PentestGround, free pentesting labs

Preparing a lab for practicing pentest can take time. Depending of the vulnerable and attacker machines, you may need to download a vulnerable virtual machine, install it, fix eventual issues on VirtualBox or VMware, start services, maybe prepare the database, tools, proxies, certificates, etc… A list of these labs is available on They’re fun, useful, some of them are offline, others are online.


A simple alternative to use a few of them is to go to TryHackMe. You can find for example OWASP Juice ShopOWASP Mutillidae IIDVWA (Damn Vulnerable Web Application). You can execute them anytime, they’re free, but you need to create a TryHackMe account.

PentestGround by

If for some reason you don’t want to subscribe TryHackMe, I’ve just found a nice website with this kind of learning tools for pentesters, without subscription and instantaneously available. This website is PentestGround.

You’ll find a list of vulnerable machines with different technologies, web apps, a Redis server and APIs like REST API or GraphQL and their vulnerabilities.

PentestGround page made by showing the list of vulnerable systems available for practicing


If you click for example the first link for Damn Vulnerable Web Application, you’re directed to PentestGround’s instance which appears in a second and is ready to use.

DVWA homepage available on


You can also test a REST API by clicking the third link. A first page provides some technical detail and URL for this API.

vulnerable REST API homepage available on and showing technical specifications

If you click “Scan this API” bottom page, a quick walkthrough explains how to use PentestTools for testing the API without virtual machines or local tools and setup an authorization header. If you don’t have any account on this website, just subscribe here before testing the API.

Numbered list showing how to scan the vulnerable API and providing the authentication header

If you have your own virtual machines or (pen)testing tools locally installed , you can just launch Postman and Burp Suite.

You can now explore and hack each of them. Thanks to PentestTools for providing these free labs.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Creative Commons License CC BY-SA 4.0