43-Machine VulnHub Challenge — Series Plan, Outcomes & Learning Roadmap
I collected a focused set of 43 VulnHub machines that mirror OSCP-style labs and real-world misconfigurations. This page is the public plan: sequence, difficulty, required skillsets, and expected outcomes. I will solve them in order, publish a write-up for each, and keep compact, reusable notes for recruiters and peers.
What this challenge will teach me — outcomes & takeaways
- Design reproducible recon pipelines (netdiscover, nmap, gobuster, custom Python).
- Exploit common web vulnerabilities (SQLi, RCE, file upload, LFI/RFI).
- Escalate privileges on Linux (SUID, cron, NFS, LXD/Docker, kernel vectors).
- Attack Windows/AD environments (enumeration, Kerberos, persistence).
- Use and author offensive tooling (Metasploit, custom Python modules).
- Write professional remediation notes for ops teams.
Publishing Method
- Short battle-log summary.
- Full write-up with sanitized screenshots.
- Custom tools or scripts developed per machine.
Note: Destructive payloads will not be published. Focus is on learning, not weaponization.
Series Sequence — Easy → Medium → Hard
Ordered learning path emphasizing skill progression and OSCP-style practice.
| # | Machine | Difficulty | Key Skills |
|---|---|---|---|
| 1 | 02-Breakout | Easy | nmap, basic-priv-esc, web |
| 2 | Geisha | Easy | web, RCE, recon |
| 3 | Billu_b0x | Easy | web, php, file-include |
| 4 | Kioptrix Level 2 (original) | Easy | web, suid, enumeration |
| 5 | Kioptrix Level 2 (update) | Easy | web, lpe |
| 6 | Kioptrix4 | Medium | web, lpe, kernel |
| 7 | Hacksudo-search | Easy | web, enumeration, recon |
| 8 | hacksudoLPE | Medium | lpe, cron, suid |
| 9 | hacksudo-ProximaCentauri | Medium | web, RCE, nfs |
| 10 | hacksudo-FOG | Medium | web, tomcat, RCE |
| 11 | HacksudoAliens | Medium | web, LXD, containers |
| 12 | hacksudo-Thor | Medium | web, priv-esc |
| 13 | Tr0ll | Easy | web, recon |
| 14 | doubletrouble | Medium | web, auth-bypass |
| 15 | Hackathon2 | Easy | recon, web |
| 16 | Thales | Medium | web, crypto-intro |
| 17 | symfonos1 | Easy | web, php |
| 18 | symfonos2 | Medium | web, LPE |
| 19 | symfonos4 | Medium | web, container |
| 20 | Brainpan | Medium | web, lpe, recon |
| 21 | Hackers-Blog | Easy | wordpress, recon |
| 22 | Machine_Matrix | Hard | mixed, forensics, lpe |
| 23 | VulnOSv2 | Medium | varied, web, lpe |
| 24 | escape_room | Easy | puzzle, recon |
| 25 | temple-of-DOOM | Hard | kernel, exploit-dev |
| 26 | Cherry | Medium | web, RCE |
| 27 | Deathnote | Hard | AD, complex |
| 28 | Machine_Matrix (zip) | Hard | forensics, reverse |
| 29 | Vulnix | Medium | web, suid |
| 30 | jangow-01 | Easy | django, web |
| 31 | scarecrow | Easy | web, recon |
| 32 | tinysploitARM | Hard | arm, exploit-dev |
| 33 | FristiLeaks | Medium | web, info-leak |
| 34 | Wintermute | Medium | web, lpe |
| 35 | kp_1 | Easy | intro, recon |
| 36 | zico2 | Medium | web, auth |
| 37 | FunBox | Easy | web, beginner |
| 38 | Stapler | Medium | suid, cron |
| 39 | ReadMe | Easy | recon, web |
| 40 | Billu_b0x (alt) | Easy | web, php |
| 41 | Dc-1 | Easy | web, php |
| 42 | DC-2 | Easy | web, php |
| 43 | DC-3 | Easy | web, php |