If you are considering learning about hacking and cyber security, you definitely need places where you can practice your skills. Attacking other people's machines without their consent is considered a felony in most countries and will have you thrown in prison for years if you get caught. It's best not to risk a prison sentence and instead to hone your skills in a safe environment where you don't have to worry about legalities.

The solution to your problem is CTFs, short for "Capture the Flag". CTFs are essentially games where you are tasked with attacking a known vulnerable machine in order to find and retrieve a string of text called the flag. Flags can be redeemed for points on some platforms and sometimes even money. Many CTFs deal with common vulnerabilities with well-known exploits, while others require a great deal of time, focus and even custom exploits. There are challenges for people of all skill levels and I'm going to give you a list of the best sites available as of 2019.

Before I talk about what I've come to know as the best sites, a quick list of prerequisite knowledge to be successful in these challenges is in order.

You should be familiar with the most common vulnerabilities in the wild: how to detect them and how to exploit them. Most of the time, you can't just fire off scans and brute force login credentials. Doing so often has you temporarily banned from the challenge, and for good reason too. You normally shouldn't be doing these things in a real engagement since they generate a lot of traffic from your computer and will help you get caught.

Most challenges start with a vulnerable web application that needs to be compromised in order to get a foothold on a machine. Knowledge of SQL injections, bad session management, default credentials, broken authentication and file inclusion vulnerabilities is essential to the majority of challenges. These techniques, plus a little bit of experience with the Linux command line, shell scripting and Python or Ruby, could have you ready to start beating challenges, seeing the results of your hard work and staying motivated.

Here are our Top 5 picks for the best sites to learn hacking without breaking the law.


WeChall is an international network and cross-site scoring web site for CTFs. If you love instant gratification and want to treat your learning like a video game, you should absolutely sign up for WeChall. Most of the major CTF sites have WeChall integration and can record your scores from other sites to give you a more universal leaderboard. WeChall also offers its own challenges in not just hacking, but also in programming and math. Personally, I love this site and have worked my way into the Top 1000 challengers, which did take a long time given the number of points needed. I encourage you to use the site as a scoreboard and compile all of your scores on different websites into one place.


HackTheBox is a more advanced platform for CTFs. Challenges are often longer and are created to simulate a real-life engagement. If you've had success with other platforms and are confident enough in your abilities as a hacker, HackTheBox will provide you with further amusement. There are no write-ups for any active challenges to keep the level of entry high. Past challenges do have walkthroughs and in fact, one of the admins of HackTheBox, IppSec, posts them weekly.

In order to gain access to the site, you have to "hack" yourself an invitation code. This only takes about 10 minutes if you know what you're doing. All boxes are live machines and you'll have to connect to their network using their OpenVPN certificate. If you are ever experiencing issues with one of the machines, you can request a reboot on the site.

HackTheBox also has many helpful Discord servers dedicated to it such as iC0de and X9 Security. These servers will help give you a push in the right direction and will also allow you to find people you might enjoy solving challenges with. You can find the current invites to these servers on DisBoard.

Here is IppSec's YouTube channel — https://m.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA


HackThisSite is an absolute basics site for learning mostly web exploitation. The site was created by Jeremy Hammond, a former member of LulzSec, in 2003 and has taught curious neophytes for over a decade and served half a billion visits. If you were ever a script kiddie in the past, you might have already known about or even used this site. The community surrounding this site might not be the most healthy, but it has a very low bar to entry.

The site's challenges tend to be very political, especially the "Realistic" ones, possibly a reflection of its founder. The challenges do not get too complicated and are easily digestible for beginners. You could easily run through 10 or so in about an hour. Any experience is good experience when it comes to hacking. Every challenge you solve, no matter how simple, is important to your future.


VulnHub is a platform for submitting and downloading virtual machines for various hacking challenges. Challenges of all difficulties are available for download. Most of the machines are created for VirtualBox, though there are many others made for VMware. If you ever have trouble importing or running a VM, you should consider trying a different hypervisor or tweaking some settings since all of them have been confirmed to work as of February 2019 (by me personally).

Many of the virtual machine labs on this site are fun and act as more of a sandbox for what you can do. Running challenges locally takes away any legal liability you may be subjected to for your actions.


OverTheWire offers many series of challenges available over SSH. You are given the first level's credentials and are tasked with finding the credentials for the next challenge's user and so forth until you complete the entire series. The "Bandit" and "Natas" challenges attempt to teach the user about common Linux tasks and basic web exploitation, respectively. Both of these series are great for beginners, being short and to the point. Later challenge series such as "Vortex" and "Semtex" are geared to more advanced users and deal more with exploit writing and other related skills.


There are many, many more sites that are not listed here. This list should give you enough resources to become competent in hacking and to vent your inner anarchism. Remember, the people you hack are human beings; respect them and direct your angst elsewhere. I wish you safe travels and happy hacking!