Changelog

Follow up on the latest improvements and updates.


Sharpen your API security expertise with the new Attacking GraphQL Module. In this offensive Module, you'll learn to:
  • Identify common vulnerabilities in GraphQL implementations, including Information Disclosure, SQL Injection, and IDOR
  • Exploit weaknesses in GraphQL queries and endpoints
  • Strengthen your understanding of securing APIs against real-world threats
Did you know that 86% of data breaches involve stolen credentials? Active Directory (AD) is at the heart of modern IT infrastructure, making it a prime target for attackers. A breach can cost up to $300,000 per hour in downtime, which is why mastering AD security is essential.
The new Active Directory Penetration Tester job-role path offers advanced hands-on training in:
  • Navigating complex AD environments
  • Identifying vulnerabilities
  • Exploiting misconfigurations
  • Mastering techniques for Kerberos attacks, NTLM relay, and much more!
Whether you’re a Penetration Tester, Security Analyst, or Red Team Operator, this path prepares you for real-world challenges in AD environments and builds upon competencies already acquired in the Penetration Tester job-role path.
Never miss a beat with our new notification system! It's designed to keep you informed and optimize your experience by focusing on:
  • Seamless Lab assignments:
    When you're assigned to a new Lab or Space, a notification will pop up so you'll know exactly where to go next, without having to chase down your admin.
  • Instant content updates:
    Stay informed as soon as new content is added to your Labs or Spaces. Notifications ensure you're always up-to-date with the latest materials without manually checking for updates.
  • Progress milestones:
    Notifications will alert you when you reach significant milestones, such as completing a Lab or earning a certificate, so you can track your progress and take action without any delay.
  • Streamlined navigation:
    Quickly access relevant pages with direct links provided in notifications. This feature simplifies task management and enhances team communication by integrating smoothly with other platform features.
(Image: HTB Enterprise - Notifications)
Setting up a CTF event just got easier! Administrators can create their organization directly from the platform, bypassing manual setups and approvals – even before activating a subscription.
This means your team can dive into your CTF event without any delays. Check out how to get started.
Crafting the perfect event description can be a daunting task, particularly for new hosts.
To simplify this process, we’ve introduced a new GenAI feature that allows CTF hosts to effortlessly generate detailed event descriptions that cover all the critical information - how participants can join, the event rules, and essential links.
This feature addresses common questions like "How do I sign up?" and "Where's the passcode?" before they even arise.
While these AI-generated descriptions are fully editable, they are designed to support hosts in creating clear, engaging, and informative events. Here’s how to use GenAI to generate event descriptions. Host your next CTF →
Three (3) new exclusive Machines landed in Dedicated Labs in August, focusing on CVE exploitation, Azure Key Vault, Path Traversal, and more!
  • Identifier: exploits an SSRF vulnerability in a Python app to retrieve an Azure Key Vault token, decrypt SSH credentials, and ultimately gain root access via command injection in an Azure Function App.
  • Archive: exploits an Arbitrary File Read vulnerability to extract credentials from an SQLite database, then escalates privileges by uncovering an administrator password stored in a user-uploaded file.
  • Shaman: exploits CVE-2024-40628 and CVE-2024-40629 to gain access to a JumpServer by extracting FTP credentials. You'll achieve remote code execution (RCE), reset the JumpServer admin credentials, and gain root access via SSH by leveraging MFA.
(Image: Exclusive Machines, August 2024)
A new feature just landed on the HTB CTF Platform that lets you share your feedback directly with us! By sharing your thoughts, you help us improve the platform and ensure it’s tailored to your experience.
Here’s how you can do it:
  • Navigate to the profile dropdown menu
  • Select the Give Feedback option
  • Choose your feedback type: Generic Comment, Bug Report, or Improvement Suggestion
  • Enter your message
  • Hit Submit
Imagine facing off against an AI bot that holds critical secrets – but won’t give them up easily. Can you outsmart the bot by creating intricate prompts?
💡Remember: As you progress, the AI becomes smarter and more guarded, requiring sharper wit, deeper understanding, and more creative thinking.
By successfully completing this Challenge, you’ll develop skills in prompt injection and model jailbreak, essential for:
  • Identifying and defending against AI vulnerabilities
  • Preparing tactical responses to secure business operations
  • Staying ahead of emerging AI threats by understanding the latest attack vectors
Equip yourself with essential skills to identify and address hidden weaknesses in Web Applications with the new Academy Module: Web Fuzzing. In this Module, you'll learn:
  • The fundamentals of Web Fuzzing and its critical role
  • Techniques for directory and file fuzzing
  • Methods for parameter and value fuzzing
  • Analyzing and filtering fuzzing results
  • Validating and responsibly disclosing findings
  • Fuzzing WebAPIs for comprehensive security testing
(Image: New Module)
We've recently launched a new feature that allows admins to hide the Organization Leaderboard from Guests. When the leaderboard is hidden from Guests, it ensures:
  • Privacy, by preventing Guests from viewing employees' and other Guests' usernames.
  • Organization members can still view their rankings among their known peers.
This setting is turned off by default, but admins can enable it as shown below 👇
(Screen recording: enabling the setting)