How to play Challenges

Last updated by 0ne-nine9 (admin)

Updated at October 29th, 2020

Challenges are bite-sized applications for different pentesting techniques. These come in three main difficulties, specifically Easy, Medium and Hard, as per the coloring of their entries on the list. However, the actual difficulty is rated by the users that have completed the Challenge and these range from Piece of cake to Brainfuck.

The purpose of Challenges is to both introduce new users to different concepts such as reversing, OSINT, steganography, etc., but to also challenge the more experienced ones with creative ways to resolve some of the more challenging entries on the sortie. 

Following the release of the new design of the Hack The Box platform, we are putting out guides on how to navigate the new interface.

Whether you’re a new player or a veteran in Hack The Box, this guide will give you some useful tips and guidance on how to play Challenges in the new layout.

Challenge categories

We host a wealth of Challenge typologies, ranging from very hands-on to very ephemeral, conceptual ones. The categories hosted on the platform are as follows:


Revolving around the art of reverse-engineering, this category will have you using reversing tools to find out what a certain script or program does in order to find the flag.


Miscellaneous Challenges that don't strictly fit into any other given category. Variety is key here but also the source of all the fun solving them.


Revolving around the art or finding or embedding hidden messages in plain-looking objects, the Stego categories will have you use steganographic tools and your detective intuition to search for the hidden flag. Don't trust your eyes.


Revolving around cryptographic functions, this category will have you decrypting objects which were locked away from the prying eye with up-to-date cryptological processes.


Revolving around web-based applications, this category will require you to detect, exploit and search through different vulnerable web applications. The themes of these Challenges are very intriguing.


Revolving around data recovery and forensics, this category will require you to nitpick at small details in recovery data batches to try to get to the bottom of what happened. A keen eye and a lot of patience will help you go along way as a forensic analyst. No CSI quotes included.


Revolving around publicly available data farming, this category will teach you how to laterally move between search engines' pesky algorithms to try to find the missing piece of the puzzle. Or maybe the missing person?


Revolving around binary exploitation and memory corruption, this category will have you creating exploits that'll make anyone lose their bits. 


Revolving around multiple types of handheld devices, this category will have you not only scrolling on social media to like our posts, but also analysing the intrinsics of different mobile applications to find the hidden embedded functionalities and flags.


Revolving around penetrating different hardware systems with your software, this category will have you analysing different attack methodologies for objects we use every single day, even if we know it or not. Turning it off and on again will not solve this problem, sorry.

Navigating to the Challenges page

From your dashboard, you’ll need to navigate to the left-hand side menu and click on Labs, then Challenges.

This will take you to the Challenges line-up page, where all controls required for you to play them can be found. This includes the file download button, flag submission controls, to-do list and more.

Note that in contrast with the Machines page, the Challenges page doesn't have any VPN controls. This is because the Hack The Box Challenges can be solved without a VPN connection. You must, however, download some files or connect to a docker container, depending on the Challenge type.


On the Challenges page, you will see the highlighted ones at the top. These can be the staff pick and the newly released Challenges


There are three menus that you can select from in order to filter through the lineup.

  • Active Challenges

  • Retired Challenges

  • Challenges To-Do List

Active Challenges

Most of the Challenges on our lineup are Active. This means that no walkthroughs are allowed for them as long as they stay in this state. These offer points to the user who completes them depending on their difficulty.

The difficulties and their respective point allowance are as follows:

Easy - 10 to 30 points

Medium - 40 to 50 points

Hard - 50 to 100 points

These values are not fixed and you might spot some special occurrences.

Retired Challenges

These look and behave the same as the Active Challenges, but do not offer you any points upon completion. However, they’re a good tool to learn what that category entails and what some of the ways of solving these are.

Challenges To-Do List

The Challenges To-Do List contains both Active and Retired ones that you’ve added to your own personal to-do list.

You can either add a Challenge to your to-do list by visiting its dedicated page, where you will find the option for the to-do list on the left-hand side menu.


Each of the above lists can be filtered according to your needs. The filter options are listed as drop-down menus above the Challenge entries in the respective list. These consist of the following:

  • Status (Complete, Incomplete, Both)
  • Sort By (Release Date, Name, Points, User Solves, Likes, Dislikes, User Difficulty)
  • Difficulty (Easy, Medium, Hard, Insane)
  • Category

The Category section offers users the possibility to select one of the Challenge categories: Reversing, Misc, Stego, Crypto, Web, Forensics, OSINT, Pwn, Mobile, Hardware.

Solving Challenges

Most of the Challenges require you to download a given archive that contains the starting materials for you to work on. Be they items that you need to reverse engineer, images for OSINT searches, images with hidden data inside of them, they will all require you to download and extract the files. All of them come in password-protected form, with the password being hackthebox

You can select a Challenge from one of the categories below the filter line. You should be able to see all of them if no filters are activated on the platform.

All the needed controls are on the Challenge's dedicated page.

Some Challenges come with their own Docker instances that you will need to boot up. Some come with archived files as mentioned above. Some come with both! Taking the example of You know 0xDiablos, this one has both options that you will need to explore and solve in order to finish the Challenge and find the flag.

In order to start an instance of the Docker associated with this Challenge, press on the Start Instance button. In order to shut it down, press the Stop Instance button. The host address that you will be interacting with, consisting here of a Docker instance, will be seen below the Stop Instance button once the container is up and running. 

From the same menu, you can also download the necessary files. All of them come in password-protected form, with the password being hackthebox

You can also submit the flag, add the Challenge to your To-Do list or view the Forum Thread for that respective one you're tackling.

Once you finish the Challenge and input the flag, you will need to select a difficulty rating before submitting. These will contribute to the overall difficulty graph above.

Note that the flags will always be in the format mentioned in the text box of the challenge. They will never deviate from that form: HTB{s0m3_t3xt}

Was this article helpful?

Can't find what you're looking for? Please contact our

Customer Support team