Have you ever wondered where to start hacking, acquire more hacking knowledge and even train, test and improve your hacking skills? Here is a compilation, collection, list, directory of the best sites that will help you. The sites listed below will help you understand and practice every aspect of the secure (or rather insecure) side of software, networks (networking), servers and every single element that may be exposed in the(our) binary world.
Please note that this is a mere compilation, all credits go to their respective authors. Creating such challenges requires and involves a lot of time, knowledge and creativity. Respect their work.
Website list
The list is ordered in no particular way.
- Pwnable http://pwnable.kr/ Pwnable is a classic, one of all-time favorites. pwnable.kr is a non-commercial wargame site which provides various pwn challenges regarding system exploitation. The main purpose of pwnable.kr is ‘fun’. While playing pwnable.kr, you could learn/improve system hacking skills but that shouldn’t be your only purpose. The only thing you must do is click “play” on the upper left zone, choose a game and Pwn it. They provide a scoring system, the harder the challenge is, the more score you win.
- 24/7 CTF https://247ctf.com/ Join now to continuously test your skills across web, crypto, networking, reversing and exploitation vulnerabilities and challenges.
- CTFTIME https://ctftime.org/ One of the biggest Capture The Flag (CTF) archives. They classify the challenges by year and profide useful information and statistics. For example, each competition participating teams, the winning team, their members, their write-ups, etc…
- Over The Wire http://overthewire.org/wargames/ Again one of all-time favorites. The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games. To find out more about a certain wargame, just visit its page linked from the menu on the left. They have a suggested order to play the games in in their “About”.
- W3 Challenges https://w3challs.com/ W3Challs is a penetration testing training platform, which offers various computer challenges, in categories related to security: Hacking, Cracking, Wargame, Forensic, Cryptography and Programming. The purpose of this site is to offer realistic challenges, without simulation, and without guessing!
- Pwnable.tw https://pwnable.tw/ Pwnable.tw is a wargame site for hackers to test and expand their binary exploiting skills. Just as the .kr version (I actually don’t know if they’re related) the only thing you must do is click “challenges” con the upper left webpage tabs. They provide a scoring system, the harder the challenge is, the more score you earn. They also provide write-ups.
- Challenges.re https://challenges.re/ Website created by Dennis Yurichev, the writer of the awesome book “Reverse Engineering for Beginners” https://beginners.re/
- Reversing Hero https://www.reversinghero.com/ ReversingHero is a 15-challenges computer program, designed to teach you Reverse Engineering. It begins from the real basics, and continues into more advanced topics.
- ROP Emporium https://ropemporium.com/ Learn return-oriented programming through a series of challenges designed to teach ROP techniques in isolation, with minimal reverse-engineering and bug-hunting.
- picoCTF https://picoctf.com/ picoCTF is a computer security game targeted at middle and high school students. The game consists of a series of challenges centered around a unique storyline where participants must reverse engineer, break, hack, decrypt, or do whatever it takes to solve the challenge. The challenges are all set up with the intent of being hacked, making it an excellent, legal way to get hands-on experience. Their code is accessible via picoCTF Git repo
- CryptoHack https://cryptohack.org/ Get your hands dirty and learn about modern cryptographic protocols by solving a series of interactive puzzles and challenges.
- Hack The Box https://www.hackthebox.eu/ Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated. Some of them simulating real world scenarios and some of them leaning more towards a CTF style of challenge.
- Root Me https://www.root-me.org/en/Challenges/ The fast, easy, and affordable way to train your hacking skills. Root-me has a wide variety of challenges. CTFs, scripts, system, cracking, cryptanalysis, forensic, network, programming, realist, steganography, web-client, web-server.
- CrackMes https://crackmes.one/ This is a simple place where you can download crackmes to improve your reverse engineering skills. Crackmes.de does not exists anymore. Reversers need to find a place to upload their creation and help new people to learn from that great discipline. This place has been made in order to help you to improve your reversing skills. You can download some crackmes and submit solutions to them.
- TryHackMe https://tryhackme.com/ TryHackMe takes the pain out of learning and teaching Cybersecurity. Our platform makes it a comfortable experience to learn by designing prebuilt courses which include virtual machines (VM) hosted in the cloud ready to be deployed. This avoids the hassle of downloading and configuring VM’s. Our platform is perfect for CTFs, Workshops, Assessments or Training.
- Exploit Education https://exploit.education/ (Formerly Exploit-exercises) Exploit education provides a variety of virtual machines, documentation and challenges that can be used to learn about a variety of computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and general cyber security issues.
- CTF365 https://ctf365.com/ CTF365 is a real life cyber range where users build their own servers and defend them while attacking other servers. It’s what would happen in real life when your server or computer networks are under attack by hackers.
- Hack This https://www.hackthis.co.uk/ Want to learn about hacking and network security? Discover how hacks, dumps and defacements are performed and secure your website against hackers with HackThis.
- Hack This Site https://www.hackthissite.org/ Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker wargames site, we are a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. Tune in to the hacker underground and get involved with the project.
- Try2Hack http://www.try2hack.nl/ (You will probably get a browser warning about the page not being secure not https) This site provides several security-oriented challenges for your entertainment. It is actually one of the oldest challenge sites still around. The challenges are diverse and get progressively harder.
- Hacking Lab https://www.hacking-lab.com/index.html Hacking-Lab is an online ethical hacking, computer network and security challenge platform, dedicated to finding and educating cyber security talents. Hacking-Labs’ goal is to raise awareness towards increased education and ethics in information security through a series of cyber competitions that encompass forensics, cryptography, reverse-engineering, ethical hacking and defense. One key initiative for Hacking-Lab is to foster an environment that creates cyber protection through education.
- IO wargame http://io.netgarage.org/
- Smash The Stack - Wargaming Networking http://smashthestack.org/wargames.html The Smash the Stack Wargaming Network hosts several Wargames.
- CTF Katsudon https://ctf.katsudon.org/ctf4u/ Incredibly complete CTF collection and validation site. Baby, easy, medium easy, mediuam mediuam, mediuam hard and hard challenges awaits!
- CCN-CERT’s ATENEA (Spanish only) https://atenea.ccn-cert.cni.es/home Collection of interdisciplinary challenges issuing criptography, steganography, exploiting, forensics, networking and reversing.
- Linux privilege escalation https://in.security/lin-security-practise-your-linux-privilege-escalation-foo/ A Linux virtual machine that is based, at the time of writing, on an up-to-date Ubuntu distro (18.04 LTS), but suffers from a number of vulnerabilities that allow a user to escalate to root on the box. This has been designed to help understand how certain built-in applications and services if misconfigured, may be abused by an attacker.
- MicroCTFs https://github.com/gabemarshall/microctfs Small CTF challenges running on Docker
- Reversing.kr http://reversing.kr/ This site tests your ability to Cracking & Reverse Code Engineering. Now Challenge a problem for each environment. (Windows, Linux, .Net, Flash, Java, Python, Mobile..)
-
Microcorruption https://microcorruption.com/login Web-based CTF focused in teaching assembly language and low-level debugging.
- Tuoni labs https://tuonilabs.wordpress.com/ Cyber security write-ups, exploits and intro about verious topics like ROP (Return Oriented Programming), web exploitation, binary exploitation, reverse engineering, OSCP…
Courses, guided learning
- Nightmare https://github.com/guyinatuxedo/nightmare Nightmare is an intro to binary exploitation / reverse engineering course based around ctf challenges. I call it that because it’s a lot of people’s nightmare to get hit by weaponized 0 days, which these skills directly translate into doing that type of work.
- Privilege Escalation Cheatsheethttps://github.com/Ignitetechnologies/Privilege-Escalation/blob/master/README.md This cheatsheet is aimed at the CTF Players and Beginners to help them understand the fundamentals of Privilege Escalation with examples. It is not a cheatsheet for Enumeration using Linux Commands. Privilege escalation is all about proper enumeration. There are multiple ways to perform the same tasks. We have performed and compiled this list on our experience
- Exploiting and reversing with free tools Link (too long) (You will probably get a browser warning about the page not being secure not https) Guided course by the one and only Ricardo Narvaja. Exploting and reversing using only free tools. Both English and Spanish.
- Begin.re https://www.begin.re/ If you have been searching for a place to get started with Reverse Engineering and get your hands dirty, Begin.re is the right place. The correct place for x86 newcomers.
- Modern Binary Exploitation course http://security.cs.rpi.edu/courses/binexp-spring2015/
- Azeria’s basics on ARM https://azeria-labs.com/writing-arm-assembly-part-1/ Tutorial series on ARM assembly basics.
CTF Tools
- CTF Tools Collectionhttps://github.com/zardus/ctf-tools This is a collection of setup scripts to create an install of various security research tools. Of course, this isn’t a hard problem, but it’s really nice to have them in one place that’s easily deployable to new machines and so forth.
- Awesome CTFhttps://github.com/apsdehal/awesome-ctf A curated list of Capture The Flag (CTF) frameworks, libraries, resources, softwares and tutorials. This list aims to help starters as well as seasoned CTF players to find everything related to CTFs at one place.
- CTF Online Toolshttps://github.com/devploit/CTF_OnlineTools Repository to index interesting Capture The Flag online tools.
Other compilations
There are also other websites that, just like this one, in turn gather the best in order to bring us a huge variety of hacking training platforms/frameworks.
- Captf http://captf.com/practice-ctf/ List of CTF sites classified as recommended, others, meta, webapp, forensics, recruiting and paid. They also provide donloadable offline games and virtual machines you can download to train with. You can visit their main directory - http://captf.com to explore annual collections since 2004.
- CTFS repo https://github.com/ctfs Compilation of challenges and write-ups classified by year.
- Amanhardikar’s mindmap http://www.amanhardikar.com/mindmaps/Practice.html Penetration testing practice lab - vulnerable apps / systems. This one is huge as you will notice.
- Vulnhub https://www.vulnhub.com/ Their goal is simple: “To provide materials that allows anyone to gain practical ‘hands-on’ experience in digital security, computer software & network administration”
- Compilation of hacking sites covering a wide variety of topics https://tiwim.github.io/pages/linklist.html
- Online article (in spanish) “14 webs para poner a pruebas tus habilidades como hacker”. (14 webs to test your skills as a hacker) https://www.r3cybersecurity.com/webs-para-poner-a-prueba-habilidades-hacking/
Readings
- Reverse engineering reading list: https://github.com/onethawt/reverseengineering-reading-list
- Reversing CTFs basic intro: https://medium.com/bugbountywriteup/linux-reverse-engineering-ctfs-for-beginners-4cf03ff2cfb4
- G0Blin writeups https://g0blin.co.uk/
Author note
This compilation is in constant growth and change as it’s being actively maintained. If you miss a page and consider it is worth posting, have suggestions or find errors, please contact the author (@Razvieu).
Deprecated sites
Sites that once were available for public access but not anymore.
- Builds Hack Me http://ctf.slothparadise.com/ Not available anymore (21st October 2019) (However, the github repo is still available https://github.com/allanlw/builds-hackme) As soon as you enter the site, you will see no play button. This one is a real simulation, you must inspect source code and start digging to gather info and Pwn it :D
- Hackers.gg https://hackers.gg/ Not available anymore (21st October 2019)
- Pwnctf.io http://pwnctf.io/challenges Not available anymore (21st October 2019). You must register as a team in order to see the challenges. Afterward you can see the challenges are divided into steganography, crypography, forensics, web, reverse engineering, miscellaneous, recon, trivia and encoding.