Hack The Box
Roadmap
Feedback
Changelog
Back to changelog
Powered by Canny

new

Enterprise

Offensive

Defensive

New exclusive content available on business plans

Six (6) new exclusive releases just dropped on Dedicated Labs, featuring CVE exploitation, AD delegation abuse, MITRE-based threat hunting, and unauthenticated RCE in modern web stacks.
  • Surcery | Exclusive Machine:
    Exploit CVE-2025-32463 by abusing the -R flag in sudo to load a malicious shared library via NSS and escalate privileges to root.
  • Oyako | Exclusive Machine:
    Chain Spring Boot RCE, Resource-Based Constrained Delegation, and AD Trust misconfigurations to escalate from child to parent domain controller.
  • VulnAir-1 | Exclusive Sherlock:
    Explore the TTPs of APT group LazyScripter through the MITRE ATT&CK framework to sharpen threat intel and hunting capabilities.
  • VulnAir-2 | Exclusive Sherlock:
    Investigate threat actor Chimera using MITRE-based analysis and real-world detection workflows for blue teams and SOCs.
  • LootLagoon | Exclusive Challenge:
    Exploit CVE-2024-56145 in Craft CMS via Twig template injection over FTP for unauthenticated RCE.
  • RansomNet | Exclusive Challenge:
    Abuse CVE-2025-48828 in vBulletin to gain RCE by bypassing access controls and injecting templates through the API.