can see what format the answer will come in. For example, if the answer to a question was ryanisgreat, the answer box might show you the following:
All the information needed to answer the questions can be found in the writeup, if you get stuck. Additionally, most tasks have hints you can reveal to help you find the answer.
The very last task(s) will be to submit the flag(s) from the Box, which you can retrieve by successfully completing the full exploit process.