InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


The Ultimate Guide to VulnHub Machines for Beginners: Master Network & Web Pentesting

Himanshu Bomble, published in InfoSec Write-ups
4 min read · Mar 1, 2025


Introduction: Why VulnHub?

If you’re a beginner in Vulnerability Assessment and Penetration Testing (VAPT), you’ve probably asked:
“Where do I start?”

VulnHub provides a free and safe environment to practice real-world hacking skills. Whether you’re aiming to master Linux enumeration, web security, or CMS vulnerabilities, there’s a VulnHub machine for you.

In this guide, I’ve handpicked the best machines to help you build a solid VAPT foundation step by step.

Let’s dive in!

1. Network Security: Linux Enumeration & Exploitation

If you’re new to network pentesting, start with these Linux-based machines to develop skills in enumeration, privilege escalation, and exploitation.


Beginner-Friendly Machines

DC-1 — Learn basic enumeration & privilege escalation.
Kioptrix: Level 1 — A classic beginner machine focusing on Linux services.
Basic Pentesting: 1 — Great for Linux enumeration & SSH exploitation.

Intermediate Machines

DC-2 — Builds on DC-1, teaching deeper enumeration techniques.
Stapler: 1 — Features multiple attack vectors (SSH, SMB, misconfigurations).
Empire: LupinOne — Learn network misconfigurations & Linux privilege escalation.

🛠 Tools to Use: Nmap, Gobuster, Nikto, LinPEAS, GTFOBins

2. Web Security: SQLi, LFI, RCE & Admin Takeover

Want to break into web security? These labs will teach you SQL Injection, Local File Inclusion (LFI), Remote Code Execution (RCE), and admin panel takeovers.


Beginner Machines

billu: b0x — Covers SQLi, RCE & file uploads.
FristiLeaks: 1.3 — Learn LFI & privilege escalation.
HA: Infinity Stones — Exploit SQLi, LFI, and RCE vulnerabilities.

Intermediate Machines

Sidney: 0.2 — Focuses on admin panel takeover & SQLi.
Thales: 1 — Learn advanced web pentesting techniques.
Deathnote: 1 — Exploit web-based misconfigurations to gain access.

🛠 Tools to Use: Burp Suite, SQLmap, WFuzz, Nikto, FFUF

3. CMS Security: Exploiting WordPress & Other CMS

CMS platforms (like WordPress, Joomla, and Drupal) are commonly targeted in real-world attacks. These machines help you exploit CMS vulnerabilities, outdated plugins, and misconfigurations.


Best CMS Exploitation Machines

VulnCMS: 1 — Great for beginners, covering CMS enumeration.
Mr. Robot: 1 — Inspired by the TV show Mr. Robot; focuses on WordPress security.
DC: 6 — A CMS-based challenge requiring enumeration & privilege escalation.
Droopy: v0.2 — Exploits a lesser-known CMS with multiple vulnerabilities.
Pinky’s Palace: v1 — A multi-vector CMS exploitation challenge.

🛠 Tools to Use: WPScan, Droopescan, Joomscan, Nikto

4. Advanced Machines: Take Your Skills to the Next Level

Once you’re comfortable with basic and intermediate labs, challenge yourself with these harder machines to improve lateral movement, privilege escalation, and advanced enumeration.


Hardest Machines on VulnHub (above intermediate)

Empire: Breakout — Learn advanced privilege escalation techniques.
doubletrouble: 1 — Features multiple misconfigurations leading to root access.
Vikings: 1 — Covers various attack vectors & lateral movement.
Hacksudo: FOG — Mix of web & Linux privilege escalation.
Hacksudo: Thor — Explores unique privilege escalation techniques.

🔥 Pro Tip: Don’t just exploit the machines — document your process. Write reports, post write-ups, or share your journey on Medium/LinkedIn!

Next Steps: How to Progress in VAPT?

1️⃣ Start with:

  • DC-1, Kioptrix Level 1, Basic Pentesting: 1 (for Linux enumeration & privilege escalation).
  • billu: b0x, FristiLeaks, HA: Infinity Stones (for web pentesting).

2️⃣ Move to Intermediate Machines:

  • DC: 6, Mr. Robot, Pinky’s Palace (for CMS exploitation).

3️⃣ Take on the Advanced Challenges:

  • Empire: Breakout, Hacksudo: Thor, Vikings: 1 (for hardcore pentesting skills).

🎯 Final Thoughts: Why You Should Try These Machines

Builds Real-World Skills — Learn what’s used in actual pentesting engagements.
Prepares You for Certifications — Helps in CEH, OSCP, PNPT, eJPT, and more.
Enhances Your Resume — Write CTF write-ups & showcase them to employers.

🔥 Ready to become a VAPT expert? Start hacking, document your findings, and share your progress with the community!

📢 If you found this helpful, share it with other cybersecurity learners! Let’s grow together in the infosec world!

That’s all for now, folks! If you found this guide helpful, drop a comment, share it, and let’s keep hacking!

🔗 Connect with me on: LinkedIn
