After some research I created this personal “to do” list of recommended / famous / must-solve Boot2Root machines from Vulnhub and HTB focused mainly on OSCP preparation.
The list is NOT only about machines similar to OSCP. It also includes machines that are way easier or harder than OSCP but are worth solving as and you will definitely learn something new from each one. (If you are only interested in OSCP machines use CTRL+F “OSCP”).
It is recommended to solve at least 50 machines from Vulnhub & HTB before you dive for your OSCP exam.
While solving them avoid using Automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja etc.) as the exam forbids them. (https://support.offensive-security.com/oscp-exam-guide/)
Also try to avoid Metasploit as you are allowed to use it only on one machine in the exam. So you should better avoid it while solving machines.
PS: HTB machines are categorized by platform Windows/Linux and are sorted by difficulty. OSCP-like machines are reported by users to usually be bellow 5 in the HTB difficulty scale.
Vulnhub Linux Machines
| Name | Difficulty (My rating) | Completed | Short Notes (No spoilers) | Recommended writeup |
|---|---|---|---|---|
| DeRKnStiNK 1 | Easy - Beginner | YES | CTFish, Flags, Web | https://emaragkos.gr/vulnhub-writeups/vulnhub-derknstink-1-walkthrough/ |
| RICKdiculouslyEasy 1 | Easy - Beginner | YES | Really CTFish, Flags, Enumeration, Web, RCE, Bruteforce, Stego, Fun to solve | https://emaragkos.gr/vulnhub-writeups/rickdiculouslyeasy-1-vulnhub-walkthrough/ |
| covfefe: 1 | Easy - Beginner | YES | CTFish, Flags, Enumeration, Bruteforce, Interesting noob friendly intro to BOF | https://emaragkos.gr/vulnhub-writeups/vulnhub-covfefe-walkthrough/ |
| Dina: 1.0.1 | Easy - Beginner | YES | Web, Not really original | https://emaragkos.gr/vulnhub-writeups/dina-101-vulnhub-walkthrough/ |
| LazySysAdmin 1.0 | Easy - Beginner | YES | CTFish, Flags, Web, SMB | https://emaragkos.gr/vulnhub-writeups/lazysysadmin-1-0-vulnhub-walkthrough/ |
| FristiLeaks: 1.3 | Easy - Beginner | YES | CTFish, Enumeration, Web, Cryptography, Interesting PrivEsc | https://5h4d0wb0y.github.io/2017-04-10-fristileaks/ |
| HackInOS: 1 | Intermediate | YES | OSCP-prep, Awesome machine, Original, Web, Coding, Fuzzing, Bruteforce, Interesting PrivEsc, Pivoting | https://ethicalhackers.club/hackinos-level-1-vulnhub-complete-walkthrough-guide/ |
| JIS-CTF | Extremely Easy | YES | Not really original, Poor challenges, Bad English, CTFish, Flags, Web, Enumeration | https://medium.com/@w3rallmachines/jis-ctf-vulnupload-vulnhub-walkthrough-b33ba57b2be0 |
| Lord Of The Root: 1.0.1 | Intermediate - Advanced | NO (I tried, not ready yet) | OSCP-prep, Awesome machine, Original, Enumeration, Port Knocking, Web, Multiple ways for PrivESC with Advanced ASLR BOF or MYSQL | https://barnyserver.com/ctf/2018/03/ctf-lord-of-the-root-1-0-1/ |
| Mr-Robot: 1 | Easy - Intermediate | YES | CTFish, Flags, Enumeration, Bruteforce, Interesting PrivEsc | https://nikolaskama.me/mr-robot-1-writeup/ |
| SkyTower: 1 | Easy - Intermediate | YES | CTFish, Enumeration, Web, SQLi filtering, Proxy | https://highon.coffee/blog/skytower-walkthrough/ |
| The Necromancer: 1 | ||||
| Sokar: 1 | ||||
| SolidState: 1 | ||||
| Stapler: 1 | ||||
| Tommy Boy: 1 | ||||
| HackLAB: Vulnix | Intermediate - Advanced | NO (I tried, not ready yet) | Focuced on enumeration, Many ports, Interesting and more advanced enumeration than most of the machines, Requires solid understanding of Linux | https://www.rebootuser.com/?p=988 |
| zico2: 1 | ||||
| WinterMute: 1 | ||||
| Pegasus: 1 | Intermediate | NO (I tried, not ready yet) | OSCP-prep, Original, Web, Enumeration, BOF | https://g0blin.co.uk/pegasus-vulnhub-writeup/ |
| Homeless: 1 | ||||
| pWnOS: 2.0 (Pre-Release) | ||||
| /dev/random: scream | ||||
| W1R3S: 1.0.1 | ||||
| pluck: 1 | ||||
| OwlNest: 1.0.2 | ||||
| GoldenEye: 1 | Intermediate | YES | OSCP-prep, Enumeration, Bruteforce, Really CTFish, Interesting WebApp Exploitation, Typical PrivEsc with a few catches. | http://www.anonhack.in/2018/07/goldeneye-1-walkthrough-vulnhub-vulnerable-machine/ |
| g0rmint: 1 | ||||
| W34kn3ss: 1 | ||||
| digitalworld.local: MERCY v2 | ||||
| digitalworld.local: BRAVERY | ||||
| Toppo: 1 | ||||
| Bob: 1.0.1 | ||||
| NullByte: 1 | ||||
| Lin.Security: 1 | ||||
| unknowndevice64: 1 | ||||
| Brainpan: 1 | NO (I tried, not ready yet) | |||
| Brainpan: 2 | ||||
| Brainpan: 3 | ||||
| Breach: 1 | ||||
| Breach: 2.1 | ||||
| Breach: 3.0.1 | ||||
| Hackademic: RTB1 | Easy - Beginner | YES | Realistic, Outdated software, Enumeration, Web, Common Priv Esc | https://chousensha.github.io/blog/2016/07/18/pentest-lab-hackademic-rtb1/ |
| Hackademic: RTB2 | ||||
| Kioptrix: Level 1 (#1) | Easy - Beginner | YES | Meh, not really original | https://emaragkos.gr/vulnhub-writeups/kioptrix-level-1-vulnhub-walkthrough/ |
| Kioptrix: Level 1.1 (#2) | Easy - Beginner | YES | Web, SQLi, RCE | https://www.abatchy.com/2016/12/kioptrix-2-walkthrough-vulnhub |
| Kioptrix: Level 1.2 (#3) | ||||
| Kioptrix: Level 1.3 (#4) | ||||
| Kioptrix: 2014 (#5) | ||||
| SickOs: 1.1 | Easy - Beginner | YES | Creator mentions that "This vm is very similar to labs I faced in OSCP." Personally I found it pretty easy compared to other machines that mention the same thing. CTFish, Enumeration, Web, Not really original except the proxy thing (no spoilers). | https://www.youtube.com/watch?v=kkHYPRmS4kw |
| SickOs: 1.2 | ||||
| billu: b0x | ||||
| billu: b0x 2 | ||||
| Tr0ll: 1 | Easy - Beginner | YES | Creator mentions that "Tr0ll was inspired by the constant trolling of the machines within the OSCP labs. " Personally I found it pretty easy compared to other machines that claim that are OSCP-like. CTFish, Enumeration, Web, Trolling, Basic Priv Esc | https://www.sw1tch.net/2014/08/16/walkthrough-for-tr0ll-1/ |
| Tr0ll: 2 |
Vulnhub Windows Machines
| Name | Difficulty (My rating) | Completed | Short notes (No Spoilers) | Recommended writeup |
|---|---|---|---|---|
| Bobby: 1 | ||||
| /dev/random: scream |
IppSecs’ videos categorized by OS and difficulty!
HackTheBox Linux Machines
| Name | Difficulty (HTB rating) | Completed | Short Notes (No spoilers) | Recommended writeup |
|---|---|---|---|---|
| Lame | 2.7 | YES | https://www.youtube.com/watch?v=Ru8YxARNS7M | |
| Bashed | 3.5 | |||
| Nibbles | 3.7 | |||
| Mirai | 3.8 | YES | ||
| Shocker | 3.8 | YES | Pretty standard machine, Enumeration, Well known vulnerability (Shellshock), Easy priv esc | https://www.youtube.com/watch?v=IBlTdguhgfY |
| Beep | 3.9 | YES | Standard machine, Basic enumeration, Many ports, Common CVE, Many different ways to get in, Easy priv esc | https://www.youtube.com/watch?v=XJmBpOd__N8 |
| Sense | 3.9 | |||
| Poison | 3.9 | |||
| Sunday | 4.1 | |||
| Valentine | 4.2 | |||
| Solidstate | 4.3 | |||
| Popcorn | 4.3 | |||
| Cronos | 4.4 | |||
| Haircut | 4.7 | |||
| Nineveh | 5.4 | |||
| Node | 6.2 | |||
| TartarSauce | 6.2 | |||
| Brainfuck | 6.8 | |||
| Kotarak | 6.9 |
HackTheBox Windows Machines
| Name | Difficulty (HTB rating) | Completed | Short Notes (No spoilers) | Recommended writeup |
|---|---|---|---|---|
| Legacy | 2.4 | YES | Great place to start even if this is your first machine ever. As the name says is about a Legacy OS and a good old rockstar of exploits, the infamous ms08_067_netapi. | https://www.youtube.com/watch?v=wOeYLZazLGI |
| Blue | 2.5 | YES | A really simple machine that shows the power of ms17_010_eternalblue. Another rockstar exploit that you should definitely know how to handle. Nothing fancy here but still a really nice machine for beginners. | https://www.youtube.com/watch?v=YRsfX6DW10E |
| Jerry | 2.9 | YES | Simple machine, Basic enumeration, Introduction to msfvenom, Easy privsec | https://www.youtube.com/watch?v=PJeBIey8gc4 |
| Granny | 3.6 | |||
| Grandpa | 3.7 | |||
| Optimum | 3.7 | |||
| Devel | 3.7 | YES | Simple machine, Basic enumeration, default program configurations. beginner-level machine which can be completed using publicly available exploits. | https://www.youtube.com/watch?v=2LNyAbroZUk |
| Chatterbox | 4.0 | |||
| Bounty | 4.8 | |||
| Bastard | 5.0 | |||
| Jeeves | 5.0 | |||
| Silo | 5.2 | |||
| Reel | 6.1 | |||
| Bart | 6.3 | |||
| Tally | 6.5 |