Beginner

Vulnerable Virtual Machines

Downloadable vulnerable VMs to practice exploitation techniques locally. Perfect for offline learning and building foundational skills.

Getting Started

Use VirtualBox or VMware to run these VMs. Put target VMs on a Host-Only or Internal network so they are isolated from your main network. Plain NAT and NAT Network still give the guest outbound internet access, so reserve them for the attacker VM when it needs package updates (give it a second adapter on the same Host-Only network for the lab), and never use them on targets. Never connect vulnerable VMs to the internet.

Image Freshness And Integrity

Prefer current official downloads, verify checksums when provided, and snapshot before first boot. If a VM is unmaintained or ships an end-of-life operating system, keep it host-only and use it only for legacy technique practice.

Lab Runbook

Use this page as a controlled lab build, not a production hardening guide. Validate isolation before running exercises and write down the cleanup command before starting.

Risk: Medium. Level: Beginner. Time: 30-90 min.

Plan

RAM: 4-12 GB. Disk: 40-120 GB. Cost: free. Isolation: Host-only or internal network; never bridged to the home LAN.

Build

  • Target inventory
  • Known IP plan
  • Connectivity from Kali

Validate

  • Kali and target share only the lab network
  • Nmap sees expected services
  • Snapshots exist before exploitation

Exercise

Run only the exercises tied to this lab and save screenshots, command output, logs, and timestamps outside disposable VMs.

Clean Up

  • Revert target snapshots after compromise
  • Delete stale OVAs from downloads
  • Document any custom target changes
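The Validate step above is easy to skip and hard to eyeball. The script below is an added example for this page, not part of any project: it turns the three checkpoints (lab-network only, expected services open, snapshot present) into functions that read VBoxManage and nmap output on stdin, so each check can be run against captured output offline and against a live VM with arguments. The VM name, target IP and port list in the usage comment are assumptions.

```bash
#!/usr/bin/env bash
# lab_check.sh: pre-exercise isolation check for a VirtualBox target VM.
# Added example; VM name, IP and ports in the usage comment are assumptions.
set -u

# Adapter modes a target VM may use. "bridged" puts it on the LAN and
# "nat"/"natnetwork" give it outbound internet access, so only these pass.
ALLOWED_TARGET_MODES="hostonly intnet"

# stdin: `VBoxManage showvminfo <vm> --machinereadable`
# stdout: "nicN mode" for each attached adapter (mode "none" is skipped)
nic_modes() {
  sed -n 's/^\(nic[0-9]*\)="\([^"]*\)"$/\1 \2/p' | awk '$2 != "none"'
}

# stdin: as nic_modes. Prints adapters outside ALLOWED_TARGET_MODES;
# exit 0 when every adapter is allowed, 1 otherwise.
forbidden_nics() {
  nic_modes | awk -v allowed=" $ALLOWED_TARGET_MODES " '
    index(allowed, " " $2 " ") == 0 { print; bad = 1 }
    END { exit bad }'
}

# stdin: `VBoxManage snapshot <vm> list --machinereadable`
# stdout: number of snapshots (0 when VirtualBox reports none)
snapshot_count() {
  grep -c '^SnapshotName=' || true
}

# stdin: `nmap -oG - <ip>` (grepable output); args: expected open TCP ports.
# Prints each expected port that is not open; exit 0 only when all are open.
missing_ports() {
  open=$(sed -n 's/.*Ports: //p' | tr ',' '\n' |
         awk -F/ '$2 == "open" { print $1 }' | tr -d ' ')
  missing=0
  for p in "$@"; do
    printf '%s\n' "$open" | grep -qx "$p" || { echo "$p"; missing=1; }
  done
  return $missing
}

# Run all three checks against a live VM. usage: lab_check <vm> <ip> <port>...
lab_check() {
  vm=$1; ip=$2; shift 2
  if ! VBoxManage showvminfo "$vm" --machinereadable | forbidden_nics; then
    echo "FAIL: $vm has adapters outside '$ALLOWED_TARGET_MODES' (listed above)"; return 1
  fi
  if [ "$(VBoxManage snapshot "$vm" list --machinereadable | snapshot_count)" -eq 0 ]; then
    echo "FAIL: no snapshot; run: VBoxManage snapshot $vm take clean-before-exploit"; return 1
  fi
  if ! nmap -Pn -p "$(IFS=,; echo "$*")" -oG - "$ip" | missing_ports "$@"; then
    echo "FAIL: expected services listed above are not open on $ip"; return 1
  fi
  echo "OK: $vm is isolated, snapshotted and exposes the expected ports"
}

# Only drive the live tools when called with arguments, e.g.
#   bash lab_check.sh metasploitable2 192.168.56.101 21 22 80
if [ $# -ge 3 ]; then
  lab_check "$@"
fi
```

The adapter check is deliberately an allow-list: a new VirtualBox mode (or a typo in a saved VM config) fails closed instead of slipping through. If you use VMware instead, swap the two VBoxManage calls for vmrun or a read of the .vmx file; the parsing functions do not care where the text came from.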

Web Application Practice

DVWA

Beginner

Damn Vulnerable Web Application - PHP/MySQL app with multiple security levels.

  • ✓ SQL Injection
  • ✓ XSS (Reflected, Stored, DOM)
  • ✓ Command Injection
  • ✓ File Upload
  • ✓ CSRF
  • ✓ Brute Force
bash
docker run --rm -it -p 127.0.0.1:8081:80 vulnerables/web-dvwa
GitHub →

bWAPP

Beginner

Buggy Web Application - Over 100 web vulnerabilities to exploit.

  • ✓ OWASP Top 10 coverage
  • ✓ 100+ vulnerabilities
  • ✓ API Security issues
  • ✓ XML/XXE attacks
bash
docker run -d -p 127.0.0.1:8082:80 raesene/bwapp
itsecgames.com →

OWASP WebGoat

Intermediate

Java-based vulnerable app with guided lessons for each vulnerability type.

  • ✓ Guided lessons
  • ✓ Modern vulnerabilities
  • ✓ JWT attacks
  • ✓ Client-side security
bash
docker run -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 webgoat/webgoat
OWASP WebGoat →

OWASP Juice Shop

Intermediate

Modern Node.js app with 100+ challenges covering OWASP Top 10 and beyond.

  • ✓ CTF-style challenges
  • ✓ Score tracking
  • ✓ Modern tech stack
  • ✓ API + SPA vulnerabilities
bash
docker run --rm -p 127.0.0.1:3000:3000 bkimminich/juice-shop
OWASP Juice Shop →

Network & System Exploitation

Metasploitable 2

Legacy

Classic vulnerable Linux VM for learning fundamentals. Treat it as legacy practice, not a model for modern enterprise exposure.

  • ✓ Vulnerable services
  • ✓ Weak configurations
  • ✓ Metasploit modules
  • ✓ Privilege escalation
Download from SourceForge →

Metasploitable 3

Legacy

Windows and Linux VMs with useful practice paths, but old operating systems and provisioning assumptions.

  • ✓ Windows Server 2008 R2
  • ✓ Ubuntu 14.04
  • ✓ CTF-style flags
  • ✓ Vagrant provisioning
GitHub →

VulnHub VMs

Various

Hundreds of community-created vulnerable VMs, many with walkthroughs available.

  • ✓ Kioptrix series (beginner)
  • ✓ Mr. Robot (intermediate)
  • ✓ Stapler (intermediate)
  • ✓ Brainpan series (advanced)
vulnhub.com →

HackTheBox Retired

Various

Retired HTB machines stay playable over the HTB VPN with a VIP subscription and come with official walkthroughs. HTB does not distribute machine images, so this is online practice rather than a VM you download.

  • ✓ Real-world scenarios
  • ✓ Official walkthroughs
  • ✓ Windows & Linux
  • ✓ Various difficulties
hackthebox.com →

HackMyVM

Various

Free community-driven platform with actively maintained VMs, flag submission, and leaderboards. The modern alternative to VulnHub.

  • ✓ Actively maintained (new VMs weekly)
  • ✓ Flag submission & scoring
  • ✓ Difficulty ratings
  • ✓ Walkthroughs available
hackmyvm.eu →

Proving Grounds

Various

OffSec's official practice platform. PG Play is free with community VMs. PG Practice for OSCP prep.

  • ✓ PG Play (free tier)
  • ✓ PG Practice (paid, OSCP-like)
  • ✓ Community & OffSec-made machines
  • ✓ Windows & Linux targets
offsec.com/labs →

Quick Setup Script

Launch multiple vulnerable apps using Docker Compose:

yaml
# docker-compose.yml for vulnerable lab
services:
  dvwa:
    image: vulnerables/web-dvwa
    ports:
      - "127.0.0.1:8081:80"
    
  juice-shop:
    image: bkimminich/juice-shop
    ports:
      - "127.0.0.1:3000:3000"
    
  webgoat:
    image: webgoat/webgoat
    ports:
      - "127.0.0.1:8080:8080"
      - "127.0.0.1:9090:9090"
    
  bwapp:
    image: raesene/bwapp
    ports:
      - "127.0.0.1:8082:80"

# Run with: docker compose up -d
# Verify:  curl -s http://localhost:3000 | head -5

Troubleshooting FAQ

Can't reach vulnerable VM from Kali
  • Both VMs need an adapter on the same Host-Only or Internal network
  • Check IPs: ip addr on both machines
  • Try pinging from each direction to isolate the issue
  • VirtualBox: plain "NAT" isolates each VM from the others; if you use NAT at all, pick "NAT Network", and remember it still routes guests to the internet
VulnHub OVA import failing
  • Try importing with "Import Appliance" not drag-and-drop
  • If checksums fail, re-download the OVA
  • Some OVAs are VMware-only. An OVA is a tar archive: extract it, then convert the VMDK with qemu-img convert -O vdi
  • VirtualBox: uncheck "Import hard drives as VDI" if import fails
Docker container crashes immediately
  • Check logs: docker logs container_name
  • Port already in use: change the host port but keep the loopback bind (-p 127.0.0.1:9080:80)
  • Out of disk: docker system df and docker system prune
  • Architecture mismatch on Apple Silicon: add --platform linux/amd64

Operational Safety Baseline

Apply these rules before running any lab command on this page.

  • Work only on systems you own or have explicit authorization to test.
  • Keep vulnerable services off your home LAN and off public interfaces.
  • Take clean snapshots before every exercise and before every vulnerable configuration change.
  • Use dedicated cloud accounts, subscriptions, and projects with billing alerts before deployment.
  • Write down the teardown command before you run the setup command.

Validation Checkpoints

  • Kali and target share only the lab network
  • Nmap sees expected services
  • Snapshots exist before exploitation

Cleanup And Rollback

  • Revert target snapshots after compromise
  • Delete stale OVAs from downloads
  • Document any custom target changes