The ADHD-HTB playbook: hacking the brain that hacks the box
Ten friction-bypassing study methods for grinding HackTheBox with an ADHD brain, plus the two of them I turned into real tools: a Swipe-to-Pwn Anki deck and an htb-operator shell.
A captured spark. Unverified, unpolished, possibly wrong.
The bottleneck on HackTheBox was never the boxes. It was the eleven minutes between deciding to hack and actually typing nmap. ADHD doesn’t tax the work. It taxes the transition into the work. So the real exploit target was never the machine. It was the activation energy, and this whole playbook treats my own attention as the box to pwn.
What this is
Ten methods, each built to bypass one specific failure mode of the ADHD brain instead of trying to “fix discipline.” They fall into five categories, because each one is a different lever:
- Doomscroll-flipping turns the dopamine slot machine against itself: a Finsta-of-Doom feed of enumeration prompts, swipe-to-pwn reps. If the thumb is going to scroll regardless, point it at attack paths.
- Kinetic hacking chains cognition to the body. Squat while the Nmap scan runs. Pace the attack tree out loud. The fidget is the focus, not a distraction from it.
- Gamification bolts a second, faster scoreboard over the slow one: Ironman roguelike runs, a Forfeit Heist where stalling costs you something that actually stings.
- Friction-bypassing micro-commits shrink the doorway to something the brain can’t talk itself out of: a 90-Second Terminal Tax, a Loaded Gun left chambered from last session so there’s no cold start to dread.
- Sensory anchoring gives the state a physical handle: a 140 BPM pwn liturgy, a texture totem that means we are working now.
It closes on the meta-protocol: how to stack methods without burying yourself, and how to ride out the RSD spike when a box stonewalls you and the lizard brain files it as personal failure instead of what it actually is, a closed port.
The whole thing is the attacker’s mindset swung around to face inward. Find the trust boundary the system is hoping you’ll skim past, except this time the system is me and the boundary is the exact moment I open a new tab instead of a shell.
What got built
Two of the ten concepts graduated from idea to working tool in a single sitting:
- Swipe-to-Pwn Anki deck (
.apkg, 54 cards). Decision-format flashcards: the front is a signal you’d actually catch on a box, the back is the attack path it implies. Port and service enumeration, web-app tells, Linux and Windows/AD privesc, plus a handful of mindset cards. It’s pattern recognition compiled down into spaced repetition, so the lookup hardens into a reflex. htb-operator.bashrc, a paste-ready shell config. Apwnlauncher that is the Terminal Tax, recon functions with squat reminders wired in, anote/nextsystem for leaving the Loaded Gun chambered, andresumefor a zero cold start. Plus quick helpers and tmux-resurrect notes, so a dropped session doesn’t reset the activation cost back to maximum.
Open thread
Still on the bench: a one-shot installer that checks for and grabs the missing tooling (ffuf, gobuster, seclists, evil-winrm, and friends) so a fresh box never stalls on a command not found. Which is just the same thesis wearing a different hat. Every missing tool is a transition cost, and transition cost is the only enemy in the room.
The honest question this whole project is really testing: does engineering the environment beat trying to engineer the willpower? My bet is the environment wins every time, which is why this lives next to the quest log and not in some productivity-shame journal. Reps logged, not resolutions made.
Paths that lead here
- You will never know enough, and that's the job · Imposter syndrome in security isn't a character flaw; it's an accurate readout of an unbounded field, misfiled as a personal deficiency. The fix is a traversal strategy, not more knowledge.
Where this note points
- The attacker's mindset is systems thinking · Attackers don't break rules; they discover that the rules compose differently than the designers believed.
- CTF field notes: the web category · A running log of web challenges: patterns that repeat, traps I fell into, and the meta-skill CTFs are secretly teaching.
- Learning in public · The operating philosophy of this whole garden: publish the process, not just the conclusions.
More from these beds
- Metacognition, Eileen Gu, and the Fear of Going Public · The thing elite performers and good thinkers share is not raw talent; it is metacognition, the skill of watching your own mind. Here is what it is, why putting yourself out there feels so irreversible, and why the spotlight effect means it matters less than you think.
- The Dead Internet and Your Pattern-Hungry Brain · That creeping sense that the internet is mostly bots talking to bots has a name. Here is why the feeling is partly real, partly a trick your own mind plays, and what apophenia and the illusory truth effect are doing to you while you scroll.
- Explaining Without the Lecture · I got called a bad explainer, and I think I earned it. The fix isn't reading minds. It's the curse of knowledge, Grice's maxim of quantity, and treating an explanation like a game of catch instead of a monologue.
- The Diamond Lock: Writing Notes a Future Robot Can't Read · Quantum computers will slice through today's internet locks like a laser through glass. Inside the race to build math even a future super-machine can't crack: public-key crypto, Shor's algorithm, and the diamond lock.