🌱 Beginner

Vulnerable Virtual Machines

Downloadable vulnerable VMs to practice exploitation techniques locally. Perfect for offline learning and building foundational skills.

Getting Started

Run these VMs in VirtualBox or VMware with the network adapter set to Host-Only (or an internal network) so the VM can talk only to your host and to other lab VMs. NAT works for a quick start, but note what it actually does: it blocks inbound connections from your LAN while still giving the VM outbound internet access. Never bridge a vulnerable VM onto your real network, and never expose one to the internet. The same rule applies to the Docker images below: -p 80:80 publishes the port on every interface of the host, so on a shared network write -p 127.0.0.1:80:80 to keep the app on loopback.

Web Application Practice

DVWA

Beginner

Damn Vulnerable Web Application - PHP/MySQL app with a selectable security level (Low, Medium, High, Impossible) for each vulnerability, so you can compare a broken implementation with progressively better fixes. Log in as admin / password and click "Create / Reset Database" before starting.

  • ✓ SQL Injection
  • ✓ XSS (Reflected, Stored, DOM)
  • ✓ Command Injection
  • ✓ File Upload
  • ✓ CSRF
  • ✓ Brute Force
bash
docker run --rm -it -p 127.0.0.1:80:80 vulnerables/web-dvwa
GitHub →

bWAPP

Beginner

Buggy Web Application - PHP/MySQL app with over 100 web vulnerabilities to exploit. Open /install.php once to create the database, then log in as bee / bug.

  • ✓ OWASP Top 10 coverage
  • ✓ 100+ vulnerabilities
  • ✓ API Security issues
  • ✓ XML/XXE attacks
bash
docker run -d -p 127.0.0.1:80:80 raesene/bwapp
itsecgames.com →

OWASP WebGoat

Intermediate

Java-based vulnerable app with guided lessons for each vulnerability type. The companion WebWolf service on port 9090 receives the e-mails and callbacks that several lessons depend on. Open http://localhost:8080/WebGoat and register an account.

  • ✓ Guided lessons
  • ✓ Modern vulnerabilities
  • ✓ JWT attacks
  • ✓ Client-side security
bash
docker run -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 webgoat/webgoat
OWASP WebGoat →

OWASP Juice Shop

Intermediate

Modern Node.js/Angular app with 100+ challenges covering the OWASP Top 10 and beyond. Finding the hidden score board is itself one of the first challenges.

  • ✓ CTF-style challenges
  • ✓ Score tracking
  • ✓ Modern tech stack
  • ✓ API + SPA vulnerabilities
bash
docker run --rm -p 127.0.0.1:3000:3000 bkimminich/juice-shop
OWASP Juice Shop →

Network & System Exploitation

Metasploitable 2

Beginner

Classic intentionally vulnerable Ubuntu 8.04 VM (released 2012) for learning Metasploit and basic exploitation. Default login is msfadmin / msfadmin.

  • ✓ Vulnerable services
  • ✓ Weak configurations
  • ✓ Metasploit modules
  • ✓ Privilege escalation
Download from SourceForge →

Metasploitable 3

Intermediate

Windows Server 2008 R2 and Ubuntu 14.04 VMs with more modern vulnerabilities and flags to find. The images are built locally with Packer and Vagrant rather than downloaded ready-made.

  • ✓ Windows Server 2008 R2
  • ✓ Ubuntu 14.04
  • ✓ CTF-style flags
  • ✓ Vagrant provisioning
GitHub →

VulnHub VMs

Various

Hundreds of community-created vulnerable VMs, many with walkthroughs available.

  • ✓ Kioptrix series (beginner)
  • ✓ Mr. Robot (intermediate)
  • ✓ Stapler (intermediate)
  • ✓ Brainpan series (advanced)
vulnhub.com →

HackTheBox Retired

Various

Retired HTB machines remain available to VIP subscribers on the HackTheBox platform, reached over the HTB VPN; they are not offered as downloadable VM images.

  • ✓ Real-world scenarios
  • ✓ Official walkthroughs
  • ✓ Windows & Linux
  • ✓ Various difficulties
hackthebox.com →

Quick Setup Script

Launch several vulnerable apps at once with Docker Compose. DVWA and bWAPP are remapped to host ports 8081 and 8082 so they do not both claim port 80, and every port is pinned to 127.0.0.1 so nothing is reachable from outside the host:

yaml
# docker-compose.yml for vulnerable lab
# Every mapping is pinned to 127.0.0.1: a bare "8081:80" would publish on all interfaces.
version: '3'
services:
  dvwa:
    image: vulnerables/web-dvwa
    ports:
      - "127.0.0.1:8081:80"

  juice-shop:
    image: bkimminich/juice-shop
    ports:
      - "127.0.0.1:3000:3000"

  webgoat:
    image: webgoat/webgoat
    ports:
      - "127.0.0.1:8080:8080"   # WebGoat lessons
      - "127.0.0.1:9090:9090"   # WebWolf (mail/callback receiver)

  bwapp:
    image: raesene/bwapp
    ports:
      - "127.0.0.1:8082:80"

# Run with: docker compose up -d   (docker-compose up -d with the older v1 binary)
# Tear down with: docker compose down
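The isolation rule from Getting Started is easy to break by accident, because a Compose mapping written as "8081:80" publishes on every interface of the host. The POSIX shell script below is an added example, not part of the original page or of any project listed on it: it audits a compose file for such mappings and writes a copy with each one pinned to 127.0.0.1. The compose content embedded in it is constructed for the demonstration, and the function names unbound_ports, count_unbound_ports and pin_to_loopback are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit a docker-compose file for
# vulnerable-app ports published on all host interfaces and pin them to loopback.
# "8081:80" binds 0.0.0.0:8081; "127.0.0.1:8081:80" is reachable only from the host.

# A short-form host:container mapping with no bind address, e.g.
#   - "8081:80"    - 3000:3000    - "9090:9090/tcp"
# A loopback-pinned line has an extra colon-separated field and does not match.
UNBOUND_RE='^[[:space:]]*-[[:space:]]*"?[0-9]+:[0-9]+(/(tcp|udp))?"?[[:space:]]*$'

# Print each offending line with its line number; exit status 0 means some were found.
unbound_ports() {
    grep -nE "$UNBOUND_RE" "$1"
}

# Print the number of offending lines (0 when the file is clean).
count_unbound_ports() {
    grep -cE "$UNBOUND_RE" "$1" || true
}

# Write a copy of FILE ($1) to OUT ($2) with every unbound mapping pinned to 127.0.0.1.
# The original is left untouched so the two can be diffed before replacing it.
pin_to_loopback() {
    sed -E 's#^([[:space:]]*-[[:space:]]*)"?([0-9]+:[0-9]+(/(tcp|udp))?)"?([[:space:]]*)$#\1"127.0.0.1:\2"\5#' "$1" > "$2"
}

# Constructed sample: mirrors the lab compose file, with one mapping already pinned
# and one unquoted, to show what the audit does and does not flag.
SAMPLE_COMPOSE='services:
  dvwa:
    image: vulnerables/web-dvwa
    ports:
      - "8081:80"
  juice-shop:
    image: bkimminich/juice-shop
    ports:
      - 3000:3000
  webgoat:
    image: webgoat/webgoat
    ports:
      - "127.0.0.1:8080:8080"
      - "9090:9090/tcp"'

# Run the audit on the sample, then show the pinned copy.
demo() {
    tmp=$(mktemp) && fixed=$(mktemp)
    printf '%s\n' "$SAMPLE_COMPOSE" > "$tmp"
    echo "Ports published on all interfaces:"
    unbound_ports "$tmp" || echo "(none)"
    pin_to_loopback "$tmp" "$fixed"
    echo "After pinning: $(count_unbound_ports "$fixed") unbound mapping(s) remain"
    cat "$fixed"
    rm -f "$tmp" "$fixed"
}

demo
```

Against a real file, run unbound_ports docker-compose.yml before every docker compose up, and treat a non-empty result as a blocker. The script recognises only the short host:container form; long-form port entries (target: / published:) are not checked, and nothing here inspects what the containers themselves can reach, so keep the Host-Only rule for VMs regardless.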