A comprehensive, categorized collection of cybersecurity labs, vulnerable machines, training platforms, and documentation resources for hands-on practice and skill development.
This repository organizes resources into the following categories for easy navigation:
| Category | Description |
|---|---|
| All Results | Complete list of all resources |
| CTF & Wargames | Capture The Flag platforms and wargame environments |
| Vulnerable Web Apps | Intentionally vulnerable web applications for testing |
| Downloadable VMs & Labs | Virtual machines and standalone lab environments |
| Documentation | Reference materials, guides, and learning resources |
| Free Mentored Training Provider | Guided learning platforms with mentorship |
Full-scale platforms for capture the flag competitions, wargames, and security challenges:
- HackTheBox (Free Tier) - https://www.hackthebox.com
- TryHackMe (Free Tier) - https://tryhackme.com
- OverTheWire - https://overthewire.org
- PicoCTF - https://picoctf.org
- Root-Me.org - https://www.root-me.org
- RingZer0 CTF - https://ringzer0ctf.com
- HackThisSite - https://www.hackthissite.org
- SmashTheStack - http://smashthestack.org
- WeChall - https://www.wechall.net
- NewbieContest - https://www.newbiecontest.org
- W3Challs - https://w3challs.com
- Pentestit.ru - https://lab.pentestit.ru
- CTFlearn - https://ctflearn.com
- Cryptopals - https://cryptopals.com
- Pwnable.kr - https://pwnable.kr
- Pwnable.tw - https://pwnable.tw
- Reversing.kr - http://reversing.kr
- Microcorruption - https://microcorruption.com
- IO - https://io.netgarage.org
- HellBound Hackers - https://www.hellboundhackers.org
- EnigmaGroup - https://www.enigmagroup.org
- DVWA online - https://github.com/digininja/DVWA
- bWAPP online - http://www.itsecgames.com
- Google CTF - https://capturetheflag.withgoogle.com
- Facebook CTF - https://www.facebook.com/careers/life/hackathons
- HSCTF - https://hsctf.com
- NahamCon CTF - https://ctf.nahamcon.com
- CyberDefenders - https://cyberdefenders.org
- BlueTeamLabs Online - https://blueteamlabs.online
Intentionally vulnerable web applications for practicing web security testing:
- OWASP Juice Shop - https://owasp.org/www-project-juice-shop
- DVWA - https://github.com/digininja/DVWA
- bWAPP - http://www.itsecgames.com
- WebGoat - https://owasp.org/www-project-webgoat
- WebGoat.NET - https://github.com/WebGoat/WebGoat.NET
- DVIA - https://github.com/prateek147/DVIA
- InsecureBankv2 - https://github.com/dineshshetty/Android-InsecureBankv2
- Mutillidae II - https://github.com/webpwnized/mutillidae
- Hackademic - https://github.com/Hackademic/hackademic
- WackoPicko - https://github.com/adamdoupe/WackoPicko
- BadStore - https://github.com/bkimminich/BadStore
- Gruyere - https://google-gruyere.appspot.com
- Hackxor - https://hackxor.sourceforge.net
- XVWA - https://github.com/s4n7h0/xvwa
- Security Shepherd - https://owasp.org/www-project-security-shepherd
- Security Ninjas - https://github.com/OWASP/SecurityNinjas
- ZeroBank - https://github.com/OWASP/ZeroBank
- Altoro Mutual - https://demo.testfire.net
- Hackme CTF - https://hack.me
- CryptOMG - https://github.com/cryptOMG/cryptOMG
- Command Injection Lab - https://github.com/cybersecurity-labs/command-injection-lab
- XSS Labs - https://xss-game.appspot.com
- PortSwigger Academy - https://portswigger.net/web-security
- Django.NV - https://github.com/nVisium/django.nv
- RailsGoat - https://github.com/OWASP/railsgoat
- NodeGoat - https://github.com/OWASP/NodeGoat
- Spring Boot Vuln App - https://github.com/hdivsecurity/springboot-vuln-app
- Laravel.VWA - https://github.com/Live-Hack-CVE/Laravel-VWA
- WordPress Lab - https://wordpress.org/plugins
- Joomla Vuln - https://developer.joomla.org/security.html
- Drupal Vuln - https://www.drupal.org/security
- OWASP Broken Web Apps - https://owasp.org/www-project-broken-web-applications
- OWASP WrongSecrets - https://github.com/OWASP/wrongsecrets
- OWASP DevSlop - https://github.com/OWASP/DevSlop
- OWASP iGoat - https://github.com/OWASP/igoat
- OWASP GoatDroid - https://github.com/OWASP/GoatDroid
- OWASP Mobile Top 10 - https://owasp.org/www-project-mobile-top-10
- Vulnerable Flask - https://github.com/iridakos/flask-security
- Vulnerable Express - https://github.com/cr0hn/vulnerable-node
- SSRF Lab - https://portswigger.net/web-security/ssrf
- XXE Lab - https://portswigger.net/web-security/xxe
- Insecure Deserialization - https://portswigger.net/web-security/deserialization
- GraphQL Vuln - https://github.com/dolevf/graphql-security
- WebSocket Vuln - https://portswigger.net/web-security/websockets
- JWT Vuln - https://jwt.io/introduction
- OAuth Vuln - https://portswigger.net/web-security/oauth
- SAML Vuln - https://portswigger.net/web-security/saml
Virtual machines and complete lab environments for offline practice:
- Metasploitable 1 - https://sourceforge.net/projects/metasploitable
- Metasploitable 2 - https://sourceforge.net/projects/metasploitable
- Metasploitable 3 - https://github.com/rapid7/metasploitable3
- VulnHub - https://www.vulnhub.com
- Kioptrix - https://www.vulnhub.com/series/kioptrix,8
- FristiLeaks - https://www.vulnhub.com/entry/fristileaks-13,133
- Stapler - https://www.vulnhub.com/entry/stapler-1,150
- Mr-Robot - https://www.vulnhub.com/entry/mr-robot-1,151
- Brainpan - https://www.vulnhub.com/entry/brainpan-1,51
- Lord of the Root - https://www.vulnhub.com/series/lord-of-the-root,66
- Tr0ll - https://www.vulnhub.com/series/tr0ll,45
- PwnLab - https://www.vulnhub.com/entry/pwnlab-init,158
- SkyTower - https://www.vulnhub.com/entry/skytower-1,96
- IMF - https://www.vulnhub.com/entry/imf-1,162
- Breakout - https://www.vulnhub.com/entry/breakout-1,190
- Zico2 - https://www.vulnhub.com/entry/zico2-1,210
- DevRandom - https://www.vulnhub.com/entry/devrandom-1,211
- Misdirection - https://www.vulnhub.com/entry/misdirection-1,227
- HackFest2016 - https://www.vulnhub.com/entry/hackfest2016,190
- WinterMute - https://www.vulnhub.com/entry/wintermute-1,239
- Nebula - https://exploit.education/nebula
- Protostar - https://exploit.education/protostar
- Fusion - https://exploit.education/fusion
- Phoenix - https://exploit.education/phoenix
- CengBox - https://github.com/CengBox
- PwnOS - https://www.vulnhub.com/series/pwnos,25
- Lamphy - https://www.vulnhub.com/entry/lamphy,215
- Born2Root - https://www.vulnhub.com/entry/born2root-1,197
- HA: Narak - https://www.vulnhub.com/entry/ha-narak,434
- Bug Report Learning - https://hackerone.com/hacktivity
- Your Own Lab - https://github.com/infosecn1nja/Red-Teaming-Toolkit
Comprehensive documentation, guides, and reference materials:
- OWASP Official Documentation - https://owasp.org/www-project-top-ten/
- OWASP WebGoat - https://owasp.org/www-project-webgoat/
- GitHub Security Lab - https://securitylab.github.com/
- GitHub Advisory Database - https://github.com/advisories
- PortSwigger Web Security Academy - https://portswigger.net/web-security
- Hacksplaining - https://www.hacksplaining.com/
- SANS Reading Room - https://www.sans.org/white-papers/
- MITRE ATT&CK - https://attack.mitre.org/
- NIST Cybersecurity Framework - https://www.nist.gov/cyberframework
- AWS Security Documentation - https://docs.aws.amazon.com/security/
- Azure Security Documentation - https://learn.microsoft.com/en-us/security/
- Google Cloud Security - https://cloud.google.com/security
- EC-Council Resources - https://www.eccouncil.org/resources/
- INE Cybersecurity Training - https://ine.com/learning/cybersecurity
- Cisco Security Learning - https://www.cisco.com/site/us/en/learn/training-certifications/security.html
- Microsoft Learn Security - https://learn.microsoft.com/en-us/training/browse/?products=security
- VirusTotal - https://www.virustotal.com/
- ANY.RUN Interactive Malware Analysis - https://any.run/
- Hybrid Analysis - https://www.hybrid-analysis.com/
- TraceLabs OSINT - https://www.tracelabs.org/
- GRFICS OSINT Framework - https://grfics.github.io/
- K8s Goat - https://github.com/madhuakula/kubernetes-goat
- CloudGoat - https://github.com/RhinoSecurityLabs/cloudgoat
- Flaws.cloud - http://flaws.cloud/
- DetectionLab - https://github.com/clong/DetectionLab
- Secure Code Game - https://github.com/skills/secure-code-game
- Hack.me - https://hack.me/
- Hacking-Lab - https://www.hacking-lab.com/
- CTFtime - https://ctftime.org/
- Awesome-CTF - https://github.com/apsdehal/awesome-ctf
- SecurityTube - https://www.securitytube.net/
- InfoSec Institute - https://www.infosecinstitute.com/
- Docker Hub - https://hub.docker.com/
- Proxmox Documentation - https://www.proxmox.com/en/proxmox-ve
- GNS3 - https://www.gns3.com/
- RangeForce - https://www.rangeforce.com/
- LetsDefend - https://letsdefend.io/
- SecureFlag - https://www.secureflag.com/
- Bugcrowd University - https://www.bugcrowd.com/hackers/bugcrowd-university/
- HackerOne Hacktivity - https://hackerone.com/hacktivity
- Intigriti Hackademy - https://www.intigriti.com/hackademy
- HackToLive Academy - https://hacktolive.net/
- Offensive Security Platform - https://offsecplatform.com
Platforms offering guided learning with mentorship:
- HackToLive - https://hacktolive.net
- Virtualization software (VirtualBox, VMware, etc.)
- Basic networking knowledge
- Understanding of operating systems (Linux/Windows)
- Programming fundamentals (helpful but not required)
- Start with OverTheWire or PicoCTF for absolute beginners
- Move to TryHackMe or HackTheBox Free Tier for guided learning
- Practice on VulnHub VMs like Kioptrix or Metasploitable
- Explore Vulnerable Web Apps like DVWA or OWASP Juice Shop
- Use Documentation resources to deepen understanding
Stay curious, stay ethical, and happy hacking!