It’s very difficult for a beginner security analyst, especially when it comes to the intrusive security field, to find good study resources. Given that security has many sub-areas of study, like penetration testing (web app, network, wireless, mobile), forensics, reverse engineering, cryptography, etc., it becomes even more difficult to choose one and then find proper study resources.
Another difficulty is finding actual study environments and labs. Every pentester would generally say that you learn hacking by hacking, which is hard for most beginners, as they don’t generally have the knowledge necessary to build their own pentesting/hacking environments. Most beginners try to start hacking using public Internet resources, which will eventually get them in jail because of the several laws they will break by attacking resources they don’t have prior permission to test.
With that thought in mind, I’ve decided to gather a list, as complete as I could make it, with all vulnerable pentesting apps, labs, online challenges, in other words, any resource that can be used to learn and test your security skills in a safe environment, without breaking any laws. The list is categorized based on the type of application (Web App, War Games, Capture the Flag, Insecure Distributions, etc.). Due to the number of resources, I won’t be doing any reviews, as it would make this post a lot bigger and make it extremely boring to read. I will review every app eventually in future posts, at least for the ones that I feel are most relevant.
As I don’t know every insecure pentesting app on the planet (actually nobody does), feel free to contact me with any new resources or corrections to my list. Also, please let me know if there are any corrections to be made or links to be replaced if they are not working.
Note that this post is intended to present the many different resources you can use to test your hacking skills; it doesn’t present the tools used to exploit them. Also, in the PRICE column, follow this color code:
- $$$: Paid Resource
- $$$: Free Resource
- $$$: Resources that offer free content, and also a paid subscription for additional content
And here we go …
War Games
This section presents wargame and miscellaneous challenge websites.
Resource Name | Company / Owner | Language | Price | URL |
Hell Bound Hackers | Hell Bound Hackers | English | $$$ | https://www.hellboundhackers.org/ |
Pentestit | Penetration Test Labs | English | $$$ | https://lab.pentestit.ru |
Crackmes | S4R and Bonclay | English | $$$ | https://crackmes.one |
Root-me | Root-me | English | $$$ | https://www.root-me.org |
Tuts 4 You | Tuts 4 You | English | $$$ | https://tuts4you.com |
Smash the Stack | Smash the Stack | English | $$$ | https://www.smashthestack.org |
Over the Wire | Over The Wire | English | $$$ | https://overthewire.org/wargames/ |
Hack This Site | Hack This Site | English | $$$ | https://www.hackthissite.org |
Hacking Lab | Hacking Lab | English | $$$ | https://www.hacking-lab.com |
Hacker101 | HackerOne | English | $$$ | https://ctf.hacker101.com |
Malware-Traffic-Analysis | Malware Traffic Analysis | English | $$$ | https://malware-traffic-analysis.net |
Practical Pentest Labs | Practical Pentest Labs | English | $$$ | https://practicalpentestlabs.com |
The Dead Lock Empire | The Dead Lock Empire | English | $$$ | https://deadlockempire.github.io |
The Crypto Pals | The Crypto Pals | English | $$$ | https://cryptopals.com |
SlaveHack | SlaveHack | English | $$$ | https://www.slavehack2.com |
EnigmaGroup | EnigmaGroup | English | $$$ | https://enigmagroup.org |
Android Labs | Security Compass | English | $$$ | https://securitycompass.github.io/AndroidLabs/index.html |
TryHackMe | TryHackMe | English | $$$ | https://tryhackme.com |
Defend The Web | Hack This | English | $$$ | https://defendtheweb.net/ |
Bright Shadows | The Black Sheep | English | $$$ | https://www.bright-shadows.net |
Try2Hack | Try2Hack | English | $$$ | http://www.try2hack.nl/ |
Praetorian | Praetorian | English | $$$ | https://www.praetorian.com/challenges |
PwnerRank | PwnerRank | English | $$$ | https://www.pwnerrank.com |
SEED Labs | SEED Labs | English | $$$ | https://seedsecuritylabs.org/labs.html |
id0-rsa | id0-rsa | English | $$$ | https://id0-rsa.pub/ |
LMG | Network Forensics Puzzle Challenges | English | $$$ | https://forensicscontest.com |
Hacker Project | Hacker Project | English | $$$ | http://www.hacker-project.com |
Hacker Forever | Hacker Forever | English | $$$ | https://www.hackerforever.com/ |
Net Force | Net Force | English | $$$ | https://net-force.nl |
Shellter Labs | Shellter Labs | English | $$$ | http://shellterlabs.com/ |
BackDoor | SDSLabs | English | $$$ | https://backdoor.sdslabs.co |
We Chall | We Chall | English | $$$ | https://www.wechall.net |
XSS Game | | English | $$$ | https://xss-game.appspot.com |
Exploit-Exercises | Exploit-Exercises | English | $$$ | https://exploit-exercises.com |
W3Challs | W3Challs | English | $$$ | https://w3challs.com |
Ring Zero Team | Ring Zero Team | English | $$$ | https://ringzer0team.com/challenges |
Challenges | Ka0Labs | English | $$$ | https://challenges.ka0labs.org |
PWNABLE.KR | PWNABLE.KR | English | $$$ | http://pwnable.kr |
REVERSING.KR | REVERSING.KR | English | $$$ | http://reversing.kr |
MicroCorruption | MicroCorruption | English | $$$ | https://microcorruption.com/login |
Hax Tor Hu | Hax Tor Hu | English | $$$ | http://hax.tor.hu/welcome |
Counterhack | Counterhack | English | $$$ | http://counterhack.net/Counter_Hack/Challenges.html |
Mod-X | Mod-X | English | $$$ | http://www.mod-x.co.uk/main.php |
Hackertest | Hackertest | Hackertest | $$$ | http://www.hackertest.net |
World of Wargame | World of Wargame | English | $$$ | https://wow.sinfocol.org |
Electrica | Caesum | English | $$$ | http://www.caesum.com/game |
Happy Security | Happy Security | German | $$$ | http://www.happy-security.de |
Rankk | Rankk | English | $$$ | http://www.rankk.org |
Newbie Contest | Newbie Contest | French | $$$ | https://www.newbiecontest.org |
Lost Challenge | Lost Challenge | English | $$$ | http://www.lost-chall.org |
Yashira Wargame | Yashira Wargame | Spanish | $$$ | http://www.yashira.org |
Brain Quest | Brain Quest | Slovak | $$$ | http://www.brainquest.sk |
ThisIsLegal | ThisIsLegal | English | $$$ | https://thisislegal.com |
TryThisOne | TryThisOne | English | $$$ | http://trythis0ne.com/ |
TDHack | TDHack | Polish | $$$ | https://www.tdhack.com |
+Ma’s Reversing | +Ma’s Reversing | English | $$$ | http://3564020356.org |
Hacker.org | Hacker.org | English | $$$ | http://www.hacker.org |
HackBBS | HackBBS | French | $$$ | https://hackbbs.org/index.php |
Security Traps | Security Traps | Polish/English | $$$ | https://www.securitytraps.pl |
SPOJ | SPOJ | English | $$$ | http://www.spoj.com |
WebHacking | WebHacking | Korean | $$$ | http://webhacking.kr |
uContest | uContest | English/French | $$$ | http://www.microcontest.com |
Valhalla | Valhalla | English | $$$ | https://halls-of-valhalla.org/ |
SuNiNaTas | SuNiNaTas | Korean | $$$ | http://suninatas.com |
Yoire | Yoire | English | $$$ | http://yoire.com |
Wixxerd | Wixxerd | English | $$$ | https://www.wixxerd.com |
Hacking Challenges | Hacking Challenges | German | $$$ | http://www.hacking-challenges.de |
Red Tiger HackIt | Red Tiger Labs | English | $$$ | https://redtiger.labs.overthewire.org |
Tasteless Challenges | Tasteless | English | $$$ | http://chall.tasteless.eu |
Mod X | Mod X | English | $$$ | http://mod-x.co.uk/main.php |
ae27ff | ae27ff | English | $$$ | http://ae27ff.meme.tips/about.php |
Hacker Gateway | Hacker Gateway | English | $$$ | https://www.hackergateway.com |
Pwnable TW | Pwnable TW | English | $$$ | https://pwnable.tw |
Try To Decrypt | Try To Decrypt | English | $$$ | https://www.trytodecrypt.com |
Web Application Hacking
This section presents resources for Web Application Security.
Vulnerable Machines and Hacking Playground
This section presents resources that offer full network labs covering different aspects of security, such as network, wireless, web, and mobile pentesting, reverse engineering, and privilege escalation, among others.
Resource Name | Company / Owner | Language | Price | URL |
Hack the Box | Hack the Box | English | $$$ | https://www.hackthebox.eu/ |
Hera Lab | eLearnSecurity | English | $$$ | https://ine.com/pages/cybersecurity |
Vuln Hub | Offensive Security | English | $$$ | https://www.vulnhub.com |
Root the Box | Root the Box | English | $$$ | https://root-the-box.com |
Metasploitable 2 | Rapid7 | English | $$$ | https://docs.rapid7.com/metasploit/metasploitable-2/ |
Metasploitable 3 | Rapid7 | English | $$$ | https://github.com/rapid7/metasploitable3 |
Capture The Flag (CTF) Resources
This section presents resources for Capture The Flag (CTF) challenges.
Resource Name | Company / Owner | Language | Price | URL |
CTFtime (CTF Info Aggregator) | CTFtime | English | $$$ | https://ctftime.org |
CTF365 | CTF365 | English | $$$ | https://ctf365.com |
CTF Learn | CTF Learn | English | $$$ | https://ctflearn.com |
HC’s Capture the Flag | HD | English | $$$ | https://ctf.hcesperer.org |
iCTF | UCSB | English | $$$ | https://ictf.cs.ucsb.edu |
PicoCTF | PicoCTF | English | $$$ | https://picoctf.com |
HS CTF | HS CTF | English | $$$ | https://hsctf.com |
Ghost in the Shellcode | ShmooCon | English | $$$ | https://ghostintheshellcode.com |
CSAW CTF | CSAW | English | $$$ | https://ctf.isis.poly.edu |
Defcon CTF | Defcon | English | $$$ | https://legitbs.net |
Next Hacker | Next Hacker | English | $$$ | https://www.nexthacker.com |
Cyber Forensics Challenge | Black T-Shirt | English | $$$ | https://cyberforensicschallenge.com |
I hope you have fun!