Changelog

Follow up on the latest improvements and updates.

New Threat Range Scenario - ClickRat

ClickRat simulates a real-world SOC investigation into an Active Directory workstation compromise orchestrated by an Initial Access Broker (IAB).
After being lured to a convincing but deceptive web portal, a MIRAI HR staff member unknowingly sets off a silent compromise of their workstation. As the team responsible for safeguarding the organization, you must work together to uncover the hidden foothold the attacker has established, trace their quiet expansion of control, and prevent your environment from becoming a target for further exploitation.
This environment is composed of critical infrastructure components typically found in a corporate network, and together with your team you will collaborate to:
  • Triage alerts
  • Investigate suspicious activity
  • Investigate forensic evidence
  • Identify the impact to your organisation
New exclusive content has been released on Dedicated Labs, featuring an end-to-end compromise of a modern automation platform as well as activity observed from real ransomware groups in the wild.
Rusty | Exclusive Sherlock
This Sherlock is based on a real-life Ransomware and data exfiltration incident on a corporate network documented by the Triskele Lab DFIR Team, a Hack The Box partner. You will utilize several artifacts from two triage images and correlate the data to create a timeline and understanding of the whole incident.
BloodFlow | Exclusive Machine
A Very Easy Linux machine that demonstrates an exploit chain leading to unauthenticated RCE on an n8n workflow automation platform via two CVEs: CVE-2026-21858 (Ni8mare) and CVE-2025-68613.
Control, Push, Sidecar and Intercept are now available on HTB Labs!
Control and Intercept are small Active Directory scenarios that simulate configuration gaps in enterprise systems.
  • Control (2 machines, 3 flags) focuses on multi-stage attacks involving web exploitation, abuse of management tooling (OSCTRL / osquery), and operational misconfigurations
  • Intercept (2 machines, 2 flags) covers common AD weaknesses, demonstrating relay and authentication coercion attacks to gain domain access
Skills you’ll build:
  • Web exploitation and container escape
  • Credential discovery and misuse
  • NTLM relay and authentication coercion
  • Active Directory Certificate Services (ADCS) abuse
Sidecar and Push are small Active Directory scenarios simulating real-world Windows environments (2 machines, 2 flags each).
  • Sidecar focuses on PKI abuse, certificate-based persistence, and shadow credentials for stealthy lateral movement
  • Push explores advanced techniques like ClickOnce exploitation, SCCM coercion, and ADCS Golden Certificate attacks
Skills you’ll build:
  • Shadow Credential and Kerberos attacks
  • Privilege abuse and malicious shortcut files
  • ClickOnce and SCCM exploitation
  • ADCS Golden Certificate attacks
  • Advanced lateral movement in Windows environments
We’ve added a new ICS challenge category which includes 11 hands-on challenges covering OT, ICS, and SCADA systems.
Designed for professionals of all experience levels, the challenges teach users how to:
  • Analyze, interact with, and exploit common and custom ICS protocols (e.g., Modbus, EtherNet/IP, S7comm, OPC UA, serial) to extract data and manipulate control logic
  • Enumerate PLC memory, registers, tags, and I/O to disrupt, restore, or alter industrial processes, understanding the real-world physical impact of changes
  • Execute realistic attack paths across water, manufacturing, chemical, and energy environments
  • Regain control of compromised ICS environments during active incidents, including HMI outages, malware infections, and sensor/logic corruption
HTB Labs has moved to fully Dedicated Machine instances. That means no more shared Machines. Every session is yours from start to finish.
This upgrade applies to all Free and VIP users, but you’ll need to take one quick step to keep playing.
What’s changing:
  • VIP Servers are being retired on January 15th. Free and VIP users will connect to the dedicated instances through a unified access.
  • From Jan 15th onwards, Machines will run exclusively on Dedicated Instances, meaning no more interference from other users and a better experience for you.
  • To stay connected, you must download new VPN keys from the Connect menu. Your current VIP keys will stop working after January 15th.
  • New Machines? You’ll need to connect to them via the Release Arena. It’s your gateway to the latest content, and it comes with its own pre-spawned dedicated environment.
This shift lets us deliver a faster, more reliable platform and produce more content for you on HTB Labs.
On December 29, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-14847 to its Known Exploited Vulnerabilities (KEV) catalog, and only a few days later, the MangoBleed Sherlock was released.
In HTB’s newest CVE Sherlock, you’ll be tasked with handling a high‑priority incident involving a suspected compromised server hosted on mongodbsync, a secondary MongoDB server.
After receiving root-level access to facilitate your investigation, you’ll perform a rapid triage analysis of the collected artifacts to determine whether the system has been compromised, identify any attacker activity (initial access, persistence, privilege escalation, lateral movement, or data access/exfiltration), and summarize your findings with an initial incident assessment and recommended next steps.
The “In Progress” tab in HTB Labs now gives users a more accurate view of what is actively being worked on by showing progress the moment a user starts engaging with content rather than only showing progress after milestones have been achieved.
What’s new
  • Challenges: Added to "In Progress" as soon as you download or spawn
  • Sherlocks: Added to "In Progress" as soon as you download any task
  • Starting Point Machines: Added to "In Progress" as soon as you spawn (same logic as Machines)
Cleaner, more relevant list
  • Items are not shown if completed
  • Items can be removed from “In Progress” via the new button on each card
  • Items are ordered by type first, then by most recently added
Machines appear much earlier
  • Machines now show in "In Progress" the moment they are spawned, instead of waiting until a user gets a flag
New exclusive content has been released on Dedicated Labs which features a vulnerable web application as well as data and triage acquisition from Windows Endpoints.
SuperHero | Exclusive Sherlock
This Sherlock provides players with an opportunity to use KAPE for Forensic Triage acquisition from Windows systems. Players also get to explore the structure of KAPE images, utilizing different types of targeted acquisition.
Infection | Exclusive Machine
An Easy Linux machine featuring a web application vulnerable to an SQL injection flaw in the Django framework (CVE-2025-64459).
The WMI Tradecraft Analysis module provides a deep technical analysis of WMI tradecraft from both attacker and defender perspectives. While completing the module, you will learn how WMI is abused for execution, lateral movement, persistence, and stealthy backdoor deployment, as well as how to detect, hunt, and investigate malicious WMI activity using logs, ETW, and low-level artifacts.
Key learning outcomes:
  • Understanding WMI architecture and execution flow, including providers, namespaces, repositories, and COM-based service activation
  • Querying and analyzing WMI data using PowerShell to assess system configuration, processes, and services
  • Identifying malicious and anomalous WMI activity by examining execution context, process relationships, and remote usage patterns
  • Mapping WMI abuse to MITRE ATT&CK techniques and applying monitoring strategies to detect lateral movement, living-off-the-land execution, and persistence in Windows environments
HTB Academy’s defensive portfolio just got deeper, sharper, and more job-aligned with the addition of nine LetsDefend courses.
These new modules strengthen critical defensive capabilities across the workflows defenders rely on every day, including PKI, malware analysis, threat frameworks, network traffic analysis, DFIR, and threat hunting across SIEM, DNS, and IPS/IDS environments.
Courses included in this release are:
  • Public Key Infrastructure
  • Identifying Threats and Malicious Software
  • MITRE ATT&CK Framework
  • Cyber Kill Chain
  • Network Packet Analysis
  • DFIR with EDR
  • Threat Hunting with SIEM
  • Threat Hunting with DNS
  • Threat Hunting with IPS/IDS