| Admirer | EASY | Information Leakage | 3 |
| Antique | EASY | SNMP Enumeration | 4 |
| Backdoor | EASY | Local File Inclusion (LFI) · WordPress Exploitation · Remote Code Execution (RCE) | 4 |
| Bank | EASY | Information Leakage · Transferencia de zona DNS · File Upload Vulnerabilities · SUID binaries · Remote Code Execution (RCE) | 4 |
| Bashed | EASY | Abuso de cron · Abuso de sudo · phpbash (web shell PHP) | 2 |
| Beep | EASY | Local File Inclusion (LFI) · Information Leakage · File Upload Vulnerabilities · Shellshock (CVE-2014-6271) · Elastix LFI · Remote Code Execution (RCE) | 3 |
| Blocky | EASY | WordPress Exploitation · Information Leakage | 3 |
| Blunder | EASY | Directory / Path Traversal · File Upload Vulnerabilities | 3 |
| BountyHunter | EASY | XML External Entity | 4 |
| Delivery | EASY | Subdomain Enumeration · Information Leakage · Cracking Hashes (hashcat / John) | 4 |
| Doctor | EASY | SSTI (Server-Side Template Injection) · OS Command Injection · Remote Code Execution (RCE) | 3 |
| Frolic | EASY | Remote Code Execution (RCE) · Information Leakage | 4 |
| GoodGames | EASY | SSTI (Server-Side Template Injection) · Port Forwarding / Pivoting · SQL Injection | 4 |
| Haystack | EASY | Information Leakage | 3 |
| Horizontall | EASY | Information Leakage · Port Forwarding / Pivoting | 3 |
| Knife | EASY | Remote Code Execution (RCE) | 3 |
| Laboratory | EASY | Information Leakage · Insecure Deserialization · SUID binaries · Remote Code Execution (RCE) | 3 |
| Lame | EASY | Samba 3.0.20 RCE (CVE-2007-2447) | 5 |
| Late | EASY | SSTI (Server-Side Template Injection) · Subdomain Enumeration · File Upload Vulnerabilities | 4 |
| Mirai | EASY | Credenciales por defecto · USB forensics · Pi-hole credenciales por defecto | 3 |
| Nibbles | EASY | Remote Code Execution (RCE) · File Upload Vulnerabilities | 4 |
| NodeBlog | EASY | Authentication Vulnerabilities · Insecure Deserialization · SQL Injection · XML External Entity | 3 |
| NunChucks | EASY | SSTI (Server-Side Template Injection) | 4 |
| OpenSource | EASY | Local File Inclusion (LFI) · Information Leakage · Port Forwarding / Pivoting · File Upload Vulnerabilities · Remote Code Execution (RCE) | 3 |
| Pandora | EASY | Remote Code Execution (RCE) · Information Leakage · Port Forwarding / Pivoting · SQL Injection · SNMP Enumeration | 3 |
| Paper | EASY | Information Leakage · WordPress Exploitation | 4 |
| Postman | EASY | Redis Exploitation | 4 |
| RouterSpace | EASY | OS Command Injection · linPEAS · Remote Code Execution (RCE) | 3 |
| Safe | EASY | Information Leakage · Buffer Overflow (BoF / ROP) | 3 |
| ScriptKiddie | EASY | OS Command Injection · Port Forwarding / Pivoting · Remote Code Execution (RCE) | 3 |
| Secret | EASY | JSON Web Tokens (JWT) | 4 |
| Sense | EASY | Information Leakage · pfSense · Remote Code Execution (RCE) | 3 |
| Shocker | EASY | Shellshock (CVE-2014-6271) | 4 |
| SteamCloud | EASY | Kubernetes API Enumeration (kubectl) Kubelet API Enumeration (kubeletctl)… | 3 |
| SwagShop | EASY | Remote Code Execution (RCE) | 3 |
| Tabby | EASY | Local File Inclusion (LFI) | 3 |
| Teacher | EASY | Information Leakage · Cracking Hashes (hashcat / John) · Fuzzing de directorios · Remote Code Execution (RCE) | 4 |
| Traverxec | EASY | Nostromo Exploitation Abusing Nostromo HomeDirs Configuration Exploiting… | 4 |
| Valentine | EASY | Cracking Hashes (hashcat / John) · Race Conditions | 3 |
| Validation | EASY | Information Leakage · SQL Injection · Remote Code Execution (RCE) | 4 |
| Apocalyst | MEDIUM | WordPress Exploitation · Information Leakage · Steganography (Stego) · Remote Code Execution (RCE) | 3 |
| Aragog | MEDIUM | XML External Entity · WordPress Exploitation | 3 |
| Backend | MEDIUM | Information Leakage · Remote Code Execution (RCE) · JSON Web Tokens (JWT) | 4 |
| BackendTwo | MEDIUM | Information Leakage · Remote Code Execution (RCE) · JSON Web Tokens (JWT) | 3 |
| Bolt | MEDIUM | SSTI (Server-Side Template Injection) · Subdomain Enumeration · Information Leakage | 3 |
| Book | MEDIUM | Cross-Site Scripting (XSS) | 3 |
| Cache | MEDIUM | Access Control / IDOR · Authentication Vulnerabilities · Information Leakage · SQL Injection · Remote Code Execution (RCE) | 3 |
| Catch | MEDIUM | SSTI (Server-Side Template Injection) · Information Leakage · SQL Injection · Remote Code Execution (RCE) | 3 |
| Celestial | MEDIUM | Insecure Deserialization · Remote Code Execution (RCE) | 3 |
| Chaos | MEDIUM | Remote Code Execution (RCE) | 3 |
| Cronos | MEDIUM | OS Command Injection · Transferencia de zona DNS · SQL Injection | 3 |
| DevOops | MEDIUM | XML External Entity · Information Leakage | 4 |
| Devzat | MEDIUM | Fuzzing de directorios · Remote Code Execution (RCE) | 3 |
| Enterprise | MEDIUM | WordPress Exploitation · Buffer Overflow (BoF / ROP) · SQL Injection | 3 |
| Epsilon | MEDIUM | SSTI (Server-Side Template Injection) · Authentication Vulnerabilities · Remote Code Execution (RCE) · JSON Web Tokens (JWT) | 3 |
| Europa | MEDIUM | SQL Injection · Remote Code Execution (RCE) | 4 |
| Flustered | MEDIUM | SSTI (Server-Side Template Injection) · Information Leakage · Remote Code Execution (RCE) | 3 |
| FluxCapacitor | MEDIUM | OS Command Injection · Fuzzing de directorios | 3 |
| Forge | MEDIUM | Server-Side Request Forgery | 3 |
| Haircut | MEDIUM | OS Command Injection · Server-Side Request Forgery | 4 |
| Hawk | MEDIUM | Brute Force / Rate-Limit Bypass · Remote Code Execution (RCE) | 3 |
| Inception | MEDIUM | Local File Inclusion (LFI) · Port Forwarding / Pivoting · WebDAV · Fuzzing de directorios | 3 |
| Jewel | MEDIUM | Information Leakage · Cracking Hashes (hashcat / John) · Insecure Deserialization · Remote Code Execution (RCE) | 3 |
| Lazy | MEDIUM | SUID binaries | 3 |
| Luke | MEDIUM | Information Leakage | 3 |
| Mango | MEDIUM | SQL Injection · SUID binaries | 3 |
| Meta | MEDIUM | Subdomain Enumeration · File Upload Vulnerabilities · Port Forwarding / Pivoting · Remote Code Execution (RCE) | 4 |
| Nineveh | MEDIUM | Remote Code Execution (RCE) · Local File Inclusion (LFI) · Steganography (Stego) · Brute Force / Rate-Limit Bypass | 3 |
| Node | MEDIUM | Information Leakage · OS Command Injection · Cracking Hashes (hashcat / John) · Buffer Overflow (BoF / ROP) · Port Forwarding / Pivoting · SUID binaries | 4 |
| Noter | MEDIUM | SSTI (Server-Side Template Injection) · Information Leakage · OS Command Injection · Fuzzing de directorios · Remote Code Execution (RCE) · JSON Web Tokens (JWT) | 5 |
| Obscurity | MEDIUM | Information Leakage · OS Command Injection · Race Conditions · Remote Code Execution (RCE) | 4 |
| October | MEDIUM | Buffer Overflow (BoF / ROP) | 3 |
| Passage | MEDIUM | CuteNews Exploitation Code Analysis USBCreator D-Bus Privilege Escalation… | 3 |
| Pit | MEDIUM | Information Leakage · SNMP Enumeration · Remote Code Execution (RCE) | 3 |
| Poison | MEDIUM | Local File Inclusion (LFI) · Remote Code Execution (RCE) | 4 |
| Ransom | MEDIUM | Type Juggling / Confusion | 3 |
| RedCross | MEDIUM | Subdomain Enumeration · Buffer Overflow (BoF / ROP) · Remote Code Execution (RCE) · Cross-Site Scripting (XSS) | 3 |
| Retired | MEDIUM | Local File Inclusion (LFI) · Buffer Overflow (BoF / ROP) · Port Forwarding / Pivoting | 4 |
| Schooled | MEDIUM | Cracking Hashes (hashcat / John) · Remote Code Execution (RCE) · Cross-Site Scripting (XSS) | 3 |
| Seal | MEDIUM | Information Leakage · Remote Code Execution (RCE) | 3 |
| Shibboleth | MEDIUM | Remote Code Execution (RCE) | 3 |
| SneakyMailer | MEDIUM | Information Leakage | 3 |
| SolidState | MEDIUM | Information Leakage · Abuso de cron | 3 |
| Stratosphere | MEDIUM | Apache Struts Exploitation (CVE-2017-5638) Python Library Hijacking (Privilege… | 3 |
| TartarSauce | MEDIUM | Remote File Inclusion (RFI) · WordPress Exploitation · Remote Code Execution (RCE) | 4 |
| Tenet | MEDIUM | Insecure Deserialization · Race Conditions | 3 |
| Tenten | MEDIUM | WordPress Exploitation · Cracking Hashes (hashcat / John) · Steganography (Stego) | 3 |
| TheNotebook | MEDIUM | File Upload Vulnerabilities · JSON Web Tokens (JWT) | 3 |
| Time | MEDIUM | Server-Side Request Forgery · Remote Code Execution (RCE) | 4 |
| Timing | MEDIUM | Local File Inclusion (LFI) · File Upload Vulnerabilities | 4 |
| Undetected | MEDIUM | Subdomain Enumeration · Cracking Hashes (hashcat / John) · Remote Code Execution (RCE) | 3 |
| Unicode | MEDIUM | Local File Inclusion (LFI) · JSON Web Tokens (JWT) | 3 |
| Union | MEDIUM | OS Command Injection · SQL Injection · Remote Code Execution (RCE) | 4 |
| Waldo | MEDIUM | Local File Inclusion (LFI) | 3 |
| Wall | MEDIUM | Brute Force / Rate-Limit Bypass · SUID binaries · Fuzzing de directorios · Remote Code Execution (RCE) | 3 |
| Writer | MEDIUM | OS Command Injection · Cracking Hashes (hashcat / John) · SQL Injection · Port Forwarding / Pivoting | 4 |
| AdmirerToo | HARD | Remote Code Execution (RCE) · Subdomain Enumeration · Server-Side Request Forgery | 3 |
| Altered | HARD | Brute Force / Rate-Limit Bypass · SQL Injection · Type Juggling / Confusion · Remote Code Execution (RCE) | 4 |
| Charon | HARD | Cracking Hashes (hashcat / John) · SQL Injection · SUID binaries | 3 |
| CrimeStoppers | HARD | Local File Inclusion (LFI) · Remote Code Execution (RCE) | 3 |
| Dab | HARD | Cracking Hashes (hashcat / John) · Server-Side Request Forgery · SUID binaries · Fuzzing de directorios · Remote Code Execution (RCE) | 3 |
| EarlyAccess | HARD | Information Leakage · Port Forwarding / Pivoting · SQL Injection · Local File Inclusion (LFI) · Cross-Site Scripting (XSS) | 3 |
| Ellingson | HARD | Buffer Overflow (BoF / ROP) · SUID binaries · Remote Code Execution (RCE) | 3 |
| Falafel | HARD | Information Leakage · SQL Injection · Type Juggling / Confusion · File Upload Vulnerabilities | 3 |
| Feline | HARD | Information Leakage · Insecure Deserialization · Directory / Path Traversal · Port Forwarding / Pivoting · Remote Code Execution (RCE) | 4 |
| Flujab | HARD | SQL Injection · SUID binaries · Remote Code Execution (RCE) | 3 |
| Holiday | HARD | SQL Injection · Remote Code Execution (RCE) · Cross-Site Scripting (XSS) | 3 |
| Joker | HARD | Cracking Hashes (hashcat / John) · Port Forwarding / Pivoting · Remote Code Execution (RCE) | 3 |
| Kotarak | HARD | Information Leakage · Port Forwarding / Pivoting · Server-Side Request Forgery | 3 |
| Mischief | HARD | Information Leakage · SNMP Enumeration | 4 |
| Monitors | HARD | Local File Inclusion (LFI) · Information Leakage · Insecure Deserialization · WordPress Exploitation · Remote Code Execution (RCE) | 4 |
| Oouch | HARD | Subdomain Enumeration · Information Leakage · Port Forwarding / Pivoting · OAuth Authentication Vulnerabilities · Remote Code Execution (RCE) | 3 |
| Overflow | HARD | Buffer Overflow (BoF / ROP) · SQL Injection · Remote Code Execution (RCE) | 4 |
| OverGraph | HARD | Subdomain Enumeration · Cross-Site Scripting (XSS) · Information Leakage · SQL Injection · File Upload Vulnerabilities · Fuzzing de directorios · GraphQL Vulnerabilities · Server-Side Request Forgery · SUID binaries · Remote Code Execution (RCE) · JSON Web Tokens (JWT) | 3 |
| Oz | HARD | SSTI (Server-Side Template Injection) · SQL Injection · Port Forwarding / Pivoting · Remote Code Execution (RCE) | 3 |
| Phoenix | HARD | Cracking Hashes (hashcat / John) · SQL Injection · File Upload Vulnerabilities · WordPress Exploitation | 3 |
| Player | HARD | Subdomain Enumeration · Information Leakage · OS Command Injection · Remote Code Execution (RCE) · JSON Web Tokens (JWT) | 4 |
| Pressed | HARD | WordPress Exploitation | 3 |
| Quick | HARD | Information Leakage · Brute Force / Rate-Limit Bypass · Remote Code Execution (RCE) · Cross-Site Scripting (XSS) | 4 |
| Scavenger | HARD | Transferencia de zona DNS · SQL Injection | 3 |
| Shrek | HARD | Information Leakage · Steganography (Stego) · Port Forwarding / Pivoting | 3 |
| Static | HARD | Port Forwarding / Pivoting · SUID binaries · Remote Code Execution (RCE) | 3 |
| Talkative | HARD | Information Leakage · Port Forwarding / Pivoting · Remote Code Execution (RCE) · File Upload Vulnerabilities | 3 |
| Tentacle | HARD | Active Directory | 3 |
| Travel | HARD | WordPress Exploitation · Insecure Deserialization · Remote Code Execution (RCE) | 3 |
| Unbalanced | HARD | Information Leakage · Cracking Hashes (hashcat / John) · Port Forwarding / Pivoting · Pi-hole credenciales por defecto · Remote Code Execution (RCE) | 3 |
| Unobtainium | HARD | Local File Inclusion (LFI) · Information Leakage · Prototype Pollution · OS Command Injection · Port Forwarding / Pivoting · Remote Code Execution (RCE) | 3 |
| Zetta | HARD | Information Leakage · SQL Injection · Brute Force / Rate-Limit Bypass · Remote Code Execution (RCE) | 3 |
| Ariekei | INSANE | Shellshock (CVE-2014-6271) · Port Forwarding / Pivoting | 3 |
| Brainfuck | INSANE | WordPress Exploitation · Information Leakage | 4 |
| CrossFit | INSANE | Subdomain Enumeration · Cracking Hashes (hashcat / John) · Port Forwarding / Pivoting · CSRF (Cross-Site Request Forgery) · Remote Code Execution (RCE) · Cross-Site Scripting (XSS) | 3 |
| CTF | INSANE | Brute Force / Rate-Limit Bypass · Remote Code Execution (RCE) | 4 |
| Fortune | INSANE | OS Command Injection | 3 |
| Fulcrum | INSANE | Remote File Inclusion (RFI) · XML External Entity · Information Leakage · Active Directory · Brute Force / Rate-Limit Bypass · Port Forwarding / Pivoting · Server-Side Request Forgery · Remote Code Execution (RCE) | 3 |
| Jail | INSANE | Buffer Overflow (BoF / ROP) | 3 |
| Nightmare | INSANE | OS Command Injection · SQL Injection · Port Forwarding / Pivoting · Remote Code Execution (RCE) · Cross-Site Scripting (XSS) | 2 |
| Reddish | INSANE | Port Forwarding / Pivoting | 3 |
| Sink | INSANE | HTTP Request Smuggling · Information Leakage | 3 |
| Stacked | INSANE | Subdomain Enumeration · Remote Code Execution (RCE) · Cross-Site Scripting (XSS) | 3 |
| Toby | INSANE | Cracking Hashes (hashcat / John) · Port Forwarding / Pivoting | 3 |