TryHackMe vs HackTheBox. These two sites provide education to hobbyists, students and professionals in cyber security. But you may be thinking which one is the best for your style of learning?
What Matters To Me
When reviewing the two, I am not going to simply say one is better than the other. I am going to break it down into several categories; purpose, content, usability, reliability and paid-services. By doing this you can make a more educated decision on which one may suit you and be worthy of your hard earned subscription money.
Both sites have evolved greatly over the last 12 months. The good thing is both have significantly improved over that time. With increasing interest in cyber security, knowledge and training is being sought. Universities are providing certifications for these roles but with the amount of students in this field, the more knowledge you know, the better your job opportunities. The field is also vast, we are yet to see a single person that is the all powerful master of all that is Cyber Security. This is partly because the field is literally changing day by day.
So if you have got your degree, or you are looking to get your degree and want some foundational training, you are probably looking for a reliable, easy way to learn about cyber security.
When I originally (Over a year ago) joined HTB, I was greeted by a challenge. Hack your invite code! Which was actually a reasonably difficult challenge for a novice wanting to learn more about pen testing and cyber security. At the time of publishing this article however, HTB has a simple registration portal, much like any other. So although it was cool, I think with competition like THM they thought it was a better idea to get people in the door; then hit them with some challenges.
In November 2020 HTB released their Hack The Box Academy. This is the main area I am going to focus on as it really provides the same purpose as THM, and that is train people in cyber security. THM from when I first signed up has always had a simple signup service, and the learning modules are very similar to HTB. So both sites are providing the same purpose, but which one provides content in the way you want to learn?
HackTheBox is slowly moving towards more of a supportive learning platform than it once did, Where once you had to look through a random assortment of boxes to hack, with only a user score giving you an indication of how hard it was. Now there are learning tracks, challenges, battlegrounds and more to get your teeth into, very much moving toward teaching rather than throwing you in the deep end. Hack The Box Academy is really the platform that they should be promoting more on its main page as I feel it has the kind of content that most users are looking for when starting out.
Providing 5 tiers of training and a total of 34 modules created by the community and curated by HTB. The learning paths go from Linux Fundamentals right up to Linux privilege escalation and Intro to assembly language. Each part also requires a ‘cube’ payment to unlock, and completing other modules will reward you with ‘cubes’. There are also pre-selected learning paths to follow or you can select your own modules and complete them in the order you wish. They can also be filtered to show modules that are more suited to the direction you wish to go in cyber security, offensive or defensive. Bear in mind, some of this content is locked behind a paywall which be discussed later.
For more advanced users there is a significant library of over 200 boxes to hack of varying difficulty levels. HTB was built up originally over time with this library and it really has a broad range to attempt. The boxes combined with easy to access walkthroughs when you get stuck, is perfect for anyone that wants less of a learning path and just wants to smash boxes all day long.
TryHackMe focuses less on hacking boxes and puts you straight into learning. THM is far more of a hold your hand as you learn experience. The learning paths provided are Cyber Defense, Complete Beginner, Offensive Pentesting, CompTIA Pentest+, Web Fundamentals and the newly added Pre Security. A write-up for this new learning path can be viewed here. These learning paths give you an idea of how many rooms they contain and the estimated time to complete the learning path. Each path is then broken down into sections and made up of modules created by the community and curated by THM.
If following a learning path isn’t your thing then there is a library of 416 modules that are fully searchable covering a wide range of topics. Again, bear in mind, some of this content is locked behind a paywall which be discussed later. Both sites have a good amount of information for anyone wishing to get into studying. I do feel that THM eases you in a bit easier and has a wider range of beginner topics to start with. But if you are a more advanced users and are seeking a challenge then HTB will certainly provide that.
Starting with TryHackMe, the interface is very simple. It doesn’t try and give you lots of options from the get go. Select your learning path. Select the first module and then start going through the tasks. Each room will provide you with simple instructions and as you move through and your progress will be updated. One very nifty feature on THM is the way the answer fields provide an “answer format” hint. This saved us time many times with simple formatting issues. A simple yet appreciated feature.
Access to virtual machines is simple with their included browser accessible attack box (1hr per day) which will split the screen down the middle and allow you to complete the training paths without any other software. THM also provides VPN access if you want access with you own box. Paid subscription will also open up a bigger range of VPN servers and unlimited access to the attack box and a KALI attack box.
HackTheBox uses a very similar format. Unlock the module you want with your cubes. each section of the module is broken down into parts. Read through the content and complete the questions as you go. These answer sections don’t have a format hint in the submission boxes but they do have similar hints for difficult parts like THM.
Interactive sections of the modules also have boxes to spawn the HTB Pwnbox. Similar to the attackbox of THM this will give you a simple web interactive box to complete the challenge using Parrot OS. Without a subscription the amount of times you can launch the pwnbox instance is limited. This however is not a huge issue, because if you are learning cyber security, I highly recommend setting up a virtual machine with your own choice of OS and connect to either of these sites with the openVPN credentials.
Reliability is sometimes difficult to measure. Bad experiences can sometimes be caused by the user and not the site you are accessing. Once such user error involves checking if the VPN tunnel is still up in your instance as spawning multiple will have a detrimental effect. Some of these reliability issues are also “created” by the sites themselves to push you towards a subscription. From my experience the web based attack boxes on both sites have been very reliable, albeit frustrating when you run out of time if you don’t have a subscription.
In terms of reliability of the content in the learning paths, The quality of both sites is very high and I have noticed minimal to no errors overall. The content is very well curated and checked. I ran into no issues when entering answers into designated areas. VPN connection speed overall has been very high but users outside of the main server regions may suffer more lag than others.
The only other reliability issue I had was with the HTB free boxes as they are shared instances. But as I said earlier, most of these issues can be resolved with a subscription which I will discuss next.
Paid subscriptions. For some reason, paying for content really seems to put some noses out of joint. I would like to draw some comparisons and tell you why I think you should support and subscribe to these services.
A postgraduate degree in Australia, for example the Graduate Certificate in Cybersecurity will cost you around $15,000 by the time you have completed it. However some entry level certifications like the CompTIA Security+ and CySA+ will cost about $500 each. If you want to get started in this field then I recommend starting out by getting your feet wet with some of these entry level certifications and get involved in the industry and see if you need to move towards a University qualification or advanced certification. Some companies would jump at the opportunity to hire someone with drive and competency to learn than someone with big qualifications and no interest to learn further.
Now combine this with the training materials that TryHackMe and HackTheBox can provide. There is literally hundreds of hours of material at your fingertips with support and a community of tens of thousands to help you. How much do they cost you ask. THM offers a premium subscription at 8 pounds per month (~17 AUD) so for the cost of about $208 AUD a year you get the following upgraded features which I think will assist your learning.
HackTheBox is slightly more complicated as they have split their subscription model over their main site for hacking boxes and their academy website. The main site offers a VIP package and a VIP+ package prices at 10 pounds per month and 15 pounds per month respectively.
HackTheBox Academy is a bit more confusing as they change the currency to USD (can be adjusted if you hit one of the subscribe buttons) and offer 3 separate subscriptions and a special one if you are a student. I think a staged approach would be best if starting off to see if you are getting the value you want from HTB Academy you want before upgrading your subscription.
While value for money will depend on your skills and knowledge I do not want to understate the amount of work that these sites put in on the back end to make them run well with the demand they receive. It is not cheap to run the services they do and the fact that they provide free content is great in itself. But remember that the money you pay for a service like this is put back into servicing the community of cyber security and providing a platform that we can all learn and share upon.
So TryHackMe Vs HackTheBox? The main thing I want to get across here is that it is not about which site is better than the other. Both provide resources and training in a field that moves faster than we have ever seen before and one that is only going to get bigger. Get involved with the community and look at some of these modules that cyber security experts have created. If you get the value you need out of it and move up in the field please look at supporting sites like these as they need your support to keep evolving and come up with new ways to challenge us.
Both sites provide excellent resources for free so I recommend jumping into both of them. If you want to throw some money at them then the most cost effective one to start with is TryHackMe with their premium subscription. Then if you want to go and trying some of HackTheBox’s really challenging boxes then their VIP+ subscription is a good step to access some of the extra features.
Lastly, none of this was sponsored by TryHackMe of HackTheBox. This is purely giving back to the sites that have given us a tonne of information and fun over the last few years (Yes, Fun, When you hit that root flag, it tastes so good)
To access TryHackMe go to https://tryhackme.com/