Free Cybersecurity Labs and Wargames for Beginners
Cybersecurity is a practical field. You need an understanding of concepts like networking and core security principles, but nothing beats hands-on experience with the relevant tools and technologies. It is possible to learn these things through books and videos, but playing with the technology in a lab or 'wargame' environment is the best way to prepare for a real-world career in infosec (Information Security).
In this article, we'll cover:
- What wargames are and what are some alternatives
- How to get started with wargames and cybersecurity labs if you're new to infosec
- Some of the most popular wargames and lab platforms for beginners
What is a wargame
Wargaming is a term used to describe a game that simulates war, either for pleasure or by military strategists to prepare for conflict. From Wikipedia:
A wargame is a game that realistically simulates warfare[...] Wargaming may be played for recreation, to train military officers in the art of strategic thinking, or to study the nature of potential conflicts.
This article focuses on cybersecurity wargames as simulated environments that allow you to practice offensive (and defensive) security skills safely and legally. They are a novel form of training that can be both effective and enjoyable! Often they will consist of a series of levels that get sequentially harder.
Wargames place emphasis on creative problem-solving. Often, you won't be given a lot of information to start with - you have to figure things out for yourself! These kinds of challenges can be intimidating initially, but if you persevere, you will be amazed by what you can achieve.
Topics commonly covered by wargames include:
- Developing familiarity with GNU/Linux and command-line tools
- Identifying and exploiting software vulnerabilities
- Web application security
- Reverse engineering
- Cryptography
Cyber Labs
Cyber, or infosec, 'labs' are similar to wargames but can be more beginner-friendly. Many online lab platforms will group labs into different topics, which can be completed modularly. Often, each lab is presented as a standalone challenge with some explanation of what you will need to do. Labs will usually exercise a particular cybersecurity tool or technology - you can find labs to test defensive and offensive infosec skills.
Wargames vs CTFs
CTF stands for Capture The Flag. In 'real-world' terms, capture the flag is an outdoor game where two or more teams compete to capture opponents' flags and protect their own. In the infosec world, players compete to capture digital flags by completing challenges. Usually, players or teams participate simultaneously to capture the same flags, but teams must also defend their own flags in some competitions. CTFs are a great way to learn new cybersecurity skills in a fun, practical environment.
The main difference between a wargame and a CTF is that CTFs are typically run competitively for a limited time, whereas wargames can be accessed on-demand and completed at your own pace. Wargames are often more of an individual pursuit, whilst many CTF competitions encourage teams to enter.
CTF Flag Formats
Both CTFs and wargames usually require players to complete challenges to unlock flags. Ultimately 'flags' can come in many different forms, but each platform/competition will usually have a consistent format. Often this will be some identifier, followed by a hexadecimal number. For example, the 247CTF format is 247CTF{32-HEX}:
247CTF{5eb63bbbe01eeed093cb22bb8f5acdc3}
In some wargames, rather than flags, players may be looking for passwords to access the next level.
Wargame Tips
Here are some top tips for beginners that are new to wargaming.
- Read the manual
- Google is your friend
- Anything could be a clue, but not everything will be
- Keep going
Wargames will often be on a GNU/Linux machine or in an environment where you have access to 'help'. On Linux, use the 'man pages' to look up commands involved - make sure you understand what all the different arguments mean. Similarly, if the challenge focuses on a specific program, use the help option if it has one and if the challenge lets you see the source code, read it thoroughly. Many challenges which require you to exploit a vulnerable program will allow you to access the source code - dig through it carefully to understand what it does and where the vulnerabilities might be.
Don't feel like you should already know the answers. You can use Google (or any other search engine) to help you understand whatever tools and technologies you need to solve the challenge. There are no dumb questions, and there isn't always an obvious place to start.
Some wargames will have riddle-like titles which give you a hint about how to solve the challenge. Other challenges might give you suspicious comments in some source code. Well-written challenges will usually have some little clues to lead you down the correct path.
And finally, keep going! Wargames are meant to be tough, and one of the skills you'll learn is problem solving and perseverance. Go down rabbit holes, but not too far. If you're consistently hitting your head against a wall, take a break and then come back and try a different approach.
Are Wargames Safe?
Many people participate in wargames and CTFs without any problems, and you can learn a lot by doing so. Some sites can come across as more friendly than others, so take a look at the different platforms and labs discussed in this article and start with the one you are most comfortable with.
First and foremost, do think carefully before connecting to a random server on the internet. We have not performed any security audit of the platforms discussed here, so we can't comment on specifics - you can always do a quick search to see other people's experiences. If you use some common sense and keep your systems up to date, you should be ok!
Here are a few safety tips to think about:
- Use a clean Virtual Machine (VM) to connect to wargames/challenge platforms. This could be hosted on your own machine or in the cloud. Some platforms will let you complete all the challenges from your browser.
- Make sure your software is up to date - especially software used to connect (e.g. SSH client, browser, VPN).
- With SSH, you can use -x and -a (both lower case) to explicitly disable X11 forwarding and agent forwarding and prevent some possible attacks. (These should be disabled by default on most modern clients.)
- Don't reuse passwords. You could consider setting up a separate email address too, if you are concerned.
- Be careful not to type personal information or passwords into your wargame terminal accidentally.
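The -x and -a tip above can be checked rather than assumed. The following is an added example, not part of the original article: a shell function that reads the effective client settings printed by ssh -G <host> and flags agent or X11 forwarding that is not explicitly off. The host name, port and sample settings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the effective OpenSSH client settings for a lab host.
# Reads `ssh -G <host>` output on stdin; returns non-zero if forwarding is on.
# Usage against a real host: ssh -G lab1.example.com | audit_forwarding

audit_forwarding() {
    # Start from "unset" so a missing keyword is reported rather than trusted.
    agent="unset"
    x11="unset"
    while read -r key value; do
        case "$key" in
            forwardagent) agent="$value" ;;
            forwardx11)   x11="$value" ;;
        esac
    done
    rc=0
    # ForwardAgent can be "yes", "no", a socket path or an environment
    # variable name; only the literal "no" keeps the agent away from the server.
    if [ "$agent" != "no" ]; then
        echo "agent forwarding is '$agent': connect with -a or set ForwardAgent no"
        rc=1
    fi
    if [ "$x11" != "no" ]; then
        echo "X11 forwarding is '$x11': connect with -x or set ForwardX11 no"
        rc=1
    fi
    return $rc
}

# Constructed samples in the keyword/value format of `ssh -G` (not captured output).
SAFE_SAMPLE='hostname lab1.example.com
port 2222
forwardagent no
forwardx11 no
forwardx11trusted no'

RISKY_SAMPLE='hostname lab1.example.com
port 2222
forwardagent yes
forwardx11 no'

printf '%s\n' "$SAFE_SAMPLE"  | audit_forwarding && echo "safe sample: ok"
printf '%s\n' "$RISKY_SAMPLE" | audit_forwarding || echo "risky sample: flagged"
```

Running the check before the first connection to a new wargame host catches a ForwardAgent yes or ForwardX11 yes inherited from a wildcard Host block in your client configuration.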
Wargame Alternatives
Wargames are just one option for getting practical infosec experience. Some alternatives which can help beginners learn cybersecurity skills are:
- Downloadable 'vulnerable' applications - check out the OWASP Vulnerable Web Applications Directory.
- Online courses which have more of a taught component, combined with supporting exercises.
- More general online cyber lab platforms (we will cover some of these here)
- Participating in a Capture the Flag event
- Setting up a Kali Linux VM and following some online tutorials or exercises from a good infosec book!
How to Access Wargames
Different platforms and labs will have different methods to access the challenges. This can be a bit confusing to people just getting started. Some common approaches include:
Browser-based - interactive challenges delivered as a web application. These are often the easiest way to get started but can lack realism and exposure to real-world environments and infosec tools.
Downloadable - some exercises might require you to download an artefact for local analysis. This is often the case with cryptography challenges and some binary exercises. As discussed above, make sure you set up an appropriate virtual environment to do this.
SSH - it is common with wargames (such as OverTheWire discussed below) to connect to them with SSH. Usually, the challenge will give you a host (e.g. lab1.example.com) and port number to connect on. GNU/Linux machines have SSH already installed, or on Windows, you can install 'PuTTY'.
VPN - more comprehensive cyber lab environments might require you to use a 'Virtual Private Network' (VPN) to connect. Typically this will use OpenVPN and require you to download a .ovpn file with connection settings. Platforms such as 'HackTheBox' and 'Offensive Security' labs use this approach. Platforms using this approach typically provide good documentation on how to connect and troubleshoot connectivity issues.
Hybrid, browser-accessible cloud VMs - to avoid the complexities of setting up a VPN connection, some platforms now provide a cloud-based Virtual Machine that you can access remotely through a browser. This removes the need to maintain your own lab VM whilst still providing access to a comprehensive cyber range.
Wargames and Challenges
Below we have listed some fantastic wargames, challenges and cybersecurity lab platforms for beginners. You will find links to everything discussed at the end of the article.
PromptRiddle
PromptRiddle is a cool interactive puzzle-solving game that can provide a gentle introduction to the world of wargaming and CTFs. The site presents you with a command-prompt style interface with a series of puzzles to solve to progress to the next level.
No prerequisite knowledge is required, so you don't need to know how to program or use Linux to enjoy it!
OverTheWire
OverTheWire is one of the most well known and beloved computer security wargames around. The site hosts over ten different games covering topics such as GNU/Linux, web application security and advanced exploitation techniques. Whether you are a beginner or already have experience, OverTheWire will have something for you.
Because of its popularity, many levels for the most popular games have had walkthroughs published online if you get stuck. But remember, you will get the most out of these labs by trying everything yourself first!
Is OverTheWire Safe
As mentioned above, you should be careful when accessing any online service, but OverTheWire is a well-established wargame platform, and you can read lots of reviews and recommendations. You can also learn more on their Patreon page and GitHub.
Bandit
The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames. Bandit will challenge you to use a wide range of GNU/Linux commands to solve challenges. This game, like most other games, is organised in levels. You start at Level 0 and try to "beat" or "finish" it. Finishing a level results in information on how to start the next level.
Natas
Natas teaches the basics of server-side web security. On each level, you must gain access to the password of the next level.
Leviathan
Learn more about GNU/Linux with these hands-on challenges. This wargame doesn't require any knowledge about programming - just a bit of common sense and some knowledge about basic *nix commands.
pwnable.kr
The pwnable.kr website has been put together by the Systems Software and Security Lab at Georgia Tech University to help students practice their cyber security skills. Each challenge has a flag to find by using knowledge of programming, reverse engineering, systems and cryptography.
There are four different categories of challenge, which are described as:
Toddler's Bottle
Straightforward challenges with simple 'mistakes' that you must find. (You can also find write-ups and walkthroughs for these online).
Rookiss
Typical bug exploitation challenges for rookies.
Grotesque
Satisfying but grotesque-ly painful to solve!
Hacker's Secret
Challenges requiring special techniques to solve!
To start playing, follow the 'play' link on the homepage and pick a challenge that you like the look of!
MicroCorruption - Embedded Security CTF
Scattered throughout the world in locked warehouses are briefcases filled with Cy Yombinator bearer bonds that could be worth billions comma billions of dollars. You will help steal the briefcases.
MicroCorruption is a fantastic browser-based wargame focused on learning assembly language. Assembly language is the foundational language understood by computers, so this is a great place to start learning skills like reverse engineering and software exploitation. On each level, you will use the neat interface to debug a virtual electronic lock to allow access to the briefcases!
There is no need to have prior experience with assembly or debugging, but you will need to commit some time to learn as you go along. To get started, you'll need to fill out a short form, which will result in you receiving an email inviting you to register an account on the site.
SmashTheStack
SmashTheStack offers several wargames designed to provide an ethical hacking environment where you can explore real-world software vulnerabilities and practice exploiting them. At the time of writing, there are five available wargames online: AMATERIA, BLACKBOX, BLOWFISH, LOGIC and TUX. You must progress through the levels sequentially, finding the password for the next one as you go.
To get started, you will need to SSH into the game server and start exploring. Some levels will let you view the source code of the software that you need to exploit - use this to identify where the bugs are! If you have trouble getting started, check out their FAQ pages.
CryptoHack
CryptoHack is a website dedicated to cryptography challenges. It describes itself as a fun, free platform for learning modern cryptography. After registering for an account, you can start learning with one of their courses or jump straight into the challenges. You will need to do some coding on your own machine (locally) to solve some of the challenges - they provide a Docker image with all the tools you'll need to get started.
CryptoHack is a really polished platform that makes learning about a tricky but essential topic easy and engaging! They focus on teaching you how to break bad implementations of modern cryptography. These skills can help you understand how to implement crypto securely. If you find this is something that you enjoy, they even have a job board advertising related roles.
HackThisSite
HackThisSite has been around since 2003 and describes itself as:
"a free, safe and legal training ground for hackers to test and expand their ethical hacking skills with challenges, CTFs, and more."
After registering and logging in, you can get started with various challenges across different categories, including:
- Basic Challenges
- Realistic Missions
- Application (Reversing) Challenges
- Steganography
- JavaScript
And, as the name suggests, if you can successfully (and responsibly) hack the site, you will be recognised in the HackThisSite hall of fame!
247CTF
247CTF is a free, always-on capture the flag environment. It offers over 50 challenges, with more being added regularly. Some challenges are downloadable and require you to solve them locally before submitting the flag. Other challenges are 'launchable' and require you to access them from a VM or through a browser.
HackTheBox
HackTheBox is a mature, well-designed platform with 100s of challenges and features such as battlegrounds, job boards and an academy. HackTheBox challenges require you to connect using an OpenVPN connection (not SSH like some of the other sites here) - they have instructions on how to get set up with this.
After registering, there are loads of labs to get started with, from easy ones that will help develop familiarisation with tools like Metasploit through to advanced topics like Windows Active Directory and pivoting.
You can access most HackTheBox features for free. They also offer:
- VIP - provides access to hundreds of additional challenge machines, additional servers for better performance, 24 hrs/month 'pwnbox' access to challenges through your web browser (rather than requiring your own virtual machine and connecting over VPN), and more.
- VIP+ - features of VIP plus unlimited 'pwnbox' access and dedicated personal challenge instances.
- ProLabs - more comprehensive lab environments designed to represent real-life red team engagements.
TryHackMe
TryHackMe is an integrated cybersecurity learning platform with different learning paths, including:
- Pre Security - foundational content covering cyber security basics, networking, Linux and common web attacks.
- Cyber Defense - learn how to analyse and defend against real-world attacks.
- Offensive Pentesting - designed to prepare you for a career in penetration testing.
- Web Fundamentals - learn about web application vulnerabilities and how to exploit them as part of an application assessment.
Lessons provide a structured way for beginners to learn and apply cyber security concepts, tools and technologies. Lessons are broken down into separate tasks, which integrate hands-on challenges.
They also offer subscriptions and paid labs with additional features and more expansive networks.