The most annoying part of penetration testing so far is the training box instability. For example, on Hack The Box Academy, I’ll be working on a box and then it will go down and stop responding, for no apparent reason. It’s not just an occasional thing, it happens all the time. I’ve tried re-downloading my VPN config file and I’ve tried avoiding different times of day, etc., but nothing seems to make a difference.

It’s frustrating to be in the middle of something and then have the box go down. When I reset it I have to start all over again. The deeper I go into training the longer it takes to get back to where I was. It’s a real time sink.

Another very annoying thing is getting different Nmap scan results on the same box in between resets. Just this morning I was looking for an open FTP port and found nothing. I scanned again and got nothing, again. Meanwhile, the course module is telling me there is an open FTP port and to go find it. So what can I do? I reset the box and ran the exact same scan a third time, and like magic an FTP port showed up! I’m not sure what’s going on there, but it’s very frustrating.

As a long-time software engineer, I’m used to things being more stable and predictable. This is not that. Sure, things crash and break sometimes in software engineering, but it’s usually because of something I did. In this case, it’s not me.

Maybe I should just factor the instability into the equation. Do my initial Nmap scan, and then a box reset followed by a second scan. That way I can maybe be sure I’m not missing anything?

I think “try harder” may actually just mean “reset the box”. But in the real world I can’t imagine asking the client to please reset their box, so I can try harder.