Content

• Content
• Challenges
• Smartphones
• CTF’s
• SQL injection
• Cryptography
• Binary/Reverse
• Web
  • XSS
• BugBounty
• Other categories
• Setting up smth vulnerable

Challenges

Collections of vulnerable applications and systems:

• Penetration testing practice labs - vulnerable applications and systems - awesomness
• OWASP Vulnerable Web Applications Directory Project
• McAffee HacMe sites: Hacme Bank v2.0 (2006), Hacme Bank - Android v1.0, Hacme Books v2.0 (2006), Hacme Casino v1.0 (2006), Hacme Shipping v1.0 (2006), Hacme Travel v1.0 (2006)
• Vulnerable By Design (vulnhub.com) (64Base Boot2Root (разбор на хабре (RU))) (resources)
  checkup: Kioptrix, Holynyx, Nebula, Metasploitable, DVL (damn vulnerable linux), …

Wild-world oriented:

• pentestit lab (TEST LAB 11 (lab.pentestit.ru))
• hack the box
• exploit-exercises.com (some answers)
  Some wargames better to be solved in specific sequence: Nebula -> Protostar -> Fusion
• pentesterlab (majority is paid, but some are free)
• metasploitable 2
  metasploitable 3 (minimal windows disk size = 20Gb)
• pwn0.com (position in list ???)
• enigmagroup.org

Multidirectional:

• hacking-lab.com
• ringzer0team.com
• hackerdom
• shellterlabs.com
• Challenge Land
• ctf365.com - free for 30 days
• CTFLearn
• Zeromutarts CTF
• hack.me (for beginners)
• gameofhacks.com (for beginners)
• hellboundhackers.org (blackhats ?)
• try2hack.nl (one of the oldest sites)
• w3challs
• wechall.net
• hacksplaining
• vulnerability and attack labs
• Tasks from some CTF: bakery.p.myctf.ru, matrix.p.myctf.ru, blackhat.p.myctf.ru, checker.p.myctf.ru, cats.p.myctf.ru, hipe.p.myctf.ru, devil.p.myctf.ru, grut.p.myctf.ru, coderast.p.myctf.ru, paintmaster.p.myctf.ru, god.p.myctf.ru, chat.p.myctf.ru, java-dev.p.myctf.ru, venus.p.myctf.ru, blog.p.myctf.ru:8000
• ctf365.com
• freehackquest.com

Video courses:

• Learning Exploitation with Offensive Computer Security (Spring 2014 Lectures & Videos)
• Learning Exploitation with Offensive Computer Security 2.0 (2016)

Smartphones

• DVIA (Damn Vulnerable iOS App) - vulnerable iOS app
• dineshshetty/Android-InsecureBankv2 - vulnerable Android application
• ExploitMe Mobile Android Labs
• android crackme challenge - a collection of reverse engineering challenges for learning about the Android operating system and mobile security.

CTF’s

ucsb-seclab/ictf-framework - framework for running attack-defense ctf’s
ctf framework
pwning/docs - suggestions for running a ctf

An Introduction To CTFs

• ctftime.org
• ctf.forgottensec.com

Previous ctf tasks:

• PicoCTF - you still can solve tasks from previous years
• shell-storm.org
• hackerdom
• capture.thefl.ag
• isislab/CTF-Challenges (github)
• defcon20vm

Writeups:

• CTFs - collection of ctf writeups
• grocid/CTF - collection of ctf writeups
• michailvoronov (github)
• …, google, …

SQL injection

• sql-ex.ru
• SQLZOO
• RedTiger’s Hackit
• Audi-1/sqli-labs - SQLI labs to test error based, Blind boolean based, Time based (answers)
  skyblueee/sqli-labs-php7 - update sqli-labs sources to adapte to php7
• MySQL Error-Based Injection Game v2
• SQL Injection Ninja Testing Labs (challenges for various attack approaches)
• http://test.test-me.pp.ru/

Cryptography

• cryptopals - the cryptopals crypto challenges
• Mystery Twister C3

Binary/Reverse

• List of RE and pwn wargames

Tasks:

• OverTheWire - wargames

  Some wargames better to be solved in specific sequence: Leviathan -> Narnia -> Behemoth -> Utumno -> Maze -> Vortex/Semtex -> Drifter -> Blacksun

• pwnable.kr
• pwnable.tw
• root-me.org
• smashthestack.org - wargames
• io.smashthestack.org (io) - offline
• io.smashthestack.org:8064 (io64) - offline
• io.netgarage.org - wargame
• microcorruption
• reversing.kr
• CTF-workshop - challenges for binary exploitation workshop
• crackmes.de - archive
• forkbomb.ru
• www.hackthis.co.uk
• IOarm - wargame
• crackmes.us - offline
• reversing.be - offline - cracked?
• Tasteless challenges
• reversing.kr
• hackcenter.com (for newbies ?)

Half-teaching:

• shellphish/how2heap
• RPISEC/MBE - course (lectures + labs)
• RPISEC/Malware - course (lectures + labs)
• FuzzySecurity - tutorials to write exploits for windows (and linux)
• PrimalSecurity

• radare2 - radare 2 workshop

Web

OWASP Vulnerable Web Applications Directory Project

• hackthissite.org
• cure53, XSS Challenge wiki, Older Challenges and Write Ups - awesome list of challenges
• google-gruyere.appspot.com
• hunter2.com - paid training for groups

Vulnerable applications/iso:

• Damn Vulnerable NodeJS Application (DVNA) (OWASP Top 10 2017)
• OWASP Security Shepherd - web and mobile application security training platform
• bWapp
• OWASP mutillidae, OWASP Mutillidae II - web pentest practice application
• DVWA (damn vulnerable web application
• WebGoat OWASP WebGoat project - a deliberately insecure Web Application
• hackxor
• LAMPSecurity Training
• Peruggia
• vicnum

Contests:

• Web Application Security Quiz
• hack contest (by Beched) (обсуждение)
• ctf.infosecinstitute.com - solution

XSS

• XSS game
• alert(1) to win
• prompt(1) to win
• Home · cure53/XSSChallengeWiki Wiki

• alf.nu

  • return true to win
  • alert(1) to win
  • many other interesting tasks
• XSS Puzzle
• The Token Challenge
• hackvertor
• w.myftp.org

BugBounty

• The HackerOne
• BugCrowd (or other link) - list of bug bounty programs
• Synack
• bughunt
• bugsheet

Other categories

• spoj.com - programming challenges

Setting up smth vulnerable

• heartbleed