Changelog

Follow up on the latest improvements and updates.

The SaaS Integration - Essentials pack immerses players in hands-on exploitation of real-world SaaS and government web applications, exposing practical vulnerabilities across OAuth flows, token management, webhook validation, access controls, and server-side template injection.
Included in this pack are 10 challenges that progress from quick wins (client-side cookie forgery, hardcoded service key extraction) through intermediate challenges (OAuth redirect abuse, webhook signature bypass, IDOR-based password reset, mass assignment privilege escalation) to advanced scenarios (token chaining across diagnostics and logs, VBA macro phishing document analysis, and server-side template injection via file upload).
Each challenge is self-contained yet narratively connected, simulating a real red team operation, Operation Grantfall, across ten Norland government portals, each representing a distinct SaaS integration failure. The scenarios mirror the analytical workflow of penetration testers and AppSec engineers assessing government and enterprise SaaS deployments.
By completing this pack, you will exploit OAuth and token vulnerabilities, bypass webhook and payment controls, master access control and privilege escalation attacks, and chain advanced server-side vulnerabilities across interconnected SaaS portals.
A new defensive module, Persistence Tradecraft Analysis, is now available on HTB Academy. This course provides an in-depth look at Windows persistence mechanisms, covering everything from their role in the attack lifecycle to detection and investigation.
Throughout this module, you will explore how adversaries abuse legitimate system features like Scheduled Tasks, Windows Services, and Registry-run keys to ensure that malicious code executes automatically. The content focuses on identifying system artifacts left behind by attackers and translating that knowledge into reliable, effective detection rules for real-world environments.
Just days after two critical vulnerabilities were disclosed, you can now explore how they are exploited in the Snapped machine.
The foothold demonstrates CVE-2026-27944 in Nginx-UI, where the /api/backup endpoint is accessible without authentication. This endpoint returns a full backup of the nginx and Nginx-UI configuration files and exposes the key required to decrypt that backup in its response headers, allowing you to recover a weak user password from the Nginx-UI database file.
After gaining initial access, the machine shifts focus to privilege escalation through CVE-2026-3888, a TOCTOU race condition between snap-confine and systemd-tmpfiles. The challenge involves the deletion and recreation of a temporary mimic directory under /tmp, where an attacker must race the cleanup process by recreating the directory with controlled content and influencing execution timing via AF_UNIX socket backpressure during the bind-mount sequence.
By successfully winning the race condition, you can poison the sandbox’s shared libraries and leverage dynamic linker hijacking against the SUID-root snap-confine binary. This ultimately enables full system compromise, demonstrating how misconfigurations and race conditions can be chained together to escalate from initial access to root.
New exclusive content has been released on Dedicated Labs featuring Active Directory attacks, vulnerability chains, and container breakouts.
Trustful | Exclusive Machine
Trustful is an easy Linux machine featuring a vLLM RCE (CVE-2026-22807) and a telnetd auth bypass (CVE-2026-24061). Attackers exploit a public MinIO bucket in a CI/CD pipeline by uploading a malicious model config with a poisoned auto_map entry. This grants RCE within a Docker container. A vulnerable Telnet server on the host then allows a container breakout to gain root access.
Roasted | Exclusive Sherlock
This Sherlock provides players with an opportunity to utilize Elastic SIEM to detect and hunt for two critical Active Directory attacks: DCSync and Kerberoasting. The Sherlock takes players through the full cyber kill chain.
BlueTide Marine | Exclusive Challenge
BlueTide Marine requires a two-stage vulnerability chain. The first stage abuses Traefik path-matcher behavior (CVE-2025-66490) to reach a protected Signal K websocket path. The second stage abuses command injection in @signalk/set-system-time (GHSA-p8gp-2w28-mhwg / CVE-2026-23515) to execute commands and retrieve the flag.
The OWASP Top 10 for LLMs – Essentials pack immerses players in a synthetic intelligence complex where ten autonomous gatekeeper models each embody a critical real-world LLM vulnerability.
Included in this pack are 10 challenges that progress from foundational attack techniques (prompt injection, information disclosure, system prompt leakage) through intermediate exploitation (supply chain compromise, data poisoning, excessive agency abuse) to advanced scenarios (vector database poisoning, RAG exploitation, overreliance bypass, and inference timing attacks).
Each challenge is self-contained yet narratively connected, mirroring how security engineers audit and break production-grade AI systems. The scenarios reflect real-world failure modes across the OWASP Top 10 for LLMs, including prompt manipulation, insecure output handling, training pipeline compromise, and unbounded resource consumption.
By completing this pack, you will master LLM exploitation techniques, understand how modern AI systems fail under adversarial pressure, develop hands-on experience attacking RAG pipelines and vector databases, learn to identify and exploit AI supply chain risks, and build practical red team capabilities against LLM-powered applications.
The OWASP Mobile Top 10 path introduces learners to the most critical security risks affecting modern mobile applications.
Featuring 10 hands-on challenges inspired by real-world scenarios, participants will develop practical skills in analyzing mobile apps, understanding how mobile architectures operate, and identifying weaknesses that can impact application security.
With challenge difficulty ranging from Easy to Medium, this path helps learners build the knowledge and methodology required to assess mobile applications and uncover security issues commonly encountered in modern mobile environments.
These latest updates to the User Management tab streamline team assignment by allowing Admins on HTB Enterprise Platform to bulk-add users to new or existing teams.
With the new unified “Add to Team” action, you can create new teams with a selected set of users or quickly add those users to an existing team using search. This makes team management faster and more efficient at scale, especially for large organizations handling recurring user assignments.

Introducing public certificate pages

HTB Academy certificate holders now have access to dedicated, public-facing pages for every certification earned. These pages offer a professional, verifiable way to showcase your technical expertise to employers and the community.
How it works:
Users can access these pages directly through their HTB Profile. Clicking on any earned certificate credential takes you to that certificate's dedicated public page.
Key features include:
  • Unique public URL for every earned certification.
  • You can share it on LinkedIn and social media.
  • Verification to confirm the authenticity of your achievement.
The HTB Academy platform has officially migrated to Academy 2.0. This update establishes the new interface as the primary environment for all learners. It’s faster, smoother, and built to power the next wave of content, features, and skill progression.
The previous interface has been retired to ensure a unified experience across the platform.
Shinra is a full-scale, medium-difficulty scenario consisting of 14 Machines and 12 flags. It demonstrates how covert techniques can bypass EDR, avoid SOC detection, and abuse trusted systems. Designed for users who want to transition from pentesting to red team engagements.
We have also released two Mini Pro Lab scenarios:
  • Reflection: An Active Directory scenario involving three Machines. Users must chain multiple weaknesses across services and identity infrastructure to achieve full domain compromise.
  • Trusted: An internal red team engagement across two Machines. Users start with zero credentials on the internal network to assess the security posture of the environment.