After some research I created this personal “to do” list of recommended / famous / must-solve Boot2Root machines from Vulnhub and HTB focused mainly on OSCP preparation.
The list is NOT only about machines similar to OSCP. It also includes machines that are way easier or harder than OSCP but are worth solving as and you will definitely learn something new from each one.
It is recommended to solve at least 50 machines from Vulnhub & HTB before you dive for your OSCP exam.
While solving them don’t forget to avoid using Automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja etc.) as the exam forbids them. (https://support.offensive-security.com/oscp-exam-guide/)
Also try to avoid Metasploit as you are allowed to use it only on one machine in the exam. So you should better avoid it while solving machines.
Don’t forget to check these two awesome courses focused specifically on OSCP prep.
Cybrary OSCP Course
INE OSCP Security Technology Course
Also check the following links I have collected with useful OSCP related stuff.
OSCP-Survival-Guide
TJnull’s Preparation Guide for PWK/OSCP
Github OSCP Prep
OSCP survival guide
Github OSCP Prep 2
Total OSCP guide
OSCP Basic notes
Newbie to OSCP
How to Pass OSCP Like Boss.
Passing OSCP – scund00r
OSCP useful resources and tools
OSCP Human Guide
How to pass the OSCP
A curated list of awesome OSCP resources
A reconnaissance tool made for the OSCP labs
HackTheBox OSCP-like Machines
PS: HTB machines are categorized by platform Windows/Linux and are sorted by difficulty. OSCP-like machines are reported by users to usually be bellow 5 in the HTB difficulty scale.
Vulnhub Linux Machines
| Name | Difficulty (My rating) | Completed | Short Notes (No spoilers) | Recommended writeup |
|---|---|---|---|---|
| DeRKnStiNK 1 | Easy - Beginner | YES | CTFish, Flags, Web | https://emaragkos.gr/vulnhub-writeups/vulnhub-derknstink-1-walkthrough/ |
| RICKdiculouslyEasy 1 | Easy - Beginner | YES | Really CTFish, Flags, Enumeration, Web, RCE, Bruteforce, Stego, Fun to solve | https://emaragkos.gr/vulnhub-writeups/rickdiculouslyeasy-1-vulnhub-walkthrough/ |
| covfefe: 1 | Easy - Beginner | YES | CTFish, Flags, Enumeration, Bruteforce, Interesting noob friendly intro to BOF | https://emaragkos.gr/vulnhub-writeups/vulnhub-covfefe-walkthrough/ |
| Dina: 1.0.1 | Easy - Beginner | YES | Web, Not really original | https://emaragkos.gr/vulnhub-writeups/dina-101-vulnhub-walkthrough/ |
| LazySysAdmin 1.0 | Easy - Beginner | YES | CTFish, Flags, Web, SMB | https://emaragkos.gr/vulnhub-writeups/lazysysadmin-1-0-vulnhub-walkthrough/ |
| FristiLeaks: 1.3 | Easy - Beginner | YES | CTFish, Enumeration, Web, Cryptography, Interesting PrivEsc | https://5h4d0wb0y.github.io/2017-04-10-fristileaks/ |
| HackInOS: 1 | Intermediate | YES | OSCP-prep, Awesome machine, Original, Web, Coding, Fuzzing, Bruteforce, Interesting PrivEsc, Pivoting | https://ethicalhackers.club/hackinos-level-1-vulnhub-complete-walkthrough-guide/ |
| JIS-CTF | Extremely Easy | YES | Not really original, Poor challenges, Bad English, CTFish, Flags, Web, Enumeration | https://medium.com/@w3rallmachines/jis-ctf-vulnupload-vulnhub-walkthrough-b33ba57b2be0 |
| Lord Of The Root: 1.0.1 | Intermediate - Advanced | NO (I tried, not ready yet) | OSCP-prep, Awesome machine, Original, Enumeration, Port Knocking, Web, Multiple ways for PrivESC with Advanced ASLR BOF or MYSQL | https://barnyserver.com/ctf/2018/03/ctf-lord-of-the-root-1-0-1/ |
| Mr-Robot: 1 | Easy - Intermediate | YES | CTFish, Flags, Enumeration, Bruteforce, Interesting PrivEsc | https://nikolaskama.me/mr-robot-1-writeup/ |
| SkyTower: 1 | Easy - Intermediate | YES | CTFish, Enumeration, Web, SQLi filtering, Proxy | https://highon.coffee/blog/skytower-walkthrough/ |
| The Necromancer: 1 | ||||
| Sokar: 1 | ||||
| SolidState: 1 | ||||
| Stapler: 1 | Easy - Intermediate | YES | CTFish, Flags, Enumeration, Bruteforce, Web, Rabbit Holes | https://www.mrb3n.com/?p=81 |
| Tommy Boy: 1 | ||||
| HackLAB: Vulnix | Intermediate - Advanced | NO (I tried, not ready yet) | Focuced on enumeration, Many ports, Interesting and more advanced enumeration than most of the machines, Requires solid understanding of Linux | https://www.rebootuser.com/?p=988 |
| zico2: 1 | ||||
| WinterMute: 1 | ||||
| Pegasus: 1 | Intermediate | NO (I tried, not ready yet) | OSCP-prep, Original, Web, Enumeration, BOF | https://g0blin.co.uk/pegasus-vulnhub-writeup/ |
| Homeless: 1 | ||||
| pWnOS: 2.0 (Pre-Release) | ||||
| /dev/random: scream | ||||
| W1R3S: 1.0.1 | ||||
| pluck: 1 | ||||
| OwlNest: 1.0.2 | ||||
| GoldenEye: 1 | Intermediate | YES | OSCP-prep, Enumeration, Bruteforce, Really CTFish, Interesting WebApp Exploitation, Typical PrivEsc with a few catches. | http://www.anonhack.in/2018/07/goldeneye-1-walkthrough-vulnhub-vulnerable-machine/ |
| g0rmint: 1 | ||||
| W34kn3ss: 1 | ||||
| digitalworld.local: MERCY v2 | ||||
| digitalworld.local: BRAVERY | ||||
| Toppo: 1 | ||||
| Bob: 1.0.1 | ||||
| NullByte: 1 | ||||
| Lin.Security: 1 | ||||
| unknowndevice64: 1 | ||||
| Brainpan: 1 | NO (I tried, not ready yet) | |||
| Brainpan: 2 | ||||
| Brainpan: 3 | ||||
| Breach: 1 | ||||
| Breach: 2.1 | ||||
| Breach: 3.0.1 | ||||
| Hackademic: RTB1 | Easy - Beginner | YES | Realistic, Outdated software, Enumeration, Web, Common Priv Esc | https://chousensha.github.io/blog/2016/07/18/pentest-lab-hackademic-rtb1/ |
| Hackademic: RTB2 | ||||
| Kioptrix: Level 1 (#1) | Easy - Beginner | YES | Meh, not really original | https://emaragkos.gr/vulnhub-writeups/kioptrix-level-1-vulnhub-walkthrough/ |
| Kioptrix: Level 1.1 (#2) | Easy - Beginner | YES | Web, SQLi, RCE | https://www.abatchy.com/2016/12/kioptrix-2-walkthrough-vulnhub |
| Kioptrix: Level 1.2 (#3) | ||||
| Kioptrix: Level 1.3 (#4) | ||||
| Kioptrix: 2014 (#5) | ||||
| SickOs: 1.1 | Easy - Beginner | YES | Creator mentions that "This vm is very similar to labs I faced in OSCP." Personally I found it pretty easy compared to other machines that mention the same thing. CTFish, Enumeration, Web, Not really original except the proxy thing (no spoilers). | https://www.youtube.com/watch?v=kkHYPRmS4kw |
| SickOs: 1.2 | ||||
| billu: b0x | ||||
| billu: b0x 2 | ||||
| Tr0ll: 1 | Easy - Beginner | YES | Creator mentions that "Tr0ll was inspired by the constant trolling of the machines within the OSCP labs. " Personally I found it pretty easy compared to other machines that claim that are OSCP-like. CTFish, Enumeration, Web, Trolling, Basic Priv Esc | https://www.sw1tch.net/2014/08/16/walkthrough-for-tr0ll-1/ |
| Tr0ll: 2 |
Vulnhub Windows Machines
| Name | Difficulty (My rating) | Completed | Short notes (No Spoilers) | Recommended writeup |
|---|---|---|---|---|
| Bobby: 1 | ||||
| /dev/random: scream |
IppSecs’ videos categorized by OS and difficulty!
Search IppSecs’ videos context by text!
HackTheBox Linux Machines
| Name | Difficulty (HTB rating) | Completed | Short Notes (No spoilers) | Skills Required | Skills Learned | Recommended writeup |
|---|---|---|---|---|---|---|
| Lame | 2.7 | YES | Lame is a beginner level machine, requiring only one exploit to obtain root access. It was the first machine published on Hack The Box and was often the first machine for new users prior to its retirement. | ● Basic knowledge of Linux ● Enumerating ports and services | ● Identifying vulnerable services ● Exploiting Samba | https://www.youtube.com/watch?v=Ru8YxARNS7M |
| Bashed | 3.5 | YES | Bashed is a fairly easy machine which focuses mainly on fuzzing and locating important files. As basic access to the crontab is restricted. | ● Basic knowledge of Linux ● Enumerating ports and services | ● Basic web fuzzing techniques ● Locating recently modified files | https://www.youtube.com/watch?v=2DqdPcbYcy8 |
| Nibbles | 3.7 | YES | Nibbles is a fairly simple machine, however with the inclusion of a login blacklist, it is a fair bit more challenging to find valid credentials. Luckily, a username can be enumerated and guessing the correct password does not take long for most. | ● Basic knowledge of Linux ● Basic understanding of web | ● Enumerating web applications ● Guessing probable passwords enumeration techniques ● Bypassing login rate limiting ● Exploiting NOPASSWD | https://www.youtube.com/watch?v=s_0GcRGv6Ds |
| Mirai | 3.8 | YES | Mirai demonstrates one of the fastest-growing attack vectors in modern times; improperly configured IoT devices. This attack vector is constantly on the rise as more and more IoT devices are being created and deployed around the globe, and is actively being exploited by a wide variety of botnets. Internal IoT devices are also being used for long-term persistence by malicious actors. | ● Intermediate knowledge of Linux ● Enumerating ports and services ● Basic knowledge of the Mirai botnet | ● Identifying an IoT device ● Forensic file recovery | https://www.youtube.com/watch?v=SRmvRGUuuno |
| Shocker | 3.8 | YES | Shocker, while fairly simple overall, demonstrates the severity of the renowned Shellshock exploit, which affected millions of public-facing servers. | ● Basic knowledge of Linux ● Exploiting NOPASSWD | ● Exploiting shellshock ● Enumerating ports and services | https://www.youtube.com/watch?v=IBlTdguhgfY |
| Beep | 3.9 | YES | Beep has a very large list of running services, which can make it a bit challenging to find the correct entry method. This machine can be overwhelming for some as there are many potential attack vectors. Luckily, there are several methods available for gaining access. | ● Basic knowledge of Linux ● Enumerating ports and services | ● Web-based fuzzing ● Identifying known exploits ● Exploiting local file inclusion vulnerabilities | https://www.youtube.com/watch?v=XJmBpOd__N8 |
| Sense | 3.9 | |||||
| Poison | 3.9 | |||||
| Sunday | 4.1 | |||||
| Valentine | 4.2 | |||||
| Solidstate | 4.3 | |||||
| Popcorn | 4.3 | |||||
| Cronos | 4.4 | |||||
| Haircut | 4.7 | |||||
| Nineveh | 5.4 | |||||
| Node | 6.2 | |||||
| TartarSauce | 6.2 | |||||
| Brainfuck | 6.8 | |||||
| Kotarak | 6.9 |
HackTheBox Windows Machines
| Name | Difficulty (HTB rating) | Completed | Short Notes (No spoilers) | Skills Required | Skills Learned | Recommended writeup |
|---|---|---|---|---|---|---|
| Legacy | 2.4 | YES | Legacy is a fairly straightforward beginner-level machine which demonstrates the potential security risks of SMB on Windows. Great place to start even if this is your first machine ever. As the name says is about a Legacy OS and a good old rockstar of exploits, the infamous ms08_067_netapi. | ● Basic knowledge of Windows ● Enumerating ports and services | ● Identifying vulnerable services ● Exploiting SMB | https://www.youtube.com/watch?v=wOeYLZazLGI |
| Blue | 2.5 | YES | A really simple machine that shows the power of ms17_010_eternalblue. Another rockstar exploit that you should definitely know how to handle. Nothing fancy here but still a really nice machine for beginners. | ● Basic knowledge of Windows ● Enumerating ports and services | ● Identifying Windows targets using SMB ● Exploit modification (optional) | https://www.youtube.com/watch?v=YRsfX6DW10E |
| Jerry | 2.9 | YES | Although Jerry is one of the easier machines on Hack The Box, it is realistic as Apache Tomcat is often found exposed and configured with common or weak credentials. Simple machine, Basic enumeration, Introduction to msfvenom, Easy privsec | ● Basic Python/Ruby etc. or familiarity with web brute force attack tools | ● Basic script debugging ● Custom war file payload creation ● SILENTTRINITY post-exploitation framework installation and usage (courtesy of IppSec Jerry video) | https://www.youtube.com/watch?v=PJeBIey8gc4 |
| Granny | 3.6 | YES | Granny, while similar to Grandpa, can be exploited using several different methods. The intended method of solving this machine is the widely-known Webdav upload vulnerability. | ● Basic knowledge of Windows ● Enumerating ports and services | ● Identifying known vulnerabilities ● Identifying stable processes ● Basic Windows privilege escalation techniques | https://www.youtube.com/watch?v=ZfPVGJGkORQ |
| Grandpa | 3.7 | YES | Grandpa is one of the simpler machines on Hack The Box, however it covers the widely-exploited CVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousands of IIS servers around the globe when it became public knowledge. | ● Basic knowledge of Windows ● Enumerating ports and services | ● Identifying known vulnerabilities ● Identifying stable processes ● Basic Windows privilege escalation techniques | https://www.youtube.com/watch?v=ZfPVGJGkORQ |
| Optimum | 3.7 | YES | Optimum is a beginner-level machine which mainly focuses on enumeration of services with known exploits. Both exploits are easy to obtain and have associated Metasploit modules, making this machine fairly simple to complete. | ● Basic knowledge of Windows ● Enumerating ports and services | ● Identifying vulnerable services ● Identifying known exploits ● Basic Windows privilege escalation techniques | https://www.youtube.com/watch?v=kWTnVBIpNsE |
| Devel | 3.7 | YES | Devel, while relatively simple, demonstrates the security risks associated with some default program configurations. It is a beginner-level machine which can be completed using publicly available exploits. | ● Basic knowledge of Windows ● Enumerating ports and services | ● Identifying vulnerable services ● Exploiting weak credentials ● Basic Windows privilege escalation techniques | https://www.youtube.com/watch?v=2LNyAbroZUk |
| Chatterbox | 4.0 | |||||
| Bounty | 4.8 | |||||
| Bastard | 5.0 | |||||
| Jeeves | 5.0 | |||||
| Silo | 5.2 | |||||
| Reel | 6.1 | |||||
| Bart | 6.3 | |||||
| Tally | 6.5 |