🌱 Beginner

Vulnerable Virtual Machines

Downloadable vulnerable VMs to practice exploitation techniques locally. Perfect for offline learning and building foundational skills.

Getting Started

Use VirtualBox or VMware to run these VMs. Set network to Host-Only or NAT to isolate from your main network. Never connect vulnerable VMs to the internet.

Web Application Practice

DVWA

Beginner

Damn Vulnerable Web Application - PHP/MySQL app with multiple security levels.

  • ✓ SQL Injection
  • ✓ XSS (Reflected, Stored, DOM)
  • ✓ Command Injection
  • ✓ File Upload
  • ✓ CSRF
  • ✓ Brute Force
docker run --rm -it -p 80:80 vulnerables/web-dvwa
GitHub →

bWAPP

Beginner

Buggy Web Application - Over 100 web vulnerabilities to exploit.

  • ✓ OWASP Top 10 coverage
  • ✓ 100+ vulnerabilities
  • ✓ API Security issues
  • ✓ XML/XXE attacks
docker run -d -p 80:80 raesene/bwapp
itsecgames.com →

OWASP WebGoat

Intermediate

Java-based vulnerable app with guided lessons for each vulnerability type.

  • ✓ Guided lessons
  • ✓ Modern vulnerabilities
  • ✓ JWT attacks
  • ✓ Client-side security
docker run -p 8080:8080 -p 9090:9090 webgoat/webgoat
OWASP WebGoat →

OWASP Juice Shop

Intermediate

Modern Node.js app with 100+ challenges covering OWASP Top 10 and beyond.

  • ✓ CTF-style challenges
  • ✓ Score tracking
  • ✓ Modern tech stack
  • ✓ API + SPA vulnerabilities
docker run --rm -p 3000:3000 bkimminich/juice-shop
OWASP Juice Shop →

Network & System Exploitation

Metasploitable 2

Beginner

Classic vulnerable Linux VM for learning Metasploit and basic exploitation.

  • ✓ Vulnerable services
  • ✓ Weak configurations
  • ✓ Metasploit modules
  • ✓ Privilege escalation
Download from SourceForge →

Metasploitable 3

Intermediate

Windows & Linux VMs with more modern vulnerabilities and flags to find.

  • ✓ Windows Server 2008
  • ✓ Ubuntu 14.04
  • ✓ CTF-style flags
  • ✓ Vagrant provisioning
GitHub →

VulnHub VMs

Various

Hundreds of community-created vulnerable VMs, many with walkthroughs available.

  • ✓ Kioptrix series (beginner)
  • ✓ Mr. Robot (intermediate)
  • ✓ Stapler (intermediate)
  • ✓ Brainpan series (advanced)
vulnhub.com →

HackTheBox Retired

Various

Download retired HTB machines for offline practice (requires a VIP subscription).

  • ✓ Real-world scenarios
  • ✓ Official walkthroughs
  • ✓ Windows & Linux
  • ✓ Various difficulties
hackthebox.com →

HackMyVM

Various

Free community-driven platform with actively maintained VMs, flag submission, and leaderboards. The modern alternative to VulnHub.

  • ✓ Actively maintained (new VMs weekly)
  • ✓ Flag submission & scoring
  • ✓ Difficulty ratings
  • ✓ Walkthroughs available
hackmyvm.eu →

Proving Grounds

Various

OffSec's official practice platform. PG Play is the free tier with community VMs; PG Practice is the paid tier aimed at OSCP preparation.

  • ✓ PG Play (free tier)
  • ✓ PG Practice (paid, OSCP-like)
  • ✓ Community & OffSec-made machines
  • ✓ Windows & Linux targets
offsec.com/labs →

Quick Setup Script

Launch several vulnerable apps at once with Docker Compose. DVWA and bWAPP are remapped to host ports 8081 and 8082 so they do not both claim port 80 as the standalone docker run commands above would:

# docker-compose.yml for vulnerable lab
services:
  dvwa:
    image: vulnerables/web-dvwa
    ports:
      - "8081:80"

  juice-shop:
    image: bkimminich/juice-shop
    ports:
      - "3000:3000"

  webgoat:
    image: webgoat/webgoat
    ports:
      - "8080:8080"
      - "9090:9090"

  bwapp:
    image: raesene/bwapp
    ports:
      - "8082:80"

# Run with: docker compose up -d
# Verify:  curl -s http://localhost:3000 | head -5
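A bare Compose mapping such as "8081:80" publishes the port on 0.0.0.0, every interface of the host, so the lab above is reachable from the whole LAN, which is exactly the exposure the Getting Started isolation advice warns about; "127.0.0.1:8081:80" keeps it on loopback. The check below is an added example, not part of the original page or of any of the listed projects: it lints a compose file for such mappings and emits a loopback-only copy. The function names and the constructed sample file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): find compose port mappings that
# bind to every host interface and rewrite them to 127.0.0.1 only.
# Function names and the sample compose file are assumptions for this example.

# List port lines of the form `- "HOST:CONTAINER"` (quotes optional) that carry
# no bind address. Output is empty when every mapping is loopback-bound.
find_exposed_ports() {
    grep -nE '^[[:space:]]*-[[:space:]]*"?[0-9]+:[0-9]+"?[[:space:]]*$' "$1"
}

# Number of exposed mappings as a plain integer (0 means nothing is exposed).
exposed_count() {
    find_exposed_ports "$1" | wc -l | tr -d ' '
}

# Emit a hardened copy: every bare HOST:CONTAINER mapping gets a 127.0.0.1:
# prefix; mappings that already name a bind address are left untouched.
harden_ports() {
    sed -E 's/^([[:space:]]*-[[:space:]]*"?)([0-9]+:[0-9]+"?[[:space:]]*)$/\1127.0.0.1:\2/' "$1"
}

# Constructed sample compose file mirroring the lab above: juice-shop is
# already loopback-bound, the other three mappings are exposed.
write_sample_compose() {
    cat > "$1" <<'EOF'
services:
  dvwa:
    image: vulnerables/web-dvwa
    ports:
      - "8081:80"
  juice-shop:
    image: bkimminich/juice-shop
    ports:
      - "127.0.0.1:3000:3000"
  webgoat:
    image: webgoat/webgoat
    ports:
      - 8080:8080
      - "9090:9090"
EOF
}

# Usage: sh lab-check.sh docker-compose.yml  (prints exposed lines, exit 1 if any)
if [ "$#" -eq 1 ]; then
    find_exposed_ports "$1"
    [ "$(exposed_count "$1")" = "0" ] || exit 1
fi
```

On Linux, Docker installs its own iptables rules for published ports, so a host firewall such as ufw does not protect an exposed mapping; binding to 127.0.0.1 does.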

Troubleshooting FAQ

Can't reach vulnerable VM from Kali
  • Both VMs must be on the same network (host-only or NAT network)
  • Check IPs: ip addr on both machines
  • Try pinging from each direction to isolate the issue
  • VirtualBox: use "NAT Network" (not just "NAT") for VM-to-VM communication
VulnHub OVA import failing
  • Try importing with "Import Appliance" not drag-and-drop
  • If checksums fail, re-download the OVA
  • Some OVAs are VMware-only — convert with qemu-img convert
  • VirtualBox: uncheck "Import hard drives as VDI" if import fails
Docker container crashes immediately
  • Check logs: docker logs container_name
  • Port already in use: change host port (-p 9080:80)
  • Out of disk: docker system df and docker system prune
  • Architecture mismatch on Apple Silicon: add --platform linux/amd64