I often get asked from many of my friends and colleagues about where should I start to learn to hack. My answer always includes a handful of hacking websites which I found very useful during my journey in this awesome industry. Today I will share with you the best hacking websites you should definitely use.
For those who stumbled upon this blog for the first time, it is dedicated to helping you learn and become a better ethical hacker, the topics cover web application hacking, penetration testing and bug bounty hunting.
Why are hacking websites important?
I always say that you can’t learn hacking without practice. Unfortunately, you can’t practice by hacking arbitrary websites because it is unethical and illegal, to say the least. You could develop your own web applications and then hack them, but that would take a lot of time and effort especially if you are not a developer. This is where hacking websites come into play. In fact, they offer a practical playground ready to be hacked by everyone. If you want to focus on learning a specific vulnerability, you can solve the corresponding challenges. Alternatively, if you want to hack a machine from the start and become root, you can play boot2root challenges. You can even participate in live Capture The Flag challenges, either alone or with a team, and play against other teams. This offers a tremendous opportunity for you not only to learn hacking but also to sharpen your skills and keep them up to date.
How to learn from hacking websites?
Some hacking websites offer challenges without solutions. You might think that this is not practical, but it’s the best way for you to learn. In fact, rushing into the solution without putting in enough effort will not benefit you in any way. When you take your time to understand the problem and solve it on your own, you will never forget it! Besides, real-life hacking involves so many rabbit holes, long hours trying to understand and exploit security vulnerabilities. So, you will be learning while preparing yourself for your future real targets.
Google Gruyere: A hacking website from Google
Google gruyere is a deliberately vulnerable web application that you can hack to learn about many security vulnerabilities. It is available online, which means that you don’t need any lab setup. It includes well-known issues like Cross-Site Scripting, Command Injection and CSRF. Additionally, you can also download the source code to inspect it and perform white-box testing.
Google gruyere is great for beginners because it explains each vulnerability at a time with a corresponding challenge. If you feel blocked, you can show the collapsed hints. Even though it also includes the solution, I don’t recommend you see it.
- Easy to use.
- Great explanations.
- Very useful for absolute beginners.
A limited number of vulnerabilities.
Vulnhub: The best hacking website for local boot2root machines
If you have a slow connection and you want to eliminate network latency when you are doing ethical hacking, then VulnHub is your friend. In fact, it is a hacking website which collects virtual machines that you can download one time and install locally on your host using virtualization software such as VirtualBox or VMWare. VulnHub offers so many machines in all difficulty levels. In such scenarios, you boot the virtual machine and your goal is to become root. This is known as a boot2root challenge.
For each machine, there is usually a publicly available solution, but I don’t recommend you read it until you exhaust all the ideas you have in mind. Unfortunately, there are no hints and no forum to exchange ideas between the community members.
- Offline hacking eliminates network latency.
- A large choice of Virtual Machines to choose from.
- There is no forum.
- Sometimes, you need to troubleshoot some networking issues when the VM is not reachable from your host machine.
Root me: My old favourite hacking website
Root-me.org is a mature hacking platform that you can use to practice ethical hacking. It is much more than just a simple hacking website. In fact, it offers challenges in many areas, such as web, cryptography, cracking, networking and more. Besides, it hosts CTF boot2root rooms that you can use to boot and hack a live target to become root. Some of these machines come from VulnHub, which makes it convenient for those who don’t like to set up a personal lab. Furthermore, it has a leaderboard and a strong and live community that you can interact with it using IRC or through the forum. Additionally, it offers professional services for companies which seek employees, hacking training, etc.
This ethical hacking platform provides solutions for the challenges it offers. However, you can’t see one unless you solve the corresponding challenge first. This is a great feature because it encourages you to make an effort on your own. To help you during this tough process, it provides you with related documentation that you can use to understand and solve the challenges on your own. Besides, you can find hints in the forum threads, post a message in the IRC chat, or even contact someone who has already solved the challenge.
- Four languages: English, French, German and Spanish.
- Diversified challenges.
- Strong community.
Honestly, I don’t have any. It’s a great platform!
hackthebox: The hacking website for OSCP
After I became top 100 on root-me and rooted a handful of CTF machines, I wanted to tackle challenges similar to the OSCP certification. I Google “OSCP like machines” and I find hackthebox.eu. They offer most of what root-me.org has, with some key differences.
Firstly, you can’t register unless you hack your way in. After you find the flag, you can log in to the platform. It’s not hard to solve that preliminary challenge; it’s just a way to prove that you deserve having an account on this hacking website.
Once I log in, I notice that the user interface is more elegant than the one of root-me.org. I know design taste is a matter of perspective and I don’t really judge a platform by its appearance, but this one just felt professional. On the menu on the left, you can download the VPN file, discover the challenges, the labs, the forum, etc.
Accessing this hacking website through the VPN
One of the key differences between root-me and hackthebox is VPN. In fact, to hack the available machines on the latter, you download your connection pack. Then, you connect to the infrastructure with OpenVPN, an open-source software that allows you to connect using VPN. Don’t get scared if this seems new to you; everything is explained on the platform and you just have to follow the steps.
The challenges and boot2root machines
On the one hand, hackthebox offers challenges the same way root-me does, but the number is still way lower. You don’t need a VPN to access the challenges.
On the other hand, hackthebox offers a wide range of boot2root machines. If you want to prepare for your OSCP certification, this is where you should spend most of your time.
In the free plan, you have access to the new ones. Once they retire, you need a paid plan to be able to hack them. As I mentioned earlier, you need to set up a VPN connection to reach them.
In addition to the awesome boot2root machines, hackthebox offers many hacking labs. These are a couple of machines that compose a full infrastructure. Few of them are accessible directly through the VPN, but most of them require you to obtain a foothold on the infrastructure.
Some of these labs are Active Directory infrastructures developed by hackthebox itself, others are provided by companies which seek ethical hackers to join them. You can find all of them on the menu on the left.
You can join the community and interact with its members through many communication channels, such as the forum, the Discord server and the Mattermost space. You can also send private messages to members and broadcast messages using the shoutbox.
All these communication channels are available on the left menu.
- Great quality machines, ideal for OSCP certification preparation.
- Diversified challenges.
I honestly don’t see any!
TryHackMe: A new rising hacking website star
This hacking platform is recent. However, it contains exhaustive hacking material in new forms I haven’t seen in any other hacking website.
Accessing TryHackMe challenges
As it is the case with hackthebox, this platform also provides a VPN package that you can use to access the hacking challenges. However, only UDP is supported. If you are in a network which blocks UDP, you can’t currently bypass it as you would do with hackthebox.
These are corners which focus on teaching one thing. For example, if you want to learn the basics of penetration testing, there is a room for that. The same thing for learning how to use Linux and the list goes on. All you have to do is search for the room you want using a filtering system, then enroll and start learning. Some rooms need a paid subscription.
If you are a total beginner in a subject, the learning paths help you cover the basics. These are paid by definition.
King of the Hill
These are CTF challenges like you would see in a typical boot2root scenario, with a key twist! In fact, you can put your name in the file under /root/king.txt to become the king and start gaining points. The players not only exploit the vulnerabilities within the machine, but they also strive to earn the highest score by staying king as long as possible.
You can interact with the community through many communication channels, such as Discord, Twitter, Direct messages, etc.
- The rooms and the learning paths are great to learn new subjects.
- King of the Hill are fun CTFs.
- The community is live.
- The VPN package doesn’t support TCP.
hacker101: The hacking website for bug bounty hunters
I’ve talked this hacking website provides on previous episodes, such as when I talked about my bug bounty methodology. This hacking website provides a solid playground for bug bounty hunters with diversified challenges that will twist your mind. They are designed to mimic the real bugs you would find during bug bounty hunting. Besides, you collect points for each challenge you solve, which allows you to get an invite from a private program on HackerOne. However, it doesn’t only provide hacking challenges. In my opinion, there are two other resources you can learn from besides the hacking challenges.
The first one is the Discord server where you can connect and engage with the bug bounty community members.
The second resource I want to draw your attention to is the introductory videos that explain many subjects that relate to bug bounty hunting. Things like web vulnerabilities and mobile hacking.
- Great videos resources for future bug bounty hunters
- The challenges are unique and similar to what you would find during bug bounty hunting.
- Vibrant bug bounty community in the Discord server.
The hacking content and the features are still quite limited compared to other hacking platforms.
Which one of these hacking websites to choose?
You might have started to feel overwhelmed with all these hacking websites and platforms. I hear you wondering where should I start? And do I have to subscribe and use all of them?
The answer is no! While each hacking website and platform brings its unique features and user experience, all of them share the same core building blocks, which are hands-on challenges. As the number of such resources contains to grow, you just have to choose one or two which suit your taste and needs. Occasionally, you may experiment with new rising hacking websites and platforms, which might replace your current ones.
I started my hacking journey when the major hacking websites I had were VulnHub and Root-me around. Once I discovered hackthebox, I got addicted to their machines, especially since I was preparing my OSCP certification. Lately, I came across tryhackme, which offered a great gamification experience on top of the practical hacking content.
In this article, I tried to collect the best hacking websites and platforms that will surely help you in your hacking career. Whether you are an absolute beginner or an advanced ethical hacker, I’m sure you will find a match.
However, this is not a complete list. There are other hacking websites like OWASP WebGoat and OWASP JuiceShop, which I have used as a hacking lab for the OWASP Top 10 training. Then, there is Portswigger Academy which I already covered in a previous episode. And finally, there is the classic CTFtime, which is dedicated to Capture the Flag events.