Tiro - Somewhere To Store The Stuff I Knew

A blog I've put together to store notes, write-ups and things I've learned over the years.

28 November 2020

HackTheBox Academy Initial Impressions

by Agent_Tiro

The Academy

At the start of November HackTheBox released the Academy and I was lucky enough to get access a week early to check out the content and give some feedback. Following the launch I have continued on with completing content within the Academy and wanted to give some impressions on my experience with it.

The Academy is a separate offering from HackTheBox that breaks topics down into Modules. At the time of creating this post there are 21 Modules available, of which I’ve done 14. These are split into four difficulties:

The site lets you filter by difficulty so you can quickly identify what is available for your desired skill level and get started. The wide range in difficulty levels does answer one of the criticisms that is often made about HackTheBox - that the content on the main site can be intimidating to absolute beginners. The Academy helps make that on-ramp easier. There are even two modules designed to help users understand the skills needed to solve the sign-up challenge. The screenshot below gives an example of the site layout.

Modules

Module Content

All the modules I’ve done have had more depth to the content than I was expecting initially. Not only do you get the theory and how to perform the techniques discussed, there are also exercises to complete that demonstrate what has been explained. As you move through the module those exercises help you learn how to apply the technique effectively. This then culminates in a skills assessment at the end of a module. This skills assessment takes everything you’ve learned and puts you in a situation where you will need to bring it all together in a scenario. They are designed in such a way that the module content covers everything you will need, but you will have to apply some critical thinking on how best to apply them in order to achieve the objective.

So, what makes the content so good? As mentioned above the detail is incredibly thorough - a lot more than other similar online trainings I’ve seen and it is up there with well-known certification related courses. Plus you don’t even need to use a virtual machine if you don’t have one set up already. You get access to the HackTheBox pwnbox to use for all the modules, and it is configured in a way that you have everything you need to complete the content. The targets you spawn are your own personal instance, so no finding other users’ artefacts that can spoil things.

The people who are working on the content are very knowledgeable in their field and have been doing this for quite a while. There are also some guest contributors - for example the recently added SQL Map Essentials was made by the creator of the tool, and the Cracking Passwords with Hashcat module has had feedback and improvements from a member of the Hashcat team included. Ippsec has also been involved with some modules, and as much as HackTheBox is known for the pentesting side of security there is a real effort at also educating blue teams. Even in the offensive focused modules there are sections showing how to defend against or detect these techniques in many of the modules. There are also dedicated defensively focused modules available with many more to come. Perfect for becoming a well-balanced and knowledgeable security professional.

Sections in the modules are also linked into real world application of the techniques, giving a good understanding of how to use them effectively during a real penetration test. The exercises and skills assessments remind me of things I’ve done in real engagements in the past.

Nmap Module

Cubes

The Academy is split into different tiers, with each tier costing a different amount of cubes. Cubes can be purchased as a one-off transaction or on a subscription model, with varying amounts depending upon your requirements. As you complete exercises within a module and the final skills assessment you are rewarded with some cubes as well. The table below gives an overview of this.

Tier     Cost (cubes)   Reward (cubes)
Tier0    10             10
Tier1    50             10
Tier2    100            20
Tier3    500            100
Tier4    1000           200

Upon signing up to the Academy you are gifted 30 cubes, and by completing the Intro To Academy you can gain an additional 10 cubes. This is enough to complete all of the Tier0 content - of which there are currently 10 modules. Doing them will give you a good indication of the quality on offer and from there on you can decide what you want to learn.

The cost of the cubes may appear expensive - especially for the high tier modules. But this is down to the perception of what you assume you are going to get. Many people are used to online training materials and a lot of it is very much the same and repeats the same content to the same level. The content available on the Academy should be thought of as more on the same level that you would expect when you pay for a professional certification course - such as those offered by Offensive Security, SANS etc. You are not just paying for the educational content, but also the supporting infrastructure for the labs that lets you consolidate your learning. The bonus you get with this method is that you don’t need to spend large sums of money on a full course. You can pick and choose the elements that interest you the most.

Dashboard

Summary

I am really enjoying the content available so far in the Academy, and having had a few conversations with some of the staff making more content for it I’m excited to see what is in the pipeline for release. There is going to be something for everyone. It is good value for money and can help complete beginners learn the fundamentals, whether that is just to get better at CTFs or for any aspiring red teamers and blue teamers. It is definitely worth checking out, so give the Tier0 modules a try, along with any others that catch your eye.

If you need some guidance with any of them or just want to provide feedback then come chat to us on the Discord.
