Linux Hardening Expert (LHE) - HackTricks

Cover Image for Linux Hardening Expert (LHE) - HackTricks
Marmeus
Marmeus

Introduction

On March 27, 2026, I successfully achieved the Linux Hardening Expert (LHE) certification by HackTricks. I have built a great relationship with the HackTricks team, collaborating with them to refine this new certification and help increase its prominence within the cybersecurity community. Because of this firsthand involvement, I want to share my personal experience with the course and exam.

This post provides a unified overview of the course structure, the lab environment, and the exam itself, along with practical tips for anyone looking to sharpen both their offensive and hardening skills in Linux.

The Course Structure

While the course includes a foundational section dedicated to Linux Basics, covering the terminal, OS structure, and standard permissions, spending too much time here might eat into your 60-day lab access. If you have already spent time installing your own Linux distributions and learning the ropes independently, you can easily skip the basics and jump straight into the core material.

As a prerequisite, you should comfortably know how SSH works and how to navigate the terminal efficiently, as you will be doing this constantly.

Once you redeem your voucher on the website, your 60-day countdown begins. During this time, you will dive into the following core domains:

  • Main System Information: OS & Kernel, Sudo, PATH variables, Disks and Mounts, Inodes, symbolic/hard links, and File Descriptors.

  • User sessions

  • Interesting File Permissions: SUID & SGID Binaries, Capabilities, ACLs, ld.so , and other sensitive locations.

  • Network Information: Interface Discovery, Local Service Exposure, Network & Port Discovery/Enumeration, Sniffing, Firewalls, and Egress/Connectivity Testing.

  • Software Information: Web Technologies, Exposed Applications, Authentication Mechanisms, Access Control, Databases, and Credentials/Cryptographic Material.

  • Processess, Contrab, Systemd, D-Bus: Process Enumeration, Memory & Open Files, Cron Jobs/Scheduled Tasks, and D-Bus Enumeration/Abuse Paths.

  • Containers & Namespaces: Container & Namespace abuse, Kernel Protections for Containers/Runtimes, Control Plane, Image Security, and Distroless Security.

  • Cloud: AWS, GCP & Azure Metadata Enumeration

Unlike other HackTricks certifications that rely heavily on slides, the LHE course materials are highly robust, featuring video content alongside deeply documented text.

The Lab Environment

The course features nearly 150 practical labs where you apply what you have learned. Tasks range from simple file enumeration to compiling custom kernel modules to retrieve a shell. My biggest advice here is to strive to obtain a shell in every single lab, as this hands-on exploitation is exactly what you will need to succeed on the exam.

To help students navigate these challenges, the platform provides three main support systems:

  • Integrated AI Chatbot: By far the best feature of the course. It is perfect for answering quick questions, offering guidance, or debugging lab errors. However, do not blindly trust it to generate fully functional Exploits (PoCs). More often than not, you will need to combine the theory examples with PoCs from the HackTricks Wiki.
  • Lab Walkthroughs: The official solutions show you step-by-step how to solve the challenges, though you will still need to reverse-engineer the "why" behind them. At the time of writing, only ten official walkthroughs are live, but the team plans to add more to cover the massive volume of labs.

Note that unlike other HackTricks certs, this course lacks a dedicated "White Box/Black Box" pre-exam network simulation. Because of this, I highly recommend building your own enumeration methodology. Each main section relies on similar enumeration techniques; take detailed notes on them so you can easily deploy them during the exam.

The Exam Experience

The exam mirrors the format of the OSCP. You are provided with 5 virtual machines, each containing a single flag. Your goal is to gain an initial foothold, escalate privileges, and perform lateral movement to retrieve the flags.

Like other HackTricks exams, you are given a 12-hour window, but the LHE stands out because you must capture 5 distinct flags to pass. The exam layout is completely non-sequential, meaning you can attack the machines in any order and easily hop to a different target if you hit a wall.

My personal exam experience was incredibly smooth. There are no frustrating rabbit holes to get lost in. In fact, once you establish access to a machine, a clear "goal message" is displayed to help guide you toward the flag. The 12-hour limit was more than generous; the exploitation paths are derived straight from the theory and the labs, though they will require minor tweaks to adapt to the specific environment.

The Exploitation Loop

When taking the exam, it helps to follow a cyclical methodology. If you ever feel stuck, refer back to this loop to refocus your efforts:

  1. Map Your Privileges: Analyze the groups, privileges and commands your user can execute.
  2. Enumerate Resources: Search for internal endpoints, configuration files, or sensitive locations your current user can read, write, or modify.
  3. Exploit the information: Leverage your findings to execute a privilege escalation vector or move laterally to another user.
  4. Repeat: Once you land on a new user, immediately return to Step 1 and map your new permissions.

Conclusion

Is the LHE certification worth it? It is an excellent choice for newcomers to cybersecurity who want to build a rock-solid foundation in Linux systems, providing a deep dive that goes well beyond what the OSCP prepares you for.

At €350 (compared to the €1,000 price tag of other HackTricks certs), it is highly affordable, and students can even grab an additional 20% discount to make it even more accessible. I was pleasantly surprised by how deeply they covered the "Sudo" and "Containers" sections, as well as the unique focus on manipulating inodes and kernel modules.

Furthermore, the HackTricks team is incredibly responsive and always eager to hear constructive feedback and community critiques to improve the certification. If you are new to cybersecurity and looking for a definitive place to start your Linux pentesting journey, this is the cert to pick.