If you are a member of the “learn by doing” crowd, then these resources can help you practice hacking with a hands-on approach.
If you want to practice hacking, then you want to make sure you do it legally. The best way to do this is to use one of the many ethical hacking websites. From VulnHub to Hack the Box and everything in between, you can learn penetration testing from the comfort of your own home.
Table of Contents
- Practice Hacking – Introduction
- Hacker101 – Training From HackerOne?!
- Try Hack Me – A FUN Way to Learn Cyber Security from Scratch
- VulnHub – the BEST Ethical Hacking Practice?
- Hack the Box – Free and Competitive Pentest Practice
- Exploit Exercises – Defunct Hacking Websites
- DIY – Learn Hacking on Your Own Terms
- Practice Hacking – Conclusion
Practice Hacking – Introduction
Hacking to learn and learning to hack is fun, but you want to make sure that you do it legally!
Other than capture the flag events, vulnerable machines or labs are a great way to learn some ethical hacking tools and techniques.
That said, there are a few more directed approaches, so hopefully, I can cover them here.
Hacker101 – Training From HackerOne?!
This looks to be a free web security class that includes video lessons, guides, and resources.
I’m guessing that it is HEAVILY geared towards web application testing and bug bounty programs, but that is still awesome.
It also includes a 24/7 CTF competition, so I had to include it here!
If you’ve used this platform before, or think I should try it out, then let me know.
TryHackMe – A FUN Way to Learn Cyber Security from Scratch
While I haven’t played on TryHackMe a ton, it’s a really great platform.
The nice thing about TryHackMe is that it has smaller lessons and challenges.
I want to play on their platform a bit more, but let me know if you have any suggested challenges/competition!
There is a subscription-based model, but you can still play the challenges for free.
For now, I’ll provide you with some write-ups until I have my own.
Try Hack Me Write-Ups
VulnHub – the BEST Ethical Hacking Practice?
Practice Hacking – What is VulnHub?
If you are not familiar, VulnHub is a large repository of vulnerable machines and targets available for download.
Its goal is to provide materials so that anyone can gain hands-on experience with security and administration.
For more information, check out their about page.
Free Vulnerable Machines to Learn Ethical Hacking
While VulnHub isn’t the simplest way to learn ethical hacking, it is still one of my favorites.
You pick a random virtual machine that sounds interesting, download it, and get to work.
I’m hoping to work on some guides to make this process easier, but most of my walkthroughs cover it.
That said, if you aren’t familiar with networking and virtualization, this might not be the best first step for you.
VulnHub CTF Write-Ups
Honestly, I’ve spent so much time on VulnHub, these posts will be the majority of my content.
If you see any issues with these write-ups, or want to see more, then let me know.
- Tr0ll: 1 Walkthrough – TROLL, IN THE OS!
- Tr0ll: 2 Walkthrough – You Gotta Pay the Troll Toll
- Kioptrix Level 1 (#1) Walkthrough
- Kioptrix Level 1.1 (#2) Walkthrough
- Kioptrix Level 1.2 (#3) Walkthrough
- Kioptrix Level 1.3 (#4) Walkthrough
- Kioptrix 2014 (#5) Walkthrough
- SecOS 1 Walkthrough
- Pegasus Walkthrough – A Magnificent Horse, With the Brain of a Bird
- Knock-Knock: 1.1 Walkthrough
- Brainpan: 1 Walkthrough
- Brainpan 2 – Trolling, Headaches, and a fun Challenge!
- Casino Royale VulnHub Walkthrough – Bond, James Bond
- VulnHub Photographer Walkthrough – PHP FTW!
- VulnHub Funbox 1 Walkthrough – Rbash Escape
- VulnHub Sunset Decoy Walkthrough – Cracking with John
- VulnHub CyberSploit 2 Walkthrough – Docker Privilege Escalation
- VulnHub Sunset Midnight Walkthrough
- VulnHub Investigator Walkthrough – Phone Hacking?
- VulnHub Relevant Walkthrough – More WordPress Exploitation
- VulnHub InfoSec Prep OSCP Walkthrough – Stealing SSH Keys
Hack the Box – Free and Competitive Pentest Practice
If you want something more inclusive or easier, then maybe HTB is for you.
The de facto standard for vulnerable machine platforms is Hack the Box, and for good reason. You can attack multiple different machines, view write-ups, and compare your score to others around the world.
I’ve only finished two boxes on this site myself, but they were a ton of fun.
The nice thing about HTB is that you can also see solutions for retired boxes, so you can learn by following along.
As far as the paid services go, they have a few options.
HackTheBox provides a VIP subscription as well as various Pro Labs.
The VIP subscription provides access to VIP retired machines, retired challenges, Pwnbox, official write-ups, VIP servers, CPE credits, and more advanced search functionality.
The various HTB Pro Labs are subscription-based access to more advanced courses, effectively an internal certification course.
While I don’t have a paid HTB subscription yet, I may go for one to try and climb that leaderboard soon!
Practice Hacking – HackTheBox Write-Ups
Like I said before, I only have two write-ups for HTB, but they were still really enjoyable.
Exploit Exercises – Defunct Hacking Websites
I wanted to include more about Exploit Exercises, but it appears that the domain was bought out by some link spammers.
This was a fun site that focused a bit more heavily on binary exploitation.
I was only able to finish one write-up, but I’ll include it as an almost post-mortem.
DIY – Learn Hacking on Your Own Terms
If I had to guess, this is the category that I will be spending the most time on going forward.
Not only do you have more control in setting up your own practice environments, but it also helps with my CTF development.
For now, I only have one real post in this category, but I’m hoping for more soon.
While I have nothing major to announce yet, stay tuned for a tool release in 2022 to make this easier!
Practice Hacking – Conclusion
I know that there aren’t as many resources on this page as my CTF post, but it will get there.
There are so many more hacking practice websites, but I haven’t had the opportunity to try most of them.
If there’s anything important that I’ve left out, then let me know!
In the meantime, please feel free to write up some challenges and post them here, so that I can get some free content.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.