Recommended Boot2Root Machines

After some research I created this personal “to-do” list of recommended/famous/must-solve/you name it, Boot2Root machines from Vulnhub HTB and a few other sources mainly focused on OSCP preparation.

The list is NOT only about machines similar to OSCP but is focused on preparing for it.
It includes machines that are way easier or harder than OSCP but are worth solving as you will definitely learn something new from each one, practice and get more confident about your skills.
My suggestion is to solve at least 50 machines from Vulnhub & HTB before you dive for your OSCP exam.

While solving them don’t forget to avoid using Automatic exploitation tools such as SQLmap as the exam forbids them. (https://support.offensive-security.com/oscp-exam-guide/) and also try to avoid Metasploit as you are allowed to use it only on one machine in the exam and besides that doing it the manual way is always better for educational purposes.

 Resources   Labs   Important notes 
 Don’t forget to check these awesome courses focused specifically on OSCP prep. 

-> Udemy Practical Ethical Hacking

Most students struggle with Privilege Escalation : Check these awesome courses from Tib3rius and The Cyber Mentor on Udemy
https://www.udemy.com/course/linux-privilege-escalation/
https://www.udemy.com/course/windows-privilege-escalation/
https://www.udemy.com/course/windows-privilege-escalation-for-beginners/

 Also check the following links I have collected with useful OSCP related stuff. 

OSCP-Survival-Guide
TJnull’s Preparation Guide for PWK/OSCP
Github OSCP Prep
OSCP survival guide
Github OSCP Prep 2
Total OSCP guide
OSCP Basic notes
OSCP Fun Guide
Guide for OSCP with chapters
Newbie to OSCP
How to Pass OSCP Like Boss.
Passing OSCP – scund00r
OSCP useful resources and tools
OSCP Human Guide
How to pass the OSCP
A curated list of awesome OSCP resources
A reconnaissance tool made for the OSCP labs
HackTheBox OSCP-like Machines

 TryHackMe offers a great practical course specifically for OSCP preparation. 

The OSCP learning path is great for either pre-preperation prior to purchasing the OSCP course or to help re-consolidate your knowledge whilst following the official OSCP resources. It includes 18 boxes (for now) that also cover Windows Privilege Escalation and Buffer Overflow / Reversing topics that are kinda rare to find on Vulnuhub.
https://tryhackme.com/paths
Read my review here: https://emaragkos.gr/infosec-adventures/tryhackme-oscp-preparation-path-review/

 Virtual Hacking Labs (VHL) is an awesome way to practice for OSCP. 

Besides the awesome lab with more than 40 realistic boxes, you will get a 370+ page courseware that is one of the best resources I have found out there.
Read my review here: https://emaragkos.gr/infosec-adventures/virtual-hacking-labs-review-oscp-prep/

 All OSCP-similar boxes (Vulnhub – HTB) are confirmed by NetSecFocus
Latest OSCP-similar confirmed boxes update: (March 2020). 

Vulnhub Linux Machines

NameDifficultyCompletedOSCP-prep ConfirmedShort Notes (No big spoilers)Recommended writeup
RICKdiculouslyEasy 1EasyYESYESReally CTFish, Flags, Enumeration, Web, RCE, Bruteforce, Stego, Fun to solve
https://emaragkos.gr/vulnhub-writeups/rickdiculouslyeasy-1-vulnhub-walkthrough/
pWnOS: 2.0 (Pre-Release)EasyYESYESRealistic, Web, Enumeration, Easy SQLihttps://medium.com/infosec-adventures/pwnos-2-0-walkthrough-fc2e4ef1ad55
SickOs: 1.1EasyYESCreator mentions that "This vm is very similar to labs I faced in OSCP." Personally I found it pretty easy compared to other machines that mention the same thing. CTFish, Enumeration, Web, Not really original except the proxy thing (no spoilers). https://www.youtube.com/watch?v=kkHYPRmS4kw
SickOs: 1.2EasyYES
Dina: 1.0.1EasyYESYESWeb, Not really originalhttps://emaragkos.gr/vulnhub-writeups/dina-101-vulnhub-walkthrough/
LazySysAdmin 1.0EasyYESCTFish, Flags, Web, SMBhttps://emaragkos.gr/vulnhub-writeups/lazysysadmin-1-0-vulnhub-walkthrough/
JIS-CTFEasyYESNot really original, Poor challenges, Bad English, CTFish, Flags, Web, Enumerationhttps://medium.com/@w3rallmachines/jis-ctf-vulnupload-vulnhub-walkthrough-b33ba57b2be0
Stapler: 1EasyYESYESCTFish, Flags, Enumeration, Bruteforce, Web, Rabbit Holeshttps://www.mrb3n.com/?p=81
unknowndevice64: 1EasyYESCTFish, Web, Stego, Bruteforce, Web, Rabbit Holes, Restricted shellhttps://www.hackingarticles.in/unknowndevice64-1-vulnhub-lab-walkthrough/
NullByte: 1EasyYESYESCTFish, Web, Enum, Stego, Fuzzing, SQLi, Interesting Priv Eschttps://www.hackingarticles.in/hack-nullbyte-vm-ctf-challenge/
billu: b0xEasyYES
billu: b0x 2EasyYESEnumeration, Web, CVE, Common easy priv eschttps://www.hackingarticles.in/hack-the-billu-b0x-2-vm-boot-to-root/
pluck: 1EasyYESRealistic, Web, LFI, Outdated software, Not that easy, I would rate mediumhttps://mrh4sh.github.io/pluck-solution
Toppo: 1EasyYESYESWeb, Enumeration, Common Priv Esc, Really easy and simple boxhttps://medium.com/@ikuamike/toppo-1-vulnhub-vm-writeup-6ef37586345e
g0rmint: 1Easy
MisdirectionEasyYESWeb, Enumeration, Common Priv Esc, Easy and simple boxhttps://purpl3f0xsec.tech/2019/10/04/Vulnhub-misdirection.html
Hackme 1EasyYESYESReally really really easy box, Web, Enumeration, Easy SQLihttps://www.hackingarticles.in/hackme-1-vulnhub-walkthrough/
Hackademic: RTB1EasyYESRealistic, Really Outdated software, Enumeration, Web, Common Priv Eschttps://chousensha.github.io/blog/2016/07/18/pentest-lab-hackademic-rtb1/
Tr0ll: 1EasyYESReally CTFish, Rabbit Holes, Trolling, Enumeration, Web, Trolling again, Basic Priv Eschttps://www.sw1tch.net/2014/08/16/walkthrough-for-tr0ll-1/
Kioptrix: Level 1 (#1)EasyYESYESMeh, not really originalhttps://emaragkos.gr/vulnhub-writeups/kioptrix-level-1-vulnhub-walkthrough/
Kioptrix: Level 1.1 (#2)EasyYESYESWeb, SQLi, RCEhttps://www.abatchy.com/2016/12/kioptrix-2-walkthrough-vulnhub
Kioptrix: Level 1.2 (#3)EasyYESYESEnumeration, Web, CVE, SQLi, RCE, Common priv eschttps://www.abatchy.com/2016/12/kioptrix-3-walkthrough-vulnhub
Kioptrix: Level 1.3 (#4)EasyYESYESEnumeration, Web, SQLi, Restricted shell, Common priv eschttps://jhalon.github.io/vulnhub-kioptrix4/
Kioptrix: 2014 (#5)EasyYESYESWeb, Enumeration, FreeBSD, CVE, LFI, RCE, Common priv eschttps://www.abatchy.com/2017/01/kioptrix-2014-5-walkthrough-vulnhub
Tr0ll: 2MediumNO (I tried, not ready yet, BOF)YESKinda stupid CTFish, Rabbit Holes, Trolling, Enumeration, Web, Trolling again, BOF Priv Eschttps://www.doyler.net/security-not-included/tr0ll-2-walkthrough-you-gotta-pay-the-troll-toll
DeRKnStiNK 1MediumYESYESCTFish, Flags, Webhttps://emaragkos.gr/vulnhub-writeups/vulnhub-derknstink-1-walkthrough/
covfefe: 1MediumYESCTFish, Flags, Enumeration, Bruteforce, Interesting noob friendly intro to BOFhttps://emaragkos.gr/vulnhub-writeups/vulnhub-covfefe-walkthrough/
FristiLeaks: 1.3MediumYESYESCTFish, Enumeration, Web, Cryptography, Interesting PrivEschttps://5h4d0wb0y.github.io/2017-04-10-fristileaks/
HackInOS: 1MediumYESYESAwesome machine, Original, Web, Coding, Fuzzing, Bruteforce, Interesting PrivEsc, Pivotinghttps://www.hackingarticles.in/hackinos1-vulnhub-lab-walkthrough/
https://pentestmafia.github.io/Vulnhub/writeup/hackinos1.html
Lord Of The Root: 1.0.1MediumNO (I tried, not ready yet)YESAwesome machine, Original, Enumeration, Port Knocking, Web, Multiple ways for PrivESC with Advanced ASLR BOF or MYSQLhttps://barnyserver.com/ctf/2018/03/ctf-lord-of-the-root-1-0-1/
Mr-Robot: 1MediumYESYESCTFish, Flags, Enumeration, Bruteforce, Interesting PrivEschttps://nikolaskama.me/mr-robot-1-writeup/
SkyTower: 1MediumYESYESCTFish, Enumeration, Web, SQLi filtering, Proxyhttps://highon.coffee/blog/skytower-walkthrough/
Tommy Boy: 1MediumNO (Extremely CTF-ish, got bored, gave up and just read a writeup) YESExtremely CTF-ish, A lot of enumeration, Bruteforce, Web, Rabbit Holeshttps://g0blin.co.uk/tommy-vulnhub-writeup/
zico2: 1MediumYESYESCTFish, Enumeration, Web, LFI, CVEhttps://www.hackingarticles.in/hack-zico2-vm-ctf-challenge/
W1R3S: 1.0.1Medium
GoldenEye: 1MediumYESYESEnumeration, Bruteforce, Really CTFish, Interesting WebApp Exploitation, Typical PrivEsc with a few catches.http://www.anonhack.in/2018/07/goldeneye-1-walkthrough-vulnhub-vulnerable-machine/
W34kn3ss: 1MediumYESYESEnumeration, Web, CVE, Weak Encryption, Interesting PrivEschttps://www.hackingarticles.in/w34kn3ss-1-vulnhub-lab-walkthrough/
Bob: 1.0.1MediumYESYESEnumeration, Web, Command Injection, Pretty chaotic path to priv esc that in the end is just commonhttps://medium.com/@falconspy/bob-1-0-1-vulnhub-walkthrough-c0f61d3380d1
Hackademic: RTB2MediumYESRealistic, Really Outdated software, Enumeration, Web, SQLi, Port Knocking, Common Priv Eschttps://www.hackingarticles.in/hack-the-hackademic-rtb2-boot2root/
symfonos: 1MediumYESYESAwesome box, Highly recommended, Web, SMB, SMTP, LFI to RCE, Typical priv esc https://www.hackingarticles.in/symfonos1-vulnhub-walkthrough/
symfonos: 2MediumYESYESAwesome box, Highly recommended, Web, SMB, Pivoting, CVE, Typical priv esc https://0x23b.github.io/posts/vulnhub/2019-08-09-vulnhub_symfonos_2_writeup/
symfonos: 3MediumYESYESAwesome box, Highly recommended, Web, Enumeration, Shellshock, Sniffinghttps://blog.mzfr.me/vulnhub-writeups/2019-07-20-symfonos3
symfonos: 4MediumYES
symfonos: 5MediumYES
Super Mario Host: 1.0.1MediumPivoting
PwnlabMediumYES
Temple of DoomMediumYES
Web Developer 1MediumYES
Escalete_Linux 1MediumYES
DC6MediumYES
DC9MediumYESAwesome box, Web, SQLi, LFI, Port Knocking, Bruteforcing, Interesting Priv Eschttps://www.youtube.com/watch?v=_Aa8125CQ0g
The Necromancer: 1Hard
HackLAB: VulnixHardNO (I tried, not ready yet)YESFocuced on enumeration, Many ports, Interesting and more advanced enumeration than most of the machines, Requires solid understanding of Linuxhttps://www.rebootuser.com/?p=988
WinterMute: 1HardYES
Pegasus: 1HardNO (I tried, not ready yet)YESOriginal, Web, Enumeration, BOFhttps://g0blin.co.uk/pegasus-vulnhub-writeup/
Prime 1HardYES
Breach: 1HardYES
Breach: 2.1HardYESYESIndeed a difficult box, CTFish, Multiple steps for rooting it, Getting shell with XSS, I must say I didn't really enjoy it because it had many guessing partshttps://reedphish.wordpress.com/2016/10/16/breach-2-1-walkthrough/
Breach: 3.0.1HardYES
Sokar: 1
SolidState: 1MediumYESYESWeb, SMPT, CVE, rbash, Common priv esc with a few twistshttps://0x00sec.org/t/htb-solidstate-write-up/5129
OwlNest: 1.0.2
digitalworld.local: MERCY v2YES
digitalworld.local: JOY
YES
digitalworld.local: BRAVERY
YES
digitalworld.local: DEVELOPMENT
YES
Brainpan: 1NO (I tried, not ready yet)YES
Brainpan: 2
Brainpan: 3
myHouse7: 1
Tempus Fugit: 1
Kvasir: IPivoting
VulnOS 2YES
Pinkys Palace v1YES
Pinkys Palace v2YES
Sar 1EasyYESWeb, CVE, RCE, Common Priv Esc
Djinn 1
EVM 1
Prime 1YES
Nebula YES

Note: HTB machines are categorized by platform Windows/Linux and are sorted by difficulty. OSCP-like machines are reported by users to usually be bellow 5 in the HTB difficulty scale.

 IppSecs’ videos categorized by OS and difficulty! 

 Search IppSecs’ videos context by text! 

HackTheBox Linux Machines

NameDifficulty (HTB rating)CompletedOSCP-prep ConfirmedShort Notes (No spoilers)Skills RequiredSkills LearnedRecommended writeup
Lame2.7YESYESLame is a beginner level machine, requiring only one exploit to obtain root access. It was the first
machine published on Hack The Box and was often the first machine for new users prior to its
retirement.
● Basic knowledge of Linux
● Enumerating ports and services
● Identifying vulnerable services
● Exploiting Samba
https://www.youtube.com/watch?v=Ru8YxARNS7M
Bashed3.5YESYESBashed is a fairly easy machine which focuses mainly on fuzzing and locating important files. As
basic access to the crontab is restricted.
● Basic knowledge of Linux
● Enumerating ports and services
● Basic web fuzzing techniques
● Locating recently modified files
https://www.youtube.com/watch?v=2DqdPcbYcy8
Nibbles3.7YESYESNibbles is a fairly simple machine, however with the inclusion of a login blacklist, it is a fair bit
more challenging to find valid credentials. Luckily, a username can be enumerated and guessing
the correct password does not take long for most.
● Basic knowledge of Linux
● Basic understanding of web
● Enumerating web applications
● Guessing probable passwords
enumeration techniques
● Bypassing login rate limiting
● Exploiting NOPASSWD
https://www.youtube.com/watch?v=s_0GcRGv6Ds
Mirai3.8YESMirai demonstrates one of the fastest-growing attack vectors in modern times; improperly
configured IoT devices. This attack vector is constantly on the rise as more and more IoT devices
are being created and deployed around the globe, and is actively being exploited by a wide
variety of botnets. Internal IoT devices are also being used for long-term persistence by malicious
actors.
● Intermediate knowledge of Linux
● Enumerating ports and services
● Basic knowledge of the Mirai botnet
● Identifying an IoT device
● Forensic file recovery
https://www.youtube.com/watch?v=SRmvRGUuuno
Shocker3.8YESYESShocker, while fairly simple overall, demonstrates the severity of the renowned Shellshock
exploit, which affected millions of public-facing servers.
● Basic knowledge of Linux
● Exploiting NOPASSWD
● Exploiting shellshock
● Enumerating ports and services
https://www.youtube.com/watch?v=IBlTdguhgfY
Beep3.9YESYESBeep has a very large list of running services, which can make it a bit challenging to find the
correct entry method. This machine can be overwhelming for some as there are many potential
attack vectors. Luckily, there are several methods available for gaining access.
● Basic knowledge of Linux
● Enumerating ports and services
● Web-based fuzzing
● Identifying known exploits
● Exploiting local file inclusion
vulnerabilities
https://www.youtube.com/watch?v=XJmBpOd__N8
Sense3.9YES
Poison3.9YES
Sunday4.1YES
Valentine4.2YES
Solidstate4.3YES
Popcorn4.3
Cronos4.4YES
Haircut4.7
Nineveh5.4YES
Node6.2YES
TartarSauce6.2YES
Brainfuck6.8YES
Kotarak6.9
IrkedYES
FriendzoneYES
SwagshopYES
NetworkedYES
JarvisYES
OctoberYES
FrolicYES
LaCasaDePapelYES
HawkYES
MagicYES

HackTheBox Windows Machines

NameDifficulty (HTB rating)CompletedOSCP-prep ConfirmedShort Notes (No spoilers)Skills RequiredSkills LearnedRecommended writeup
Legacy2.4YESYESLegacy is a fairly straightforward beginner-level machine which demonstrates the potential
security risks of SMB on Windows. Great place to start even if this is your first machine ever. As the name says is about a Legacy OS and a good old rockstar of exploits, the infamous ms08_067_netapi.
● Basic knowledge of Windows
● Enumerating ports and services
● Identifying vulnerable services
● Exploiting SMB
https://www.youtube.com/watch?v=wOeYLZazLGI
Blue2.5YESYESA really simple machine that shows the power of ms17_010_eternalblue. Another rockstar exploit that you should definitely know how to handle. Nothing fancy here but still a really nice machine for beginners. ● Basic knowledge of Windows
● Enumerating ports and services
● Identifying Windows targets using SMB
● Exploit modification (optional)
https://www.youtube.com/watch?v=YRsfX6DW10E
Jerry2.9YESYESAlthough Jerry is one of the easier machines on Hack The Box, it is realistic as Apache Tomcat is
often found exposed and configured with common or weak credentials. Simple machine, Basic enumeration, Introduction to msfvenom, Easy privsec
● Basic Python/Ruby etc. or familiarity
with web brute force attack tools
● Basic script debugging
● Custom war file payload creation
● SILENTTRINITY post-exploitation
framework installation and usage
(courtesy of ​ IppSec Jerry video)
https://www.youtube.com/watch?v=PJeBIey8gc4
Granny3.6YESYESGranny, while similar to Grandpa, can be exploited using several different methods. The intended
method of solving this machine is the widely-known Webdav upload vulnerability.
● Basic knowledge of Windows
● Enumerating ports and services
● Identifying known vulnerabilities
● Identifying stable processes
● Basic Windows privilege escalation
techniques
https://www.youtube.com/watch?v=ZfPVGJGkORQ
Grandpa3.7YESYESGrandpa is one of the simpler machines on Hack The Box, however it covers the widely-exploited
CVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousands
of IIS servers around the globe when it became public knowledge.
● Basic knowledge of Windows
● Enumerating ports and services
● Identifying known vulnerabilities
● Identifying stable processes
● Basic Windows privilege escalation
techniques
https://www.youtube.com/watch?v=ZfPVGJGkORQ
Optimum3.7YESYESOptimum is a beginner-level machine which mainly focuses on enumeration of services with
known exploits. Both exploits are easy to obtain and have associated Metasploit modules,
making this machine fairly simple to complete.
● Basic knowledge of Windows
● Enumerating ports and services
● Identifying vulnerable services
● Identifying known exploits
● Basic Windows privilege escalation
techniques
https://www.youtube.com/watch?v=kWTnVBIpNsE
Devel3.7YESYESDevel, while relatively simple, demonstrates the security risks associated with some default
program configurations. It is a beginner-level machine which can be completed using publicly
available exploits.
● Basic knowledge of Windows
● Enumerating ports and services
● Identifying vulnerable services
● Exploiting weak credentials
● Basic Windows privilege escalation
techniques
https://www.youtube.com/watch?v=2LNyAbroZUk
Chatterbox4.0YES
Bounty4.8YES
Bastard5.0YES
Jeeves5.0YES
Silo5.2YES
Reel6.1
Bart6.3
Tally6.5
ArcticYES
ConcealYES
ForestYES
BankRobberYES
Active
Mantis
Sizzle
Sniper
Heist
NetmonYES
Sauna
Resolute