I’m so sick of the Hack The Box Academy website. It’s such a horrible, horrible website. Contacting them to report a problem is no help either. The people that respond are all about blaming the problem on you, or your computer, or your browser, or your ISP. They don’t even treat you like a paying customer. They act like you’re spending your own valuable free time to write them an email to lie about their website being broken.

New SSO Causes Constant Logouts

They made changes to add Single Sign On to all their websites a few months back and since then I can’t go for more than a couple of hours without having to re-login. Then, after I log back in, I have to figure out where I was and what I was doing before I was suddenly logged out. It’s totally jarring to say the least. Obviously they don’t care about their customers or else they’d have fixed the problem when I first told them about it months ago.

It took me six emails to get their tech-support people to acknowledge there was actually a problem. I sent them screenshots of all the console errors present just before I am logged out:

HTB - Console Errors

HTB - Console Errors

As a software engineer I can tell you from direct experience that a little bit of broken JavaScript will make other JavaScript not work too. They said all those red error messages are not a problem:

HTB - Console Errors Denial

What does “be logging in the following next days” mean? What are these people smoking?

In the end I got this email response:

HTB - Sorry, nothing we can do response

Not much we can do? How about changing the SSO timeout to something more reasonable than two hours? How about fixing the JavaScript errors that could very well be causing the problem? How about actually caring about your PAYING customers?

I’m logged in to literally dozens of other websites, using SSO, for months at a time, with no problems… using the same browser, the same computer, on the same internet connection. I have GB fiber and I’m not dropping any packets to anything I test. I’ve done everything they suggested and nothing helps. It’s their horrible website that’s broken.

Windows Hosts Connections

I can usually connect to their Linux machines without too much difficulty. The Windows machines, on the other hand, are completely broken. I can’t connect to most of them most of the time. Here’s a screenshot of what I get when I can’t connect:

HTB - xfreerdp can't connect

Emailing Hack The Box support to provide screenshots, I am told to please use their browser-based attack box instead of my own local computer over their VPN. OK, fine, why provide a VPN that you know doesn’t work?

But their own attack box doesn’t work either, I get the exact same error message:

HTB - xfreerdp can't connect

At this point I am told by Hack The Box support to try other remote desktop software, none of which works either. How am I supposed to learn about exploiting Windows when I can’t even connect to their Windows boxes?

At some point they suggested using the TCP version of their VPN configuration, instead of the UDP version. Doing this doesn’t help at all. It only makes the connection a lot slower, like you’re on dial-up, back in 1994. The UDP version of their VPN configuration is really the only option and the Windows connection issues don’t seem to care about the protocol type anyway.

I can connect to my own local Windows machine with xfreerdp with no problems using the same computer and same xfreerdp. The problem doesn’t seem to be on my end.

Quality Control on Content

There are a lot of errors with the Docker instances they have for you to spawn to do exploits on.

Like this morning for example. I started the XSS module and the very first example solution doesn’t work. I wasted 10 minutes trying with my own solution before giving up and having a look at their solution. And what do you know, their solution is exactly what I was already trying, it just didn’t work. Putting <script>alert(document.cookie)</script> in the blank and hitting enter doesn’t do anything. There’s no visible output anywhere.

I can’t begin to tell you how many times I’ve seen this same scenario. I try really hard, multiple times, to get something to work, only to find out that it’s the Hack The Box Academy content that’s broken. I’ve wasted so much time on Academy content that just doesn’t work.

Maybe it’s that super-duper high quality code Hack The Box writes:

HTB - HTML Errors

I’ll bet they can’t even spell “well-formed HTML”.

Not Worth the Money

I’m not sure if these are the people I want teaching me. They may know how to break stuff, but they are very lacking in quality control over the stuff they build. Using the Hack The Box Academy is a lot of wasted time and pain; it just does not seem worth it.