At the time of this writing, I’m a bit on the fence about HackTheBox.com. On one hand, they offer VMs, training and certifications for a very decent price. On the other hand, I found the support to be lacking and the lessons to contain wrong instructions in places, and it left me frustrated at times.
Pricing
Over on the Academy section of their services, they sell content based on “cubes.” Cubes are their in-platform currency. If you spend $38/month (Gold plan), you unlock 500 cubes a month. You can use these for specific lessons, or to complete an entire “path” (organized lessons with a focused goal). The paths available are: Bug Bounty Hunter, SOC Analyst, Pentester, and Sr. Web Penetration Tester.
How much does 500 cubes get you? A few cost breakdowns are below:
- Bug Bounty Hunter: 20 modules that unlock for a projected cost of 1410 Cubes
- Penetration Tester: 28 Modules that unlock for a projected cost of 1970 Cubes
- SOC Analyst: 15 modules that unlock for a projected cost of 1170 Cubes
- Sr. Web Penetration Tester: 15 modules that unlock for a projected cost of 7000 Cubes!
What’s Awesome
The integration with ParrotOS is fantastic. You can spin up a ParrotOS VM (they call it a “Pwnbox”) in seconds. Once it’s up, you get a web view into the OS, and it’s very snappy.
The cheaper paths cover typical training, but the expensive Sr. Web Penetration Tester path has attack vectors I haven’t seen anywhere else (including Offensive Security and the odd variety of security courses online). The OAuth attacking course is pretty amazing and includes attack vectors on JWT cracking and much more.
What Sucks
I dropped $38 for 1 month of subscription. I got my 500 cubes and bought a single course on the Sr. Web Penetration Tester path. The course was on OAuth vulnerabilities. The content started off amazing, but once it got to setting up a Netcat listener, everything started to fail. This path is very complex, and the exercises take considerable time to set up. When things fail deep into a lesson, my first thought was “I did something wrong.” I kept rechecking my work, and rechecking it again.
Buggy Lessons
I put it aside for a week and returned: same issue. I moved on. Another lesson on setting up a Netcat listener produced more of the same problems. I tried doing the work on the VM instead of my local machine; no change.
After a week or so of fighting this, I raised a support ticket. This amounted to “what’s the problem?”, to which I gave mountains of detail and steps to reproduce. Four days later I got a response, “are you still having this issue?”, from a different customer service rep. That sucks. It feels like this won’t get resolved by their team.
When I took the time to dig further, I noticed that the listener was binding to 0.0.0.0 and figured that was the likely issue. The course content had screenshots of someone doing this action, but their version of Netcat didn’t bind to 0.0.0.0 but to their local IP (which is expected). A bit more digging turned up the right flags to use, and I resolved the issue on my own.
To sum it up:
- The course material can’t be trusted. It’s sometimes wrong.
- The support you get is minimal, and you’re best left to figure things out on your own.
Some might argue, “well, you should have spotted the 0.0.0.0 bind sooner and resolved it.” Yeah, I guess. But I didn’t expect multiple lessons to be giving wrong data, so I kept looking at myself (what did I do wrong?).
Most people taking these courses are brushing up on skills and simply have day jobs. We can’t dedicate a lot of time to debugging content we’ve paid for.
I pitched HTB to the owner of my company, but if he hits the same issues I did, he simply won’t have time to dig into them as I did and will likely ignore it. It’s a shame.
Pricing
The pricing is both a plus and a minus. On the plus side, it’s cheap to get started: $38 or less will get you a lesson or two (depending on the lesson). If you pick up a path like Bug Bounty Hunter, it will be paid for in 3 months’ worth of subscription. But a path like Sr. Web Penetration Tester won’t be paid for until you cover 14 months’ worth of payments. That’s about $530. Is it worth it? I’m not sure.
Of course, you can grab a lesson here or there, but a lot of people will be hoping for the certification. As certifications go, $530 is fairly cheap compared to Offensive Security, but how valued is it?
As for me, I’m more interested in learning new skills, picking up lessons here and there. From this perspective it is expensive. I would be dropping quite a bit of money on training that is mostly text-based, with some good VM practice.
Text Based Training
For the price, I honestly think they should offer simple video-based training, like you’d get with a Udemy course.
Text-based is fine, but it gets tedious. When it comes to training, seeing the attack performed is a lot more useful and powerful.
Overall Review
Yes, some of the content is buggy. However, the VMs are solid. They are wonderful to use, and if you haven’t installed ParrotOS, you get a chance to play with it. If they had solid support and few issues in the lessons, I’d give this 5 stars. As it is, I’d say it’s 3.5 stars: you do get to play with vulnerable machines and see an attack vector, but the lessons I bought had mistakes that required effort on my part to resolve (as support didn’t seem receptive).