Vulnerable Distibutions

The community has coughed up some classic distributions full of juicy targets
and p0wnlabs is testing out a program to host them for your hacking pleasure.
Simply configure your system to connect to p0wnlabs via openvpn and hack away!


Here's the openvpn config package you will need to connect.

It's a simple tar archive of the text file and the necessary keys suitable for starting openvpn on linux. You can translate it to windows if you insist.

Once you're connected you'll get an extra ethernet interface on a network.


Where would we be without metasploit?

Uh..nowhere? And they're nice enough to have also created a vulnerable distribution for you to hack.

And we're nice enough to host it.

The target VM (1 instance for now) will be at


OWASP is awesome and to prove it they created webgoat a deliberately vulnerable J2EE web application.

Learn XSS, weak session cookies, sql injection and more!

Your target (once connected) is

Since webgoat saves your progress and we've got multiple people accessing it, you can login using any of the following usernames:
guest, guest1, guest2, guest3, guest4, guest5, guest6, guest7, guest8 or guest9.
Passwords for all username is simply: guest.


I may have mentioned that OWASP is really awesome and to prove it again they packaged over a dozen bad web apps into one virtual machine owaspbwa.

Damn Vulnerable Web App, Webgoat, Vicnum, Mutillidae, Ghost, Peruggia, and more await your p0wning.

Your target (once connected) is for apache, for tomcat


Daniel Crowley from Trustwave was kind enough to build this highly configurable SQLi testbed

Now you can try it out without having to build a vm, setup php, etc..just openvpn and you're in!

Your target (once connected) is with a mysql backend.


For help click on the help link above

These VMs restart themselves every 30mins and cannot make outbound connections. So nothing you do here is permanent, and you can't use them to attack someone else.

You should consider this VPN connection untrusted and everything you encounter along the way as dangerous. i.e. do not connect using a valued computer.

p0wnlabs is granting you permission to use the targets listed above, but cannot be held responsible for any damage you cause or damage caused to you from your use of these VMs.

Enjoy! and behave..

© Copyright 2009 p0wnlabs Web design released by Flash MP3 Player