{"id":92,"date":"2024-03-29T07:24:14","date_gmt":"2024-03-29T07:24:14","guid":{"rendered":"https:\/\/cryptrz.org\/wordpress\/?p=92"},"modified":"2025-05-14T05:49:32","modified_gmt":"2025-05-14T03:49:32","slug":"pentestground-free-pentesting-labs","status":"publish","type":"post","link":"https:\/\/cryptrz.org\/wordpress\/2024\/03\/29\/pentestground-free-pentesting-labs\/","title":{"rendered":"PentestGround, free pentesting labs"},"content":{"rendered":"\n

Preparing a lab for practicing pentest can take time. Depending of the vulnerable and attacker machines, you may need to download a vulnerable virtual machine, install it, fix eventual issues on VirtualBox<\/strong> or VMware<\/strong>, start services, maybe prepare the database, tools, proxies, certificates, etc\u2026 A list of these labs is available on owasp.org<\/a>. They\u2019re fun, useful, some of them are offline, others are online.<\/p>\n\n\n\n

TryHackMe<\/h2>\n\n\n\n

A simple alternative to use a few of them is to go to TryHackMe<\/a>. You can find for example OWASP Juice Shop<\/a>, OWASP Mutillidae II<\/a>, DVWA (Damn Vulnerable Web Application)<\/a>. You can execute them anytime, they\u2019re free, but you need to create a TryHackMe<\/strong> account.<\/p>\n\n\n\n

PentestGround by pentest-tools.com<\/a><\/h2>\n\n\n\n

If for some reason you don\u2019t want to subscribe TryHackMe<\/strong>, I\u2019ve just found a nice website with this kind of learning tools for pentesters, without subscription and instantaneously available. This website is PentestGround<\/a>.<\/p>\n\n\n\n

You\u2019ll find a list of vulnerable machines with different technologies, web apps, a Redis<\/strong> server and APIs like REST API<\/strong> or GraphQL<\/strong> and their vulnerabilities.<\/p>\n\n\n\n

\"PentestGround<\/figure>\n\n\n\n

DVWA<\/h2>\n\n\n\n

If you click for example the first link<\/a> for Damn Vulnerable Web Application<\/strong>, you\u2019re directed to PentestGround\u2019s instance which appears in a second and is ready to use.<\/p>\n\n\n\n

\"DVWA<\/figure>\n\n\n\n

REST API<\/h2>\n\n\n\n

You can also test a REST API<\/strong> by clicking the third link<\/a>. A first page provides some technical detail and URL for this API.<\/p>\n\n\n\n

\"vulnerable<\/figure>\n\n\n\n

If you click \u201cScan this API\u201d<\/a> bottom page, a quick walkthrough explains how to use PentestTools<\/a> for testing the API without virtual machines or local tools and setup an authorization header. If you don\u2019t have any account on this website, just subscribe here<\/a> before testing the API.<\/p>\n\n\n\n

\"Numbered<\/figure>\n\n\n\n

If you have your own virtual machines or (pen)testing tools locally installed , you can just launch Postman and Burp Suite<\/a>.<\/p>\n\n\n\n

\n