Practice Platforms

Reading theory won't make you a better security professional.
Breaking things will.
These platforms give you legal, safe environments to develop skills without getting sued or arrested.
Hack The Box

The gold standard for offensive security labs.

What it offers:

- Active machines — regular releases, weekly reset
- Retired machines — huge library with writeups
- Pro Labs — enterprise network simulations
- Fortress — long-form challenge chains
- Academy — structured learning (paid)

```bash
# Getting started on HTB
# 1. Connect via VPN (download .ovpn from your profile)
sudo openvpn htb-eu-free.ovpn
# 2. Verify connection
ping -c 4 10.10.10.1
# 3. Start with easy Linux machines first
# Lame, Devel, Beep — classic starters
```

HTB tips:

- Start with easy Linux boxes, not Windows
- Read IppSec's walkthroughs AFTER you've spent real time trying
- The forums have spoiler tags — use them responsibly
- Don't ask for flags in Discord — you'll get roasted

TryHackMe

More structured and more beginner-friendly than HTB.

Key rooms for beginners:

- Linux Fundamentals — if you need terminal practice
- Web Hacking Fundamentals — web recon to exploitation
- OWASP Top 10 — the most common vulns, hands-on
- Advent of Cyber — annual event, great for newbies
- Pre-Security Path — the absolute basics

THM tips:

- The learning paths are well-structured — follow them in order
- Rooms are available without subscription (limited)
- Subscribe for a month, crush everything, then cancel

CTF Platforms

Capture The Flag competitions — timed hacking challenges.

CTFtime

The calendar for all CTF competitions worldwide.

```bash
# Bookmark this — it's your CTF schedule
# https://ctftime.org/
```

PicoCTF

Best beginner CTF, run by Carnegie Mellon.

- Educational challenges with hints
- Categories: web, crypto, binary, forensics
- Runs yearly, challenges stay up after the event

OverTheWire

Wargames — SSH-based challenges that teach specific skills.

```bash
# Bandit — Linux command line basics (start here)
ssh bandit0@bandit.labs.overthewire.org -p 2220
# Password: bandit0
```

Bug Bounty Platforms

- HackerOne — biggest platform, diverse programs, good for beginners
- Bugcrowd — structured submissions, public and private programs
- Intigriti — EU-focused, good for European residents
- YesWeHack — French platform, growing rapidly
- Open Bug Bounty — no monetary rewards, good for building a report portfolio

```bash
# Finding beginner-friendly programs:
# - Filter by "VDP" (Vulnerability Disclosure Program) — no pay but good practice
# - Filter by "low" or "medium" severity scope
# - Look for programs with "informational" severity accepted
# - Avoid programs that require extensive setup for low payouts
```

Lab Builders

If you want to practice at home without subscriptions:

```bash
# VulnHub — vulnerable VM downloads (older but free)
wget https://download.vulnhub.com/dc/dc-1.zip
# Metasploitable 2 — intentionally vulnerable Linux VM
# This URL is the project's file listing, not a direct file link;
# open it in a browser and download the VM archive from there:
# https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
# DVWA — damn vulnerable web app
git clone https://github.com/digininja/DVWA.git
```

Platform Comparison

| Platform | Cost | Difficulty | Best For |
|---|---|---|---|
| Hack The Box | $20/mo (VIP) | Hard | Realistic machines |
| TryHackMe | $10/mo (premium) | Easy-Med | Structured learning |
| PicoCTF | Free | Easy | Absolute beginners |
| CTFtime | Free | Varies | Competition experience |
| VulnHub | Free | Medium | Offline practice |
| HackerOne | Free | Medium | Real-world bounties |

The Golden Rule

One platform, three months, consistent daily practice.
You'll learn more that way than jumping between 5 platforms in a month.
Master one environment before expanding.
A jack of all platforms is master of none.