Offensive Security
Resources for offensive security training. Compiled by the members of Root66Tulsa Cyber Clubs.
Multi-Discipline
OverTheWire - Learn Linux basics!
TryHackMe - A guided CTF-style learning platform.
- Suggested Learning Paths:
- Pre Security Path (Easy): Great for beginners to get started learning about cybersecurity.
- Jr Penetration Tester Path (Intermediate): Broad introduction to offensive security.
- Offensive Pentesting Path (Intermediate): Challenge yourself with more advanced offensive security topics and labs.
Hack The Box - Features both challenge machines and guided learning paths.
- Suggested Learning Paths:
Network Pentesting
GOAD - Game of Active Directory (GOAD) is an Active Directory lab environment to test your network penetration testing skills.
Web Application Security
PortSwigger Web Security Academy - A free learning platform that focuses on web application security.
TryHackMe Web Application Pentesting - TryHackMe module specific to Web Application Testing.
OWASP Top 10 - OWASP Top 10 Web Application Vulnerabilities.
OWASP Juice Shop - An intentionally vulnerable Web Application to test your penetration testing skills.
API Security
APIsec University - A free learning platform that focuses on API penetration testing.
VAmPI - A vulnerable API built with Flask that includes vulnerabilities from the OWASP Top 10 for APIs.
Mobile Application Security
Intro to Mobile Pentesting - Blog post by Hack The Box on getting started with mobile application security.
LLM Prompt Injection
Gandalf AI - Test your prompt injection skills to reveal a password.
Misc
IppSec - In-depth walkthroughs of retired Hack The Box machines.
Common Attack Pattern Enumeration and Classification (CAPEC) - Publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
MITRE ATT&CK Framework - Adversary tactics and techniques based on real-world events.
Disclaimer: Usage of offensive security tools against systems you do not own or have explicit permission to perform testing against is illegal and unethical.
The golden rule: No Crimesies.