[Links] Resources - Wargames and Hacking Challenges
#1

Here's a handful of links to useful hacking resources, useful if you want to test and improve your skills, yet avoid law enforcement.

Wargames:

http://overthewire.org/wargames/

https://www.pentesterlab.com/

http://www.itsecgames.com/

https://exploit-exercises.com/

http://www.enigmagroup.org/

http://smashthestack.org/

http://3564020356.org/ (Note: Riddle-based and fairly old. Some challenges can be a hassle due to old age)

http://www.hackthissite.org/

http://www.hackertest.net/

http://www.wechall.net

https://www.securityoverride.org/

http://www.vulnhub.com/

https://hackthebox.eu (Send me a PM if you need invite)

https://game.hacker.nz/ (Scada Hackme)

dropzone Wrote: http://pwnable.kr - Came across this pretty recently, all binary stuff at various levels. Pretty solid challenges and more accessible than overthewire or smashthestack.

https://microcorruption.com - This one is pretty cool as it takes place in your browser but you're doing low-level memory attacks. It's targeted at those with little experience in the realm and though it doesn't exactly hold your hand, it's a very nice way to learn about low-level attacks and getting used to working with a debugger.

http://www.bright-shadows.net - All sorts of challenges on here from Javascript and Web exploits to Stegano and Logic problems.

http://hellboundhackers.org - Like hackthissite they have a similar challenge setup.

http://real-forensic.com - This is more on the forensics side of things, but still a useful skill and afaik nothing really like it out there.

- 2020-04-38: Added new section. Credits to /cyb/sec/ community on 4chan/g/

CTFs/Practice Boxes(VMs)/War Games, etc.
NeverendingSecurity has a year-long training plan for working through a massive list of practice boxes/wargames/CTFs at his site (link below); though it is from 2015 & a few of the CTF/Practice Boxes/War Games listed there are gone, his post/plan is rock solid & includes a Mind Map PNG as a visual guide (that mind map was attached to my first Twitter post of this updated archive on 6/9/2019).

PLEASE NOTE: The resources from the NeverendingSecurity's post (linked directly below) have already been added to this section's list ("CTFs/Practice Boxes (VMs)/War Games, etc.") with as many defunct entries removed as possible.

NeverendingSecurity's Penetration Testing Practice Lab - Vulnerable Apps / Systems https://neverendingsecurity.wordpress.co...ones-tabs/
NeverendingSecurity's Mind Map PNG for the material linked above - https://www.amanhardikar.com/mindmaps/Practice.png

Vulnerable Web Applications:
OWASP BWA: http://code.google.com/p/owaspbwa
OWASP Hackademic: http://hackademic1.teilar.gr
OWASP SiteGenerator: https://www.owasp.org/index.php/Owasp_SiteGenerator
OWASP Bricks: http://sourceforge.net/projects/owaspbricks & http://sechow.com/bricks
OWASP Security Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
Damn Vulnerable Web App (DVWA): http://www.dvwa.co.uk
Damn Vulnerable Web Services (DVWS): http://dvws.professionallyevil.com
WebGoat.NET: https://github.com/jerryhoff/WebGoat.NET
PentesterLab: https://pentesterlab.com
Butterfly Security Project: http://thebutterflytmp.sourceforge.net
LAMPSecurity: http://sourceforge.net/projects/lampsecurity
Moth: http://www.bonsai-sec.com/en/research/moth.php
WackoPicko: https://github.com/adamdoupe/WackoPicko & http://cs.ucsb.edu/~adoupe/static/black-...va2010.pdf
BadStore: http://www.badstore.net
WebSecurity Dojo: http://www.mavensecurity.com/web_security_dojo
BodgeIt Store: http://code.google.com/p/bodgeit
hackxor: http://hackxor.sourceforge.net/cgi-bin/index.pl
SecuriBench: http://suif.stanford.edu/~livshits/securibench
SQLol: https://github.com/SpiderLabs/SQLol
CryptOMG: https://github.com/SpiderLabs/CryptOMG
XMLmao: https://github.com/SpiderLabs/XMLmao
Exploit KB Vulnerable Web App: http://exploit.co.il/projects/vuln-web-app & http://sourceforge.net/projects/exploitcoilvuln
PHDays iBank CTF: http://blog.phdays.com/2012/05/once-agai...nking.html
GameOver: http://sourceforge.net/projects/null-gameover
Zap WAVE: http://code.google.com/p/zaproxy/downloa...ve-0.1.zip
PuzzleMall: http://code.google.com/p/puzzlemall
VulnApp: http://www.nth-dimension.org.uk/blog.php?id=88
sqli-labs: https://github.com/Audi-1/sqli-labs
bWAPP: http://www.mmeit.be/bwapp & http://sourceforge.net/projects/bwapp/files/bee-box & http://www.itsecgames.com
NOWASP / Mutillidae 2: http://sourceforge.net/projects/mutillidae
SocketToMe: http://digi.ninja/projects/sockettome.php
Project GameOver: http://null.co.in/2012/06/14/gameover-we...g-platform
OWASP Vicnum Project: https://sourceforge.net/projects/vicnum & http://vicnum.ciphertechs.com
Hackademic Challenges: http://www.hackademic.eu


Vulnerable Operating System Installations:
Damn Vulnerable Linux: http://sourceforge.net/projects/virtualh...les/os/dvl & http://www.damnvulnerablelinux.org
Metasploitable: http://sourceforge.net/projects/virtualh...sploitable & https://sourceforge.net/projects/metasploitable
LAMPSecurity: http://sourceforge.net/projects/lampsecurity
UltimateLAMP: http://www.amanhardikar.com/mindmaps/pra...links.html & http://ronaldbradford.com/tmp/UltimateLAMP-0.2.zip
heorot: DE-ICE, hackerdemia http://hackingdojo.com/downloads/iso/De-ICE_S1.100.iso
DE-ICE, hackerdemia: http://hackingdojo.com/downloads/iso/De-ICE_S1.110.iso
DE-ICE, hackerdemia: http://hackingdojo.com/downloads/iso/De-ICE_S1.120.iso
DE-ICE, hackerdemia: http://hackingdojo.com/downloads/iso/De-ICE_S2.100.iso
DE-ICE, hackerdemia: http://hackingdojo.com/downloads/iso/De-ICE_S1.123.iso
De-ICE HackerPedia PenTest LiveCDs http://de-ice.net/hackerpedia/index.php/...Test_Disks
pWnOS: http://www.pwnos.com & http://www.krash.in/bond00/pWnOS%20v1.0.zip & http://www.backtrack-linux.org/forums/ba...pwnos.html
Holynix: http://sourceforge.net/projects/holynix/files & http://pynstrom.net/index.php?page=holynix.php
Kioptrix: http://www.kioptrix.com/blog/?page_id=135
exploit-exercises – nebula, protostar, fusion: http://exploit-exercises.com/download
PenTest Laboratory: http://pentestlab.org/lab-in-a-box
RebootUser Vulnix: http://www.rebootuser.com/?page_id=1041
neutronstar: http://neutronstar.org/goatselinux.html
scriptjunkie.us: http://www.scriptjunkie.us/2012/04/the-hacker-games
21LTR: http://21ltr.com/scenes
SecGame # 1 Sauron: http://sg6-labs.blogspot.co.uk/2007/12/s...auron.html
Pentester Lab: https://www.pentesterlab.com/exercises
Vulnserver: http://www.thegreycorner.com/2010/12/int...erver.html
TurnKey Linux: http://www.turnkeylinux.org
Bitnami: https://bitnami.com/stacks
Elastic Server: http://elasticserver.com
CentOS: http://www.centos.org
Katana: http://www.hackfromacave.com/katana.html
Virtual Hacking Lab: http://sourceforge.net/projects/virtualhacking/files
Hacking-Lab: http://www.hacking-lab.com/hl_livecd


Vendor demo Sites to run security testing software against:
Acunetix acuforum: http://testasp.vulnweb.com
Acunetix acublog: http://testaspnet.vulnweb.com
Acunetix acuart: http://testphp.vulnweb.com
Cenzic crackmebank: http://crackme.cenzic.com
HP freebank: http://zero.webappsecurity.com
IBM altoromutual: http://demo.testfire.net
Mavituna testsparker: http://aspnet.testsparker.com
Mavituna testsparker: http://php.testsparker.com
NTOSpider Test Site: http://www.webscantest.com


Sites for Downloading Older Versions of Various Software to Practice Exploiting:
Old Version: http://www.oldversion.com
Old Apps: http://www.oldapps.com
VirtualHacking Repo: http://sourceforge.net/projects/virtualh...0realworld
Huge collection of old/obscure web browsers https://browsers.evolt.org/
The X2 MS-DOS Programming Archive http://ftp.lanet.lv/ftp/mirror/x2ftp/msd...index.html
bbLean old Blackbox Windows 7

Mobile Apps:
ExploitMe Mobile Android Labs: http://securitycompass.github.io/AndroidLabs
ExploitMe Mobile iPhone Labs: http://securitycompass.github.io/iPhoneLabs
OWASP iGoat: http://code.google.com/p/owasp-igoat
OWASP Goatdroid: https://github.com/jackMannino/OWASP-GoatDroid-Project
Damn Vulnerable iOS App (DVIA): http://damnvulnerableiosapp.com
Damn Vulnerable Android App (DVAA): https://code.google.com/p/dvaa
Damn Vulnerable FirefoxOS Application (DVFA): https://github.com/pwnetrationguru/dvfa
NcN Wargame: http://noconname.org/evento/wargame
Hacme Bank Android: http://www.mcafee.com/us/downloads/free-...droid.aspx
InsecureBank: http://www.paladion.net/downloadapp.html

Miscellaneous:
VulnVPN: https://www.vulnhub.com/entry/hacklab-vulnvpn,49/
VulnVoIP: http://www.rebootuser.com/?page_id=1041
NETinVM: http://informatica.uv.es/~carlos/docencia/netinvm
GNS3: http://sourceforge.net/projects/gns-3
XAMPP: https://www.apachefriends.org/index.html

Site with content for attacking VAX: rare, tough machines
Vax/Ultrix-32M http://ftpmirror.your.org/pub/misc/unixarchive/

Update 2022:

Machines that are vulnerable by design
Machines that are vulnerable by design for training purposes.

Web Applications

Web Application: https://github.com/ethicalhack3r/DVWA

Web Applications: https://github.com/s4n7h0/xvwa

Word Press: https://github.com/vianasw/dvwps

Node JS: https://github.com/appsecco/dvna

Web Sockets: https://hub.docker.com/r/tssoffsec/dvws/

Python: https://github.com/anxolerd/dvpwa

Multiple vulnerable webapps: https://www.vulnhub.com/entry/lab26-11%2C190/

OWASP Juice Shop: https://github.com/bkimminich/juice-shop

Ruby: https://github.com/cktricky/railsgoat

Lesser Known Web Attack Lab: https://github.com/weev3/LKWA

Over 50+ examples of vulnerabilities and guides for specific attacks: https://github.com/blabla1337/skf-labs

Web Service Applications

Web Service: https://github.com/snoopysecurity/dvws

API: https://github.com/payatu/Tiredful-API/

API: https://github.com/OWASP/crAPI

websheep - API: https://github.com/marmicode/websheep

SSO: https://github.com/0xbharath/vulnerable-sso

Hadoop: https://github.com/wavestone-cdt/hadoop-...nvironment

GraphQL: https://github.com/david3107/graphql-security-labs

Source Code

Source Code: https://github.com/h4x0r101/Damn-Vulnerable-Source-Code

Damn Vulnerable C Program: https://github.com/hardik05/Damn_Vulnerable_C_Program

Thick Client

Thick Client Application: https://github.com/secvulture/dvta

Java EE: https://github.com/appsecco/dvja

NetSPI BetaFast: https://github.com/NetSPI/BetaFast

Mobile Application

iOS Swift: https://github.com/prateek147/DVIA-v2

iOS: https://github.com/prateek147/DVIA

Android: https://github.com/payatu/diva-android

Android: https://hakin9.org/evabs-extremely-vulne...roid-labs/

Hybrid Mobile Application: https://github.com/logicalhacking/DVHMA

iOS CTF: https://ivrodriguez.com/mobile-ctf/

iOS iGoat: https://github.com/OWASP/igoat

Crypto & Block Chain

Crypto Wallet : https://gitlab.com/badbounty/dvcw

Wallet : https://github.com/genecyber/Damn-Vulnerable-Wallet-App

Block Chain : https://github.com/subashsn/dvba

CryptOMG: https://github.com/SpiderLabs/CryptOMG/b...README.txt

OS Related

Linux : https://www.vulnhub.com/series/damn-vuln...nux-dvl,1/

Linux PrivEsc : https://in.security/lin-security-practis...ation-foo/

Windows : https://sourceforge.net/projects/dawn-vu...y-windows/

Device Driver : https://github.com/pwk4m1/Damn_Vulnerable_Device_Driver

Breakout: https://github.com/FuzzySecurity/DefCon24

Memory

MemLabs: https://github.com/stuxnet999/MemLabs/bl.../README.md

Cloud Infrastructure

Cloud Application: https://github.com/m6a-UdS/dvca

Cloud App (AWS): https://github.com/RhinoSecurityLabs/cloudgoat

Function-as-a-service (AWS Lambda): https://github.com/we45/DVFaaS-Damn-Vuln...-a-Service

Serverless Application: https://github.com/OWASP/DVSA

Kubernetes: https://www.bustakube.com/

Kubernetes Goat: https://github.com/madhuakula/kubernetes-goat

CloudGoat 2 (AWS): https://github.com/RhinoSecurityLabs/cloudgoat

GCP Goat: https://gcpgoat.joshuajebaraj.com/about.html

IoT and Hardware

IoT: https://github.com/Vulcainreo/DVID

Router: https://github.com/praetorian-code/DVRF

Safe: https://insinuator.net/2016/01/damn-vulnerable-safe/

ICS: https://github.com/ITI/ICS-Security-Tool...simulation

SCADA: https://www.slideshare.net/phdays/damn-v...al-process

PI: https://whitedome.com.au/re4son/sticky-fingers-dv-pi/

PI2: http://raspwn.org/

SS7 Network: https://www.blackhat.com/asia-17/arsenal...s7-network

VoIP: https://www.vulnhub.com/entry/hacklab-vulnvoip,40/

WiFi: https://github.com/sensepost/shinai-fi

WiFi2: http://solstice.sh/workshops/advanced-wireless-attacks/

Bluetooth: https://github.com/hackgnar/ble_ctf/blob.../README.md

Cracking passwords

in.security: https://in.security/password-cracking-ctf/

Other

https://www.amanhardikar.com/mindmaps/Practice.html

https://github.com/WazeHell/vulnerable-AD

More

Juice Shop
https://owasp.org/www-project-juice-shop/
https://github.com/bkimminich/juice-shop
https://bkimminich.gitbooks.io/pwning-ow...p/content/

Damn Vulnerable Bank
https://rewanthtammana.com/damn-vulnerab...index.html


API Hacking Exercises

Let's build an API to hack - Part 1: The basics
https://hackxpert.com/blog/API-Hacking-E...46b7e.html

Let's build an API to hack - Part 2: Faking it before breaking it
https://hackxpert.com/blog/API-Hacking-E...c473d.html

Let's build an API to hack - Part 3: Information disclosure
https://hackxpert.com/blog/API-Hacking-E...41449.html

Let's build an API to hack - Part 4: Business logic flaw
https://hackxpert.com/blog/API-Hacking-E...7772a.html

Let's build an API to hack - Part 5: Emulating wonky login systems to get broken authentication issues and injection flaws
https://hackxpert.com/blog/API-Hacking-E...5ecdb.html

API roulette - Name the issues
https://hackxpert.com/blog/API-Hacking-E...2b1f0.html
#2
you can add www.wechall.net to the list bro, this is also a really good resource for finding wargames.
#3
(06-10-2015, 02:37 PM)rootaccess Wrote: you can add www.wechall.net to the list bro, this is also a really good resource for finding wargames.

Good idea, updated the thread and added!
#4
How about https://www.securityoverride.org/? I am on there and have learned a lot from it.
#5
(06-10-2015, 05:09 PM)Cryptography Wrote: How about https://www.securityoverride.org/? I am on there and have learned a lot from it.

yea i did a lot of challenges there as well, it's pretty good.
#6
I would recommend to add www.vulnhub.com to that list as well
#7
(06-10-2015, 05:09 PM)Cryptography Wrote: How about https://www.securityoverride.org/? I am on there and have learned a lot from it.
Sounds like a nice idea.

(06-11-2015, 11:22 AM)BillyTheSkid Wrote: I would recommend to add www.vulnhub.com to that list as well

I'll add it now!
#8
also fix the title man it says Wargams lol
#9
(06-15-2015, 11:29 AM)rootaccess Wrote: also fix the title man it says Wargams lol

Haha can't believe I missed that part, thanks for letting me know.
#10
Quote: http://3564020356.org/

Probably worth noting that this one is kinda riddle based at times and it's fairly old.

Old isn't always bad but in this case I think the 4th step you eventually get a 16bit binary, most systems now won't even run that now. So some of the challenges are a bit of a hassle to get through because of their age.

And to add a few more to the list:

http://pwnable.kr - Came across this pretty recently, all binary stuff at various levels. Pretty solid challenges and more accessible than overthewire or smashthestack.

https://microcorruption.com - This one is pretty cool as it takes place in your browser but you're doing low-level memory attacks. It's targeted at those with little experience in the realm and though it doesn't exactly hold your hand, it's a very nice way to learn about low-level attacks and getting used to working with a debugger.

http://www.bright-shadows.net - All sorts of challenges on here from Javascript and Web exploits to Stegano and Logic problems.

http://hellboundhackers.org - Like hackthissite they have a similar challenge setup.

http://real-forensic.com - This is more on the forensics side of things, but still a useful skill and afaik nothing really like it out there.