[Links] Resources - Wargames and Hacking Challenges
#1
[Links] Resources - Wargams and Hacking Challenges

Here's a handful of links to useful hacking resources, useful if you want to test and improve your skills, yet avoid law enforcement.

Wargames:

http://overthewire.org/wargames/

https://www.pentesterlab.com/

http://www.itsecgames.com/

https://exploit-exercises.com/

http://www.enigmagroup.org/

http://smashthestack.org/

http://3564020356.org/ (Note: Riddle-based and fairly old. Some challenges can be a hassle due to old age)

http://www.hackthissite.org/

http://www.hackertest.net/

http://www.wechall.net

https://www.securityoverride.org/

http://www.vulnhub.com/

https://hackthebox.eu (Send me a PM if you need an invite)

https://game.hacker.nz/ (Scada Hackme)

dropzone Wrote: http://pwnable.kr - Came across this pretty recently, all binary stuff at various levels. Pretty solid challenges and more accessible than overthewire or smashthestack.

https://microcorruption.com - This one is pretty cool as it takes place in your browser but you're doing low-level memory attacks. It's targeted at those with little experience in the realm and though it doesn't exactly hold your hand, it's a very nice way to learn about low-level attacks and getting used to working with a debugger.

http://www.bright-shadows.net - All sorts of challenges on here from Javascript and Web exploits to Stegano and Logic problems.

http://hellboundhackers.org - Like hackthissite they have a similar challenge setup.

http://real-forensic.com - This is more on the forensics side of things, but still a useful skill and afaik nothing really like it out there.

- 2020-04-38: Added new section. Credits to /cyb/sec/ community on 4chan/g/

CTFs/Practice Boxes(VMs)/War Games, etc.
NeverendingSecurity has a year-long training plan for working through a massive list of practice boxes/wargames/CTFs at his site (link below); though it is from 2015 & a few of the CTF/Practice Boxes/War Games listed there are gone, his post/plan is rock solid & includes a Mind Map PNG as a visual guide (that mind map was attached to my first Twitter post of this updated archive on 6/9/2019).

PLEASE NOTE: The resources from NeverendingSecurity's post (linked directly below) have already been added to this section's list ("CTFs/Practice Boxes (VMs)/War Games, etc.") with as many defunct entries removed as possible.

NeverendingSecurity's Penetration Testing Practice Lab - Vulnerable Apps / Systems https://neverendingsecurity.wordpress.co...ones-tabs/
NeverendingSecurity's Mind Map PNG for the material linked above - https://www.amanhardikar.com/mindmaps/Practice.png

Vulnerable Web Applications:
OWASP BWA: http://code.google.com/p/owaspbwa
OWASP Hackademic: http://hackademic1.teilar.gr
OWASP SiteGenerator: https://www.owasp.org/index.php/Owasp_SiteGenerator
OWASP Bricks: http://sourceforge.net/projects/owaspbricks & http://sechow.com/bricks
OWASP Security Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
Damn Vulnerable Web App (DVWA): http://www.dvwa.co.uk
Damn Vulnerable Web Services (DVWS): http://dvws.professionallyevil.com
WebGoat.NET: https://github.com/jerryhoff/WebGoat.NET
PentesterLab: https://pentesterlab.com
Butterfly Security Project: http://thebutterflytmp.sourceforge.net
LAMPSecurity: http://sourceforge.net/projects/lampsecurity
Moth: http://www.bonsai-sec.com/en/research/moth.php
WackoPicko: https://github.com/adamdoupe/WackoPicko & http://cs.ucsb.edu/~adoupe/static/black-...va2010.pdf
BadStore: http://www.badstore.net
WebSecurity Dojo: http://www.mavensecurity.com/web_security_dojo
BodgeIt Store: http://code.google.com/p/bodgeit
hackxor: http://hackxor.sourceforge.net/cgi-bin/index.pl
SecuriBench: http://suif.stanford.edu/~livshits/securibench
SQLol: https://github.com/SpiderLabs/SQLol
CryptOMG: https://github.com/SpiderLabs/CryptOMG
XMLmao: https://github.com/SpiderLabs/XMLmao
Exploit KB Vulnerable Web App: http://exploit.co.il/projects/vuln-web-app & http://sourceforge.net/projects/exploitcoilvuln
PHDays iBank CTF: http://blog.phdays.com/2012/05/once-agai...nking.html
GameOver: http://sourceforge.net/projects/null-gameover
Zap WAVE: http://code.google.com/p/zaproxy/downloa...ve-0.1.zip
PuzzleMall: http://code.google.com/p/puzzlemall
VulnApp: http://www.nth-dimension.org.uk/blog.php?id=88
sqli-labs: https://github.com/Audi-1/sqli-labs
bWAPP: http://www.mmeit.be/bwapp & http://sourceforge.net/projects/bwapp/files/bee-box & http://www.itsecgames.com
NOWASP / Mutillidae 2: http://sourceforge.net/projects/mutillidae
SocketToMe: http://digi.ninja/projects/sockettome.php
Project GameOver: http://null.co.in/2012/06/14/gameover-we...g-platform
OWASP Vicnum Project: https://sourceforge.net/projects/vicnum & http://vicnum.ciphertechs.com
Hackademic Challenges: http://www.hackademic.eu


Vulnerable Operating System Installations:
Damn Vulnerable Linux: http://sourceforge.net/projects/virtualh...les/os/dvl & http://www.damnvulnerablelinux.org
Metasploitable: http://sourceforge.net/projects/virtualh...sploitable & https://sourceforge.net/projects/metasploitable
LAMPSecurity: http://sourceforge.net/projects/lampsecurity
UltimateLAMP: http://www.amanhardikar.com/mindmaps/pra...links.html & http://ronaldbradford.com/tmp/UltimateLAMP-0.2.zip
heorot: DE-ICE, hackerdemia http://hackingdojo.com/downloads/iso/De-ICE_S1.100.iso
DE-ICE, hackerdemia: http://hackingdojo.com/downloads/iso/De-ICE_S1.110.iso
DE-ICE, hackerdemia: http://hackingdojo.com/downloads/iso/De-ICE_S1.120.iso
DE-ICE, hackerdemia: http://hackingdojo.com/downloads/iso/De-ICE_S2.100.iso
DE-ICE, hackerdemia: http://hackingdojo.com/downloads/iso/De-ICE_S1.123.iso
De-ICE HackerPedia PenTest LiveCDs http://de-ice.net/hackerpedia/index.php/...Test_Disks
pWnOS: http://www.pwnos.com & http://www.krash.in/bond00/pWnOS%20v1.0.zip & http://www.backtrack-linux.org/forums/ba...pwnos.html
Holynix: http://sourceforge.net/projects/holynix/files & http://pynstrom.net/index.php?page=holynix.php
Kioptrix: http://www.kioptrix.com/blog/?page_id=135
exploit-exercises – nebula, protostar, fusion: http://exploit-exercises.com/download
PenTest Laboratory: http://pentestlab.org/lab-in-a-box
RebootUser Vulnix: http://www.rebootuser.com/?page_id=1041
neutronstar: http://neutronstar.org/goatselinux.html
scriptjunkie.us: http://www.scriptjunkie.us/2012/04/the-hacker-games
21LTR: http://21ltr.com/scenes
SecGame # 1 Sauron: http://sg6-labs.blogspot.co.uk/2007/12/s...auron.html
Pentester Lab: https://www.pentesterlab.com/exercises
Vulnserver: http://www.thegreycorner.com/2010/12/int...erver.html
TurnKey Linux: http://www.turnkeylinux.org
Bitnami: https://bitnami.com/stacks
Elastic Server: http://elasticserver.com
CentOS: http://www.centos.org
Katana: http://www.hackfromacave.com/katana.html
Virtual Hacking Lab: http://sourceforge.net/projects/virtualhacking/files
Hacking-Lab: http://www.hacking-lab.com/hl_livecd


Vendor demo Sites to run security testing software against:
Acunetix acuforum: http://testasp.vulnweb.com
Acunetix acublog: http://testaspnet.vulnweb.com
Acunetix acuart: http://testphp.vulnweb.com
Cenzic crackmebank: http://crackme.cenzic.com
HP freebank: http://zero.webappsecurity.com
IBM altoromutual: http://demo.testfire.net
Mavituna testsparker: http://aspnet.testsparker.com
Mavituna testsparker: http://php.testsparker.com
NTOSpider Test Site: http://www.webscantest.com


Sites for Downloading Older Versions of Various Software to Practice Exploiting:
Old Version: http://www.oldversion.com
Old Apps: http://www.oldapps.com
VirtualHacking Repo: http://sourceforge.net/projects/virtualh...0realworld
Huge collection of old/obscure web browsers https://browsers.evolt.org/
The X2 MS-DOS Programming Archive http://ftp.lanet.lv/ftp/mirror/x2ftp/msd...index.html
bbLean old Blackbox Windows 7

Mobile Apps:
ExploitMe Mobile Android Labs: http://securitycompass.github.io/AndroidLabs
ExploitMe Mobile iPhone Labs: http://securitycompass.github.io/iPhoneLabs
OWASP iGoat: http://code.google.com/p/owasp-igoat
OWASP Goatdroid: https://github.com/jackMannino/OWASP-GoatDroid-Project
Damn Vulnerable iOS App (DVIA): http://damnvulnerableiosapp.com
Damn Vulnerable Android App (DVAA): https://code.google.com/p/dvaa
Damn Vulnerable FirefoxOS Application (DVFA): https://github.com/pwnetrationguru/dvfa
NcN Wargame: http://noconname.org/evento/wargame
Hacme Bank Android: http://www.mcafee.com/us/downloads/free-...droid.aspx
InsecureBank: http://www.paladion.net/downloadapp.html

Miscellaneous:
VulnVPN: https://www.vulnhub.com/entry/hacklab-vulnvpn,49/
VulnVoIP: http://www.rebootuser.com/?page_id=1041
NETinVM: http://informatica.uv.es/~carlos/docencia/netinvm
GNS3: http://sourceforge.net/projects/gns-3
XAMPP: https://www.apachefriends.org/index.html

Site with content for attacking VAX: rare, tough machines
Vax/Ultrix-32M http://ftpmirror.your.org/pub/misc/unixarchive/
#2
you can add www.wechall.net to the list bro, this is also a really good resource for finding wargames.
#3
(06-10-2015, 02:37 PM)rootaccess Wrote: you can add www.wechall.net to the list bro, this is also a really good resource for finding wargames.

Good idea, updated the thread and added!
#4
How about https://www.securityoverride.org/? I am on there and have learned a lot from it.
#5
(06-10-2015, 05:09 PM)Cryptography Wrote: How about https://www.securityoverride.org/? I am on there and have learned a lot from it.

Yeah, I did a lot of challenges there as well, it's pretty good.
#6
I would recommend to add www.vulnhub.com to that list as well
#7
(06-10-2015, 05:09 PM)Cryptography Wrote: How about https://www.securityoverride.org/? I am on there and have learned a lot from it.
Sounds like a nice idea.

(06-11-2015, 11:22 AM)BillyTheSkid Wrote: I would recommend to add www.vulnhub.com to that list as well

I'll add it now!
#8
also fix the title man it says Wargams lol
#9
(06-15-2015, 11:29 AM)rootaccess Wrote: also fix the title man it says Wargams lol

Haha can't believe I missed that part, thanks for letting me know.
#10
Quote: http://3564020356.org/

Probably worth noting that this one is kinda riddle based at times and it's fairly old.

Old isn't always bad but in this case I think the 4th step you eventually get a 16bit binary, most systems now won't even run that now. So some of the challenges are a bit of a hassle to get through because of their age.

And to add a few more to the list:

http://pwnable.kr - Came across this pretty recently, all binary stuff at various levels. Pretty solid challenges and more accessible than overthewire or smashthestack.

https://microcorruption.com - This one is pretty cool as it takes place in your browser but you're doing low-level memory attacks. It's targeted at those with little experience in the realm and though it doesn't exactly hold your hand, it's a very nice way to learn about low-level attacks and getting used to working with a debugger.

http://www.bright-shadows.net - All sorts of challenges on here from Javascript and Web exploits to Stegano and Logic problems.

http://hellboundhackers.org - Like hackthissite they have a similar challenge setup.

http://real-forensic.com - This is more on the forensics side of things, but still a useful skill and afaik nothing really like it out there.