Please tell me that I am not the only one...

…who thinks that HTB boxes are REALLY hard. I’ve just joined and signed up for VIP, and I’ll say without hesitation, this site ROCKS. It’s a lot of fun and I’ve learned a lot.

I’ve got a masters degree with a specialization information security and even some doctoral credits in IT. I still get stuck for hours on end on these boxes, even the easy ones.

I feel extraordinarily stupid when 20 people in the forums post,


Uh… so0o0o0o0 it’s just me losing my mind on these things then?

I CRUSHED my grad courses but they don’t have anything on the actual “real world” experience here. VERY little hands on experience is offered in grad school. There are entrance vectors and attacks that I’ve never even heard of in grad school that are in full effect here. (What the *#@$ is Cross Site Tracing???.. not discussed in any of my courses EVER.)

It’s like every day I am on this site I hear about a new technique that I’ve fully never heard of, and I’ve spent thousands upon thousands of dollars in grad school. I will gladly pay $13 USD a month for VIP.

So, sanity check… is it this hard for everyone when they start? I said I’d just play with a box for like 20 minutes and it’s already many hours later and I now have a headache because I didn’t eat anything.

So, I appreciate your input…

…and I am going to go get a hamburger.


I has been / is :wink: the same for me!

I have many years of experience in IT security, but not in an offensive role, and with every box I am learning about new concepts and technologies!

And when there is some service or app on a box that I really know something about, then I get side-tracked and fall into rabbit holes. :slight_smile:

But on the other hand, these two things are why I like hackthebox so much!

That makes me feel better!

It really kills me when I see an uncommon port open. I have an “AHA!!!” moment where I am SURE that’s how I am getting in. I’ll just look up some common exploits for this service while OpenVAS or Nessus is running. Well… shoot… I’ll just run all of them…

…and then my console window looks like this:

root@kali: msfconsole

#Exploit succeeded, no session created.
#STOP TRYING… that ain’t it.

and sometimes, just to mess with my life… I GET THE PASSWORD. …

…and it’s a trolling password and doesn’t work ANYWHERE.

I find a lot of the concepts needed on here are really tough until you’ve come across them at least once.

Never enumerated a web-server for dirs before? You might not even know it’s possible. Never checked for file extensions in those dirs? Again, as others blow through and declare it easy BAU, you’re still scratching your head.

Same goes for the first time you have to enumerate DNS in anger, interact with SAMBA shares, or muck about with file upload bypasses.

Until you’ve done it once, you maybe wouldn’t even know to try it, let alone how to do it well! Once you’ve done most things a few times, you can look at a box and go “ah yeah okay, I reckon this is gonna need this tool from my mental toolbox”, and get moving a lot quicker.

I’ve learnt so much since I first started on here, but I still find each new box a struggle as there’s always some new trick to learn! :slight_smile:

It becomes an “easy” machine once you root it. Easy boxes can become hard as well, if you’re unfamiliarwith the services that are running but after all, that depends on you and on your research skills