Awesome

Awesome Sec Challenges

A curated list of Awesome Security Challenges that is aimed at getting beginners and experts alike involved in upskilling their ethical hacking, pentesting, and crypto skill through online challenges.

There are a lot of great security challenges on the Internet, but it's hard to keep track of them all or work on different types of challenges. This list helps keep all those scattered platforms in one place.

If you'd like to contribute, please see the contribution guidelines.

Contents

• Created By
• Capture The Flag
  • Cloud-Focused
  • CTF Platforms
  • Vulnerable Platforms
  • Introductory Education
• Cryptography
• Web3

Created By

Capture The Flag

This is a list of Capture The Flag (CTF) challenges and websites.

Cloud-Focused

This is a list of CTF challenges that specifically focus on exploiting cloud services.

• CloudFoxable - An intentionally vulnerable Amazon Web Services (AWS) environment.
• CloudGoat - A vulnerable by design Amazon Web Services (AWS) deployment tool.
• CloudSec Tidbits - Infrastructure as Code (IaC) laboratory reproducing interesting pentest findings by DoyenSec.
• CONVEX - An open-source CTF platform that lets you spin up CTF events in your Microsoft Azure environment.
• Damn Vulnerable Cloud Application - an intentionally vulnerable cloud application to teach privilege escalation on Amazon Web Services (AWS).
• GCP Goat - An intentionally vulnerable GCP environment to learn and practice GCP security.
• FLAWS - A CTF site based on common mistakes and gotchas when using Amazon Web Services (AWS).
• FLAWS2 - The sequel to the flAWS.cloud CTF site with both an Attacker and Defender track using Amazon Web Services (AWS).
• IAM Vulnerable - Use Terraform to deploy IAM resources to learn how to identify and exploit vulnerable IAM configurations.
• Lambhack - A vulnerable serverless Amazon Web Services (AWS) lambda application.
• S3 CTF Challenges - A series of challenges focusing on Amazon Web Services (AWS) S3 misconfigurations.
• ServerlessGoat - An Amazon Web Services (AWS) serverless application that demonstrates common serverless security flaws.
• The Big IAM Challenge by Wiz - A hosted Identity and Access Management (IAM) based CTF.
• Thunder CTF - A CTF site based on attacking vulnerable cloud projects on Google Cloud Platform (GCP).

CTF Platforms

This is a list of platforms that let you organize, host, and participate in competitive CTF events or platforms that let you do gamified security challenges, and a list of traditional CTF challenges that leverage mostly SSH or VPN sessions.

• Facebook CTF - A CTF platform by Facebook to host Jeopardy and “King of the Hill” style Capture the Flag competitions.
• HackTheBox - A CTF site to work on your pentesting skills.
• HackThisSite - A CTF site to practice your ethical hacking skills.
• OverTheWire - A series of CTFs to practice security concepts in the form of fun-filled games.
• TryHackMe - An online CTF platform that teaches you about hacking and pentesting by way of gamified challenges.

Vulnerable Platforms

This is a list of pre-packaged applications and platforms with intentional misconfigurations and vulnerabilities present.

• Damn Vulnerable Bank - An intentionally vulnerable Android banking application.
• Damn Vulnerable Linux - A vulnerable Linux distribution designed to help sysadmins to better understand how to secure Linux.
• Damn Vulnerable Web App - A vulnerable PHP/MySQL web application designed to help web developers better understand securing web apps.
• OWASP Juice Shop - An insecure web application written in Node.js that is vulnerable to the OWASP Top 10 web application security risks and other real-world vulnerabilities.

Introductory Education

This is a list of sites dedicated to beginner-focused education, such as grade school-level challenges.

• Cyber Start - High School level introductory hacking courses.

Cryptography

This is a list of challenges that teach you about cryptography, cryptosystems, and breaking widely used encryption schemes which are sometimes improperly implemented.

• Cryptopals - A site to learn about cryptography through problem-solving and programming.
• CryptoHack - A free platform for learning modern cryptography.
• MysteryTwister C3 - A variety of tasks and riddles (challenges) at four levels of difficulty.

Web 3

This is a list of challenges that teach you about secure Web3 (smart contracts, DeFi, blockchain, solidity, etc.) practices.

• DeFiVulnLabs - A site to learn about Web3 solidity security training on Foundry.
• DeFiHackLabs - A site that uses real past DeFi hack incidents to let you recreate how the hacks happened and how to secure them.