3 min read

After the Legend: A Complete Map of Modern Pentest Lab Platforms Beyond VulnHub (2026)

After the Legend: A Complete Map of Modern Pentest Lab Platforms Beyond VulnHub (2026)

A while back I put together a "100 VulnHub Boxes You Have to Own" list. Revisiting it recently, I noticed a problem: that list is essentially a "VulnHub classics ranking," not a "modern boxes ranking." So this post organizes the modern alternative platforms I actually recommend into a single map, and gives you selection advice based on what you're after.

Let's be honest: VulnHub has basically stopped updating

It's not that VulnHub produced nothing over the past decade — it's that it later almost completely stopped adding new machines. I just checked again, and the latest entry on the front page is still Matrix-Breakout: 2 Morpheus, released on July 11, 2022. Scroll down and the whole page is stuff from 2021. In other words, as long as you keep picking from VulnHub, you're inevitably going to be buried under 2015–2021 Ubuntu, Apache, PHP, WordPress, and traditional Linux privesc, and you'll never get to touch anything new.

VulnHub's value hasn't disappeared — classic chains like node-serialize RCE, PwnKit, and SUID privesc are still fundamentals to this day. But if what you want to practice is the "modern attack surface," you can bring more resources into the mix!

So where did the modern community move to? I'll split this into two categories: first, "downloadable boot2root" (VulnHub's spiritual successors), then "modern attack surfaces that aren't necessarily packaged as a single VM."

1. Downloadable boot2root: VulnHub's spiritual successors

1. HackMyVM — the most direct heir to VulnHub

This should be the first platform to look at. It's free, the boxes can be downloaded to your local machine (not just an online VPN), and if you only play the VMs you don't even need an account. Officially it currently lists 300+ boot2root VMs, 90+ challenges, and 3 online labs (I just verified the numbers), and community submissions keep growing.

The format is the one you know: download the VM, hook it onto your attack box's network segment, and work your way from black-box enumeration all the way to root — and most of them come with official writeups to compare against.

Good for you if: you want the kind of complete Web / service / Linux attack chain that Temple of Doom had.

hackmyvm.eu

2. VulNyx — a more polished modern VulnHub

VulNyx is likewise free, no registration required, and runs locally after download. It offers Linux boxes from Low to Hard, filterable by operating system, tags, and compatible platform. The technical range it lists officially covers Web exploitation, SUID, privilege escalation, and buffer overflow.

Compared to HackMyVM: HackMyVM has huge volume with a very mixed range of author styles; VulNyx has a tidier interface and categorization, making it easier to pick a specific technique to practice.

Good for you if: you want something newer, short but complete, a downloadable single-machine boot2root.

vulnyx.com

3. DockerLabs — best suited to a WSL2 setup (my personal favorite)

This one might actually be the most to my taste. DockerLabs isn't an OVA — you download a .tar box and then use the bundled auto_deploy.sh to spin up and tear down the environment with a single command; it even supports deploying multiple containers at once for pivoting. In the directory you'll see names like ApiRoot, Gitea, BadPlugin, Stellarjwt, StrongJenkins, LogisticCloud, NodeClimb, PkgPoison, DevTools, and BigPivoting — reflecting that, far more than old VulnHub, it tends to revolve around APIs, JWT, CI/CD, packages, Git services, and internal-network lateral movement.

One caveat, though: you still have to vet each individual box on its own quality — you can't judge the attack chain from the name alone.

The biggest benefit for WSL2 Kali users is that you can run DockerLabs directly inside WSL2, without having to deal with VirtualBox's NAT, bridging, adapter names, and DHCP.

Security note: a Docker box's isolation model is not a full VM. Docker isolates processes with namespaces and cgroups, but a malicious or highly privileged container should still be treated as untrusted content. I'd suggest putting it in a dedicated WSL distro, and before running, take a quick look at whether auto_deploy.sh uses --privileged, mounts the Docker socket, or has any dangerous host bind mounts.

dockerlabs.es

4. Vulhub — for drilling recent CVEs (note: one fewer "n")

The name is Vulhub, not VulnHub. It's not a narrative-style boot2root, but rather a huge collection of directly launchable Docker Compose vulnerability environments. Typically you cd into the target directory and run:

docker compose up -d

and you've deployed a lab environment for a particular product or CVE. It suits your current vulnerability-research direction: Java / Spring, Jenkins, GitLab / Gitea, Elasticsearch, Redis, Apache / Nginx, all kinds of PHP frameworks, plus every flavor of deserialization, SSRF, RCE, and authentication bypass.

Downside: it usually only gives you "vulnerability reproduction," not the complete story chain of "enumeration → initial access → lateral movement → root." → github.com/vulhub/vulhub

Closing thoughts

The legend is long gone, but the successors are countless. If your next box should just sidestep the pain of VirtualBox entirely, try DockerLabs first; if you still want the real feel of a full VM, start with HackMyVM. Keep VulnHub around too, but let it return to what it is — a museum of legends, rather than your only source of practice boxes.


References