Recommended Boot2Root Machines

After some research I created this personal “to-do” list of recommended/famous/must-solve/you name it, Boot2Root machines from Vulnhub HTB and a few other sources mainly focused on OSCP preparation.

The list is NOT only about machines similar to OSCP but is focused on preparing for it.
It includes machines that are way easier or harder than OSCP but are worth solving as you will definitely learn something new from each one, practice and get more confident about your skills.
My suggestion is to solve at least 50 machines from Vulnhub & HTB before you dive for your OSCP exam.

While solving them don’t forget to avoid using Automatic exploitation tools such as SQLmap as the exam forbids them. (https://support.offensive-security.com/oscp-exam-guide/) and also try to avoid Metasploit as you are allowed to use it only on one machine in the exam and besides that doing it the manual way is always better for educational purposes.

Resources Labs Important notes

Don’t forget to check these awesome courses focused specifically on OSCP prep.

-> Udemy Practical Ethical Hacking

Most students struggle with Privilege Escalation : Check these awesome courses from Tib3rius and The Cyber Mentor on Udemy
https://www.udemy.com/course/linux-privilege-escalation/
https://www.udemy.com/course/linux-privilege-escalation-for-beginners/
https://www.udemy.com/course/windows-privilege-escalation/
https://www.udemy.com/course/windows-privilege-escalation-for-beginners/

Also check the following links I have collected with useful OSCP related stuff.

OSCP-Survival-Guide
TJnull’s Preparation Guide for PWK/OSCP
Github OSCP Prep
OSCP survival guide
Github OSCP Prep 2
Total OSCP guide
OSCP Basic notes
OSCP Fun Guide
Guide for OSCP with chapters
Newbie to OSCP
How to Pass OSCP Like Boss.
Passing OSCP – scund00r
OSCP useful resources and tools
OSCP Human Guide
How to pass the OSCP
A curated list of awesome OSCP resources
A reconnaissance tool made for the OSCP labs
HackTheBox OSCP-like Machines

TryHackMe offers a great practical course specifically for OSCP preparation.

The OSCP learning path is great for either pre-preperation prior to purchasing the OSCP course or to help re-consolidate your knowledge whilst following the official OSCP resources. It includes 18 boxes (for now) that also cover Windows Privilege Escalation and Buffer Overflow / Reversing topics that are kinda rare to find on Vulnuhub.
https://tryhackme.com/paths
Read my review here: https://emaragkos.gr/infosec-adventures/tryhackme-oscp-preparation-path-review/

Virtual Hacking Labs (VHL) is an awesome way to practice for OSCP.

Besides the awesome lab with more than 40 realistic boxes, you will get a 370+ page courseware that is one of the best resources I have found out there.
Read my review here: https://emaragkos.gr/infosec-adventures/virtual-hacking-labs-review-oscp-prep/

All OSCP-similar boxes (Vulnhub – HTB) are confirmed by NetSecFocus
Latest OSCP-similar confirmed boxes update: (March 2020).

Vulnhub Linux Machines

Name	Difficulty	Completed	OSCP-prep Confirmed	Short Notes (No big spoilers)	Recommended writeup
RICKdiculouslyEasy 1	Easy	YES	YES	Really CTFish, Flags, Enumeration, Web, RCE, Bruteforce, Stego, Fun to solve	https://emaragkos.gr/vulnhub-writeups/rickdiculouslyeasy-1-vulnhub-walkthrough/
pWnOS: 2.0 (Pre-Release)	Easy	YES	YES	Realistic, Web, Enumeration, Easy SQLi	https://medium.com/infosec-adventures/pwnos-2-0-walkthrough-fc2e4ef1ad55
SickOs: 1.1	Easy	YES		Creator mentions that "This vm is very similar to labs I faced in OSCP." Personally I found it pretty easy compared to other machines that mention the same thing. CTFish, Enumeration, Web, Not really original except the proxy thing (no spoilers).	https://www.youtube.com/watch?v=kkHYPRmS4kw
SickOs: 1.2	Easy		YES
Dina: 1.0.1	Easy	YES	YES	Web, Not really original	https://emaragkos.gr/vulnhub-writeups/dina-101-vulnhub-walkthrough/
LazySysAdmin 1.0	Easy	YES		CTFish, Flags, Web, SMB	https://emaragkos.gr/vulnhub-writeups/lazysysadmin-1-0-vulnhub-walkthrough/
JIS-CTF	Easy	YES		Not really original, Poor challenges, Bad English, CTFish, Flags, Web, Enumeration	https://medium.com/@w3rallmachines/jis-ctf-vulnupload-vulnhub-walkthrough-b33ba57b2be0
Stapler: 1	Easy	YES	YES	CTFish, Flags, Enumeration, Bruteforce, Web, Rabbit Holes	https://www.mrb3n.com/?p=81
unknowndevice64: 1	Easy	YES		CTFish, Web, Stego, Bruteforce, Web, Rabbit Holes, Restricted shell	https://www.hackingarticles.in/unknowndevice64-1-vulnhub-lab-walkthrough/
NullByte: 1	Easy	YES	YES	CTFish, Web, Enum, Stego, Fuzzing, SQLi, Interesting Priv Esc	https://www.hackingarticles.in/hack-nullbyte-vm-ctf-challenge/
billu: b0x	Easy	YES
billu: b0x 2	Easy	YES		Enumeration, Web, CVE, Common easy priv esc	https://www.hackingarticles.in/hack-the-billu-b0x-2-vm-boot-to-root/
pluck: 1	Easy	YES		Realistic, Web, LFI, Outdated software, Not that easy, I would rate medium	https://mrh4sh.github.io/pluck-solution
Toppo: 1	Easy	YES	YES	Web, Enumeration, Common Priv Esc, Really easy and simple box	https://medium.com/@ikuamike/toppo-1-vulnhub-vm-writeup-6ef37586345e
g0rmint: 1	Easy
Misdirection	Easy	YES		Web, Enumeration, Common Priv Esc, Easy and simple box	https://purpl3f0xsec.tech/2019/10/04/Vulnhub-misdirection.html
Hackme 1	Easy	YES	YES	Really really really easy box, Web, Enumeration, Easy SQLi	https://www.hackingarticles.in/hackme-1-vulnhub-walkthrough/
Hackademic: RTB1	Easy	YES		Realistic, Really Outdated software, Enumeration, Web, Common Priv Esc	https://chousensha.github.io/blog/2016/07/18/pentest-lab-hackademic-rtb1/
Tr0ll: 1	Easy	YES		Really CTFish, Rabbit Holes, Trolling, Enumeration, Web, Trolling again, Basic Priv Esc	https://www.sw1tch.net/2014/08/16/walkthrough-for-tr0ll-1/
Kioptrix: Level 1 (#1)	Easy	YES	YES	Meh, not really original	https://emaragkos.gr/vulnhub-writeups/kioptrix-level-1-vulnhub-walkthrough/
Kioptrix: Level 1.1 (#2)	Easy	YES	YES	Web, SQLi, RCE	https://www.abatchy.com/2016/12/kioptrix-2-walkthrough-vulnhub
Kioptrix: Level 1.2 (#3)	Easy	YES	YES	Enumeration, Web, CVE, SQLi, RCE, Common priv esc	https://www.abatchy.com/2016/12/kioptrix-3-walkthrough-vulnhub
Kioptrix: Level 1.3 (#4)	Easy	YES	YES	Enumeration, Web, SQLi, Restricted shell, Common priv esc	https://jhalon.github.io/vulnhub-kioptrix4/
Kioptrix: 2014 (#5)	Easy	YES	YES	Web, Enumeration, FreeBSD, CVE, LFI, RCE, Common priv esc	https://www.abatchy.com/2017/01/kioptrix-2014-5-walkthrough-vulnhub
Tr0ll: 2	Medium	NO (I tried, not ready yet, BOF)	YES	Kinda stupid CTFish, Rabbit Holes, Trolling, Enumeration, Web, Trolling again, BOF Priv Esc	https://www.doyler.net/security-not-included/tr0ll-2-walkthrough-you-gotta-pay-the-troll-toll
DeRKnStiNK 1	Medium	YES	YES	CTFish, Flags, Web	https://emaragkos.gr/vulnhub-writeups/vulnhub-derknstink-1-walkthrough/
covfefe: 1	Medium	YES		CTFish, Flags, Enumeration, Bruteforce, Interesting noob friendly intro to BOF	https://emaragkos.gr/vulnhub-writeups/vulnhub-covfefe-walkthrough/
FristiLeaks: 1.3	Medium	YES	YES	CTFish, Enumeration, Web, Cryptography, Interesting PrivEsc	https://5h4d0wb0y.github.io/2017-04-10-fristileaks/
HackInOS: 1	Medium	YES	YES	Awesome machine, Original, Web, Coding, Fuzzing, Bruteforce, Interesting PrivEsc, Pivoting	https://www.hackingarticles.in/hackinos1-vulnhub-lab-walkthrough/ https://pentestmafia.github.io/Vulnhub/writeup/hackinos1.html
Lord Of The Root: 1.0.1	Medium	NO (I tried, not ready yet)	YES	Awesome machine, Original, Enumeration, Port Knocking, Web, Multiple ways for PrivESC with Advanced ASLR BOF or MYSQL	https://barnyserver.com/ctf/2018/03/ctf-lord-of-the-root-1-0-1/
Mr-Robot: 1	Medium	YES	YES	CTFish, Flags, Enumeration, Bruteforce, Interesting PrivEsc	https://nikolaskama.me/mr-robot-1-writeup/
SkyTower: 1	Medium	YES	YES	CTFish, Enumeration, Web, SQLi filtering, Proxy	https://highon.coffee/blog/skytower-walkthrough/
Tommy Boy: 1	Medium	NO (Extremely CTF-ish, got bored, gave up and just read a writeup)	YES	Extremely CTF-ish, A lot of enumeration, Bruteforce, Web, Rabbit Holes	https://g0blin.co.uk/tommy-vulnhub-writeup/
zico2: 1	Medium	YES	YES	CTFish, Enumeration, Web, LFI, CVE	https://www.hackingarticles.in/hack-zico2-vm-ctf-challenge/
W1R3S: 1.0.1	Medium
GoldenEye: 1	Medium	YES	YES	Enumeration, Bruteforce, Really CTFish, Interesting WebApp Exploitation, Typical PrivEsc with a few catches.	http://www.anonhack.in/2018/07/goldeneye-1-walkthrough-vulnhub-vulnerable-machine/
W34kn3ss: 1	Medium	YES	YES	Enumeration, Web, CVE, Weak Encryption, Interesting PrivEsc	https://www.hackingarticles.in/w34kn3ss-1-vulnhub-lab-walkthrough/
Bob: 1.0.1	Medium	YES	YES	Enumeration, Web, Command Injection, Pretty chaotic path to priv esc that in the end is just common	https://medium.com/@falconspy/bob-1-0-1-vulnhub-walkthrough-c0f61d3380d1
Hackademic: RTB2	Medium	YES		Realistic, Really Outdated software, Enumeration, Web, SQLi, Port Knocking, Common Priv Esc	https://www.hackingarticles.in/hack-the-hackademic-rtb2-boot2root/
symfonos: 1	Medium	YES	YES	Awesome box, Highly recommended, Web, SMB, SMTP, LFI to RCE, Typical priv esc	https://www.hackingarticles.in/symfonos1-vulnhub-walkthrough/
symfonos: 2	Medium	YES	YES	Awesome box, Highly recommended, Web, SMB, Pivoting, CVE, Typical priv esc	https://0x23b.github.io/posts/vulnhub/2019-08-09-vulnhub_symfonos_2_writeup/
symfonos: 3	Medium	YES	YES	Awesome box, Highly recommended, Web, Enumeration, Shellshock, Sniffing	https://blog.mzfr.me/vulnhub-writeups/2019-07-20-symfonos3
symfonos: 4	Medium		YES
symfonos: 5	Medium		YES
Super Mario Host: 1.0.1	Medium			Pivoting
Pwnlab	Medium		YES
Temple of Doom	Medium		YES
Web Developer 1	Medium		YES
Escalete_Linux 1	Medium		YES
DC6	Medium		YES
DC9	Medium		YES	Awesome box, Web, SQLi, LFI, Port Knocking, Bruteforcing, Interesting Priv Esc	https://www.youtube.com/watch?v=_Aa8125CQ0g
The Necromancer: 1	Hard
HackLAB: Vulnix	Hard	NO (I tried, not ready yet)	YES	Focuced on enumeration, Many ports, Interesting and more advanced enumeration than most of the machines, Requires solid understanding of Linux	https://www.rebootuser.com/?p=988
WinterMute: 1	Hard		YES
Pegasus: 1	Hard	NO (I tried, not ready yet)	YES	Original, Web, Enumeration, BOF	https://g0blin.co.uk/pegasus-vulnhub-writeup/
Prime 1	Hard		YES
Breach: 1	Hard		YES
Breach: 2.1	Hard	YES	YES	Indeed a difficult box, CTFish, Multiple steps for rooting it, Getting shell with XSS, I must say I didn't really enjoy it because it had many guessing parts	https://reedphish.wordpress.com/2016/10/16/breach-2-1-walkthrough/
Breach: 3.0.1	Hard		YES
Sokar: 1
SolidState: 1	Medium	YES	YES	Web, SMPT, CVE, rbash, Common priv esc with a few twists	https://0x00sec.org/t/htb-solidstate-write-up/5129
OwlNest: 1.0.2
digitalworld.local: MERCY v2			YES
digitalworld.local: JOY			YES
digitalworld.local: BRAVERY			YES
digitalworld.local: DEVELOPMENT			YES
Brainpan: 1		NO (I tried, not ready yet)	YES
Brainpan: 2
Brainpan: 3
myHouse7: 1
Tempus Fugit: 1
Kvasir: I				Pivoting
VulnOS 2			YES
Pinkys Palace v1			YES
Pinkys Palace v2			YES
Sar 1	Easy	YES		Web, CVE, RCE, Common Priv Esc
Djinn 1
EVM 1
Prime 1			YES
Nebula			YES
IMF: 1
Raven 1
Raven 2
Fowsniff: 1
NODE: 1	Medium
WAKANDA: 1	Medium
LIN.SECURITY: 1
NINEVEH: V0.3
XTREME VULNERABLE WEB APPLICATION (XVWA): 1
H.A.S.T.E: 1	Medium
BORN2ROOT: 2
DROOPY: V0.2	Easy
DARKNET: 1.0	Hard

Note: HTB machines are categorized by platform Windows/Linux and are sorted by difficulty. OSCP-like machines are reported by users to usually be bellow 5 in the HTB difficulty scale.

IppSecs’ videos categorized by OS and difficulty!

Search IppSecs’ videos context by text!

HackTheBox Linux Machines

Name	Difficulty (HTB rating)	Completed	OSCP-prep Confirmed	Short Notes (No spoilers)	Skills Required	Skills Learned	Recommended writeup
Lame	2.7	YES	YES	Lame is a beginner level machine, requiring only one exploit to obtain root access. It was the first machine published on Hack The Box and was often the first machine for new users prior to its retirement.	● Basic knowledge of Linux ● Enumerating ports and services	● Identifying vulnerable services ● Exploiting Samba	https://www.youtube.com/watch?v=Ru8YxARNS7M
Bashed	3.5	YES	YES	Bashed is a fairly easy machine which focuses mainly on fuzzing and locating important files. As basic access to the crontab is restricted.	● Basic knowledge of Linux ● Enumerating ports and services	● Basic web fuzzing techniques ● Locating recently modified files	https://www.youtube.com/watch?v=2DqdPcbYcy8
Nibbles	3.7	YES	YES	Nibbles is a fairly simple machine, however with the inclusion of a login blacklist, it is a fair bit more challenging to find valid credentials. Luckily, a username can be enumerated and guessing the correct password does not take long for most.	● Basic knowledge of Linux ● Basic understanding of web	● Enumerating web applications ● Guessing probable passwords enumeration techniques ● Bypassing login rate limiting ● Exploiting NOPASSWD	https://www.youtube.com/watch?v=s_0GcRGv6Ds
Mirai	3.8	YES		Mirai demonstrates one of the fastest-growing attack vectors in modern times; improperly configured IoT devices. This attack vector is constantly on the rise as more and more IoT devices are being created and deployed around the globe, and is actively being exploited by a wide variety of botnets. Internal IoT devices are also being used for long-term persistence by malicious actors.	● Intermediate knowledge of Linux ● Enumerating ports and services ● Basic knowledge of the Mirai botnet	● Identifying an IoT device ● Forensic file recovery	https://www.youtube.com/watch?v=SRmvRGUuuno
Shocker	3.8	YES	YES	Shocker, while fairly simple overall, demonstrates the severity of the renowned Shellshock exploit, which affected millions of public-facing servers.	● Basic knowledge of Linux ● Exploiting NOPASSWD	● Exploiting shellshock ● Enumerating ports and services	https://www.youtube.com/watch?v=IBlTdguhgfY
Beep	3.9	YES	YES	Beep has a very large list of running services, which can make it a bit challenging to find the correct entry method. This machine can be overwhelming for some as there are many potential attack vectors. Luckily, there are several methods available for gaining access.	● Basic knowledge of Linux ● Enumerating ports and services	● Web-based fuzzing ● Identifying known exploits ● Exploiting local file inclusion vulnerabilities	https://www.youtube.com/watch?v=XJmBpOd__N8
Sense	3.9		YES
Poison	3.9		YES
Sunday	4.1		YES
Valentine	4.2		YES
Solidstate	4.3		YES
Popcorn	4.3
Cronos	4.4		YES
Haircut	4.7
Nineveh	5.4		YES
Node	6.2		YES
TartarSauce	6.2		YES
Brainfuck	6.8		YES
Kotarak	6.9
Irked			YES
Friendzone			YES
Swagshop			YES
Networked			YES
Jarvis			YES
October			YES
Frolic			YES
LaCasaDePapel			YES
Hawk			YES
Magic			YES

HackTheBox Windows Machines

Name	Difficulty (HTB rating)	Completed	OSCP-prep Confirmed	Short Notes (No spoilers)	Skills Required	Skills Learned	Recommended writeup
Legacy	2.4	YES	YES	Legacy is a fairly straightforward beginner-level machine which demonstrates the potential security risks of SMB on Windows. Great place to start even if this is your first machine ever. As the name says is about a Legacy OS and a good old rockstar of exploits, the infamous ms08_067_netapi.	● Basic knowledge of Windows ● Enumerating ports and services	● Identifying vulnerable services ● Exploiting SMB	https://www.youtube.com/watch?v=wOeYLZazLGI
Blue	2.5	YES	YES	A really simple machine that shows the power of ms17_010_eternalblue. Another rockstar exploit that you should definitely know how to handle. Nothing fancy here but still a really nice machine for beginners.	● Basic knowledge of Windows ● Enumerating ports and services	● Identifying Windows targets using SMB ● Exploit modification (optional)	https://www.youtube.com/watch?v=YRsfX6DW10E
Jerry	2.9	YES	YES	Although Jerry is one of the easier machines on Hack The Box, it is realistic as Apache Tomcat is often found exposed and configured with common or weak credentials. Simple machine, Basic enumeration, Introduction to msfvenom, Easy privsec	● Basic Python/Ruby etc. or familiarity with web brute force attack tools	● Basic script debugging ● Custom war file payload creation ● SILENTTRINITY post-exploitation framework installation and usage (courtesy of IppSec Jerry video)	https://www.youtube.com/watch?v=PJeBIey8gc4
Granny	3.6	YES	YES	Granny, while similar to Grandpa, can be exploited using several different methods. The intended method of solving this machine is the widely-known Webdav upload vulnerability.	● Basic knowledge of Windows ● Enumerating ports and services	● Identifying known vulnerabilities ● Identifying stable processes ● Basic Windows privilege escalation techniques	https://www.youtube.com/watch?v=ZfPVGJGkORQ
Grandpa	3.7	YES	YES	Grandpa is one of the simpler machines on Hack The Box, however it covers the widely-exploited CVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousands of IIS servers around the globe when it became public knowledge.	● Basic knowledge of Windows ● Enumerating ports and services	● Identifying known vulnerabilities ● Identifying stable processes ● Basic Windows privilege escalation techniques	https://www.youtube.com/watch?v=ZfPVGJGkORQ
Optimum	3.7	YES	YES	Optimum is a beginner-level machine which mainly focuses on enumeration of services with known exploits. Both exploits are easy to obtain and have associated Metasploit modules, making this machine fairly simple to complete.	● Basic knowledge of Windows ● Enumerating ports and services	● Identifying vulnerable services ● Identifying known exploits ● Basic Windows privilege escalation techniques	https://www.youtube.com/watch?v=kWTnVBIpNsE
Devel	3.7	YES	YES	Devel, while relatively simple, demonstrates the security risks associated with some default program configurations. It is a beginner-level machine which can be completed using publicly available exploits.	● Basic knowledge of Windows ● Enumerating ports and services	● Identifying vulnerable services ● Exploiting weak credentials ● Basic Windows privilege escalation techniques	https://www.youtube.com/watch?v=2LNyAbroZUk
Chatterbox	4.0		YES
Bounty	4.8		YES
Bastard	5.0		YES
Jeeves	5.0		YES
Silo	5.2		YES
Reel	6.1
Bart	6.3
Tally	6.5
Arctic			YES
Conceal			YES
Forest			YES
BankRobber			YES
Active
Mantis
Sizzle
Sniper
Heist
Netmon			YES
Sauna
Resolute