Listed below are some of the best websites and platforms where you can play hacking games, solve challenges, hack realistic systems and web applications, etc.
Metasploitable 2 (offline, free)
Metasploitable is a Linux virtual machine that you can download and set up on your system. It is vulnerable and exploitable in almost every way possible. Recommended for beginners. You can find the exploitability guide here.
Damn Vulnerable Web Application a.k.a. DVWA (offline, free)
DVWA is an extremely vulnerable web app built with PHP and MySQL. It is available both as a package that you can set up on your own web server and as a full ISO file.
- Download zip package (1.3MB, v1.9)
- Download Live CD (480MB, v1.0.7)
HackTheBox.eu (online, free, optional VIP subscription)
Registration on HackTheBox requires you to ‘hack’ your way in. It is a simple task. If you find yourself unable to get the invite code by yourself, you will have a very hard time solving their challenges and hacking their boxes. Learn some more, then try again.
- Independent challenges: Reverse Engineering, Cryptography, Steganography, Web applications, and more.
- Servers: From easily hackable in 2 hours to dozens of hours of nightmares.
OverTheWire.org (online, free)
You don’t need to register. Just choose a game (each game requires different skills) and try to progress through the levels. Most games are SSH-based. Difficulty ranges from very easy to extremely hard.
HackThisSite.org (online, free)
Different missions requiring different skillsets, each with multiple levels and varying difficulties. Registration is required and is straightforward.
VulnHub.com (offline, free)
VulnHub hosts a large number of virtual machines which you can download, run on your own system and try to hack. The goal is to get root privileges on that virtual machine. Varying difficulty levels and required skillsets.
HackThis.co.uk (online, free)
This website offers challenges similar to those on hackthissite.org and hackthebox.eu. Registration is required.
Game Of Hacks (online, free)
You have to find the vulnerability in a piece of code, as quickly as possible.
Others
- WebGoat (OWASP project), instructions and downloads here.
- Damn Vulnerable iOS application.
- Google Gruyere, a very vulnerable web application hosted online; no need to download anything.
- PentesterLab.
- W3Challs, online challenges.
- bWAPP, another extremely vulnerable web app available for download, just the app or pre-installed on a VM.
- Hell Bound Hackers.
- ThisIsLegal, online challenges.
- Hackme
- HackerTest.net, 20 online challenges.
This post is constantly updated; more resources will be added.
You can also try the Vulnerable Client-Server Application (VuCSA), which is a thick-client CTF with non-HTTP traffic.