I Built a Hacking Home Lab for ₹0 — Here's Exactly What I Set Up and How

Six months ago, I was stuck. I had been doing TryHackMe labs and reading PortSwigger theory, but I wanted something more — a space I fully controlled, where I could practice attack techniques, break things completely, and learn from the mess without worrying about someone else's lab timing out or a platform going down.

I also had no money to spend on cloud labs, dedicated hardware, or paid practice environments.

So I spent a week figuring out how to build a complete ethical hacking home lab on my existing laptop — a 2019 HP with 8GB RAM and 256GB SSD, which is about as average a student laptop as exists — using only free, open-source software. I'm going to walk you through exactly what I built, in the order I built it, including the mistakes I made and what they cost me in time.

This setup is what I use every day. It costs nothing ongoing. It works on hardware from 2015 or newer. And it lets me practice skills that directly translate to real penetration testing work.

Legal reminder before anything else: A home lab is a controlled environment you own and operate yourself. Everything described here involves attacking machines you control on your own private network. This is legal, ethical, and the correct way to practice. Never use any of these techniques on systems you don't own or have explicit written authorisation to test.
What this guide covers:
  1. My actual hardware — what I'm running this on
  2. The foundation: VirtualBox and network setup
  3. The attacker machine: Kali Linux setup
  4. The target machines: DVWA, Metasploitable, VulnHub VMs
  5. The full lab architecture — how everything connects
  6. What I practice and in what order
  7. Mistakes I made and how to avoid them
  8. How to expand the lab as your skills grow

My Actual Hardware — What This All Runs On

My Setup (Nothing Special)

  • Laptop: HP 15s, i5 8th Gen, 8GB RAM, 256GB SSD — bought second-hand
  • Operating System: Ubuntu 22.04 LTS (dual-booted with Windows)
  • Internet connection: Standard BSNL Fiber broadband — no dedicated lab network
  • Cost of lab setup: ₹0 (all software free and open source)
  • Storage used by the lab: ~80GB across all virtual machines

If your laptop has 8GB RAM and 100GB free storage, you can run this exact setup. 4GB RAM is workable but slow — you can run one VM at a time rather than two simultaneously. 6GB+ is comfortable. This is not a hardware problem; it is a software configuration problem, and software configuration is free.

Step 1 — The Foundation: VirtualBox and Network Architecture

1. Install VirtualBox — Your Lab's Foundation

VirtualBox (virtualbox.org) is a free, open-source hypervisor — software that lets you run multiple operating systems simultaneously on your main laptop. Each virtual machine (VM) is a completely isolated computer running inside your real computer, sharing its hardware resources.

Why VirtualBox over alternatives: VMware Workstation (paid for full features), Hyper-V (Windows only), and UTM (Mac only) all have limitations for free use. VirtualBox runs on Windows, Linux, and Mac, is completely free, and is more than sufficient for a learning lab.

  • Download VirtualBox from virtualbox.org (the main installer + the Extension Pack, both free)
  • Install VirtualBox first, then install the Extension Pack (adds USB 3.0 support and other features)
  • Default installation settings are fine — no custom configuration needed at this stage

The critical network setup: After installation, go to VirtualBox → File → Host-Only Network Manager and create a new Host-Only network. This creates an isolated private network that exists only between your VMs and your main laptop. Your attack machine and target machines will communicate on this network — completely isolated from your real internet connection and home router. This isolation is important both for learning and for safety.

2. Set Up Kali Linux — Your Attacker Machine

Kali Linux is the industry-standard penetration testing operating system — it comes pre-installed with hundreds of security tools. This is your attack machine: the VM you will operate from when practicing offensive techniques against your target VMs.

  • Download: kali.org/get-kali → choose "Virtual Machines" → VirtualBox version. This downloads a pre-configured .ova file — no manual Linux installation required.
  • Import: VirtualBox → File → Import Appliance → select the downloaded .ova file. Takes 10-15 minutes.
  • Allocate RAM: Right-click the imported VM → Settings → System → set to 2048MB (2GB). Leave your main OS 2GB+ for itself on an 8GB machine.
  • Network setting: Settings → Network → Adapter 1: set to "Host-Only Adapter" and select the Host-Only network you created. This connects Kali to your isolated lab network.
  • Default credentials: Username: kali, Password: kali. Change the password immediately after first boot.

First thing after boot: open a terminal and run sudo apt update && sudo apt upgrade -y. This updates all tools to their current versions. Takes 15-30 minutes and is worth doing before anything else.

Step 2 — The Target Machines: What You'll Actually Attack

A lab without targets is just Kali sitting in a virtual machine doing nothing. The targets are intentionally vulnerable applications and operating systems — built specifically to be attacked so you can practice techniques legally. Here are the three I use, in order of how I set them up:

DVWA — Damn Vulnerable Web Application

Free | Target | Beginner

DVWA is a deliberately vulnerable PHP/MySQL web application — it has intentionally broken versions of every major web vulnerability: SQL injection, XSS, CSRF, file inclusion, command injection, and more. Each vulnerability has difficulty levels (Low/Medium/High/Impossible) so you can practice the basic version first, then work through defences to understand what stops the attack.

Setup: Download the DVWA Docker image (the easiest setup method in 2026) or the DVWA VirtualBox appliance from GitHub. I run it via Docker on my host machine for simplicity — Docker Desktop is free and DVWA spins up with a single command.

# After installing Docker Desktop:
docker pull vulnerables/web-dvwa
docker run -d -p 80:80 vulnerables/web-dvwa
# Then visit http://localhost in your browser
# Default login: admin / password
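
One thing the plain `docker run -d -p 80:80` above does not say out loud: Docker binds that port on every host interface, so DVWA is reachable from any device on your home Wi-Fi, not just from your browser and from Kali. The script below is an added example (not from the original post or from the DVWA project) that starts DVWA published only on loopback and on the host's lab-network address, and then checks the host's TCP listeners for anything still bound to a wildcard address. It assumes the host's address on the VirtualBox host-only network is 192.168.56.1 (the VirtualBox default for the 192.168.56.0/24 network in the diagram; confirm yours with `ip -4 addr show vboxnet0`), and the two `ss -ltn` samples embedded in it are constructed so the check can be run without Docker installed.

```shell
#!/bin/sh
# Added example: confine DVWA to loopback + the host-only lab address, and audit
# which host TCP listeners are exposed on every interface.
# Assumption: the host-only adapter address is 192.168.56.1 (VirtualBox default).

# start_dvwa [hostonly-ip]: `-p 80:80` binds 0.0.0.0:80, i.e. the Wi-Fi adapter too.
# Publishing on explicit addresses keeps DVWA off the home LAN. The host-only
# interface must already exist, otherwise Docker cannot bind to that address.
start_dvwa() {
    hostonly_ip=${1:-192.168.56.1}
    docker run -d --name dvwa \
        -p "127.0.0.1:80:80" \
        -p "$hostonly_ip:80:80" \
        vulnerables/web-dvwa
}

# exposed_listeners [port]: reads `ss -ltn` output on stdin and prints each TCP
# listener bound to a wildcard address (0.0.0.0, [::] or *). With a port argument
# only that port is reported. Returns 0 when nothing is exposed, 1 otherwise.
exposed_listeners() {
    want=$1
    bad=0
    while read -r state recvq sendq laddr rest; do
        [ "$state" = LISTEN ] || continue          # skips the header line
        addr=${laddr%:*}
        port=${laddr##*:}
        [ -z "$want" ] || [ "$port" = "$want" ] || continue
        case "$addr" in
            0.0.0.0|'[::]'|'*')
                echo "port $port listens on $addr (reachable from the whole LAN)"
                bad=1 ;;
        esac
    done
    return $bad
}

# Constructed `ss -ltn` output: DVWA started with the plain `-p 80:80`.
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:80          0.0.0.0:*
LISTEN 0      4096   [::]:80             [::]:*
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*'

# Constructed output after start_dvwa: port 80 only on loopback and the lab address.
SAMPLE_SS_SAFE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:80        0.0.0.0:*
LISTEN 0      4096   192.168.56.1:80     0.0.0.0:*
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*'

# Demo on the constructed samples. On the real host run: ss -ltn | exposed_listeners 80
printf '%s\n' "$SAMPLE_SS_EXPOSED" | exposed_listeners 80 || echo "-> DVWA is on the LAN; restart it with start_dvwa"
printf '%s\n' "$SAMPLE_SS_SAFE" | exposed_listeners 80 && echo "-> DVWA is confined to the lab"
```

From Kali the target is then http://192.168.56.1 (the host's lab address), and from the host browser it is still http://localhost, which is exactly what the diagram further down describes. Note that Docker's published ports are inserted into the host's iptables chains ahead of most desktop firewall rules, so binding to explicit addresses is the reliable control here, not `ufw`.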

Why I use this every week: DVWA is where I translate PortSwigger theory into muscle memory. After studying a vulnerability type in PortSwigger, I immediately practice the same technique in DVWA's Low difficulty before moving to Medium. The gap between reading about SQL injection and actually executing it closes fast here.

Metasploitable 2 — Vulnerable Linux Server

Free | Target | Intermediate

Metasploitable 2 is a deliberately vulnerable Ubuntu Linux server VM, created by Rapid7 (the Metasploit company) specifically for security training. It runs intentionally outdated, misconfigured services — FTP with known vulnerabilities, a broken Samba share, vulnerable web applications, an exploitable IRC daemon, and much more.

Setup: Download from SourceForge (search "Metasploitable 2 download") — it's a .zip containing a pre-built VirtualBox VM. Import it, set its network adapter to the same Host-Only network as Kali, and boot it. Default credentials: msfadmin / msfadmin.

What I practice here: Network scanning with Nmap, service enumeration, using Metasploit to exploit known CVEs against real services, privilege escalation. This VM has 20+ exploitable vulnerabilities — you could spend months here without running out of learning opportunities.

My first successful "root" of a machine happened on Metasploitable. The feeling of getting a root shell on a machine for the first time — even a deliberately vulnerable VM — is something that changes how you understand what "hacking" actually means technically.

VulnHub VMs — When You're Ready for Real Challenges

Free | Target | Intermediate+

VulnHub (vulnhub.com) hosts hundreds of community-created vulnerable VMs — each one a mini CTF (Capture the Flag) challenge. Unlike DVWA and Metasploitable, VulnHub machines are challenge-format: you're given no hints about what vulnerabilities exist, and you must find and exploit them yourself. This closely mimics real penetration testing engagements.

Where to start: Filter by difficulty "Beginner." My first three VulnHub machines: "Kioptrix Level 1" (classic beginner machine), "Basic Pentesting 1," and "Mr-Robot" (based on the TV show — enormous fun). Each is available as a free .ova download.

VulnHub machines were where I first understood what professional penetration testing actually looks like. There is no guided path — you enumerate, you think, you research, you exploit. The first time you root a VulnHub machine without a writeup is when you genuinely understand that you can do this.

Step 3 — The Complete Lab Architecture

Here's how all the pieces connect in my working setup:

## My Home Lab Network Diagram ##

[Host Laptop - Ubuntu]
    ├── VirtualBox Host-Only Network: 192.168.56.0/24
    │
    ├── [Kali Linux VM] — IP: 192.168.56.101 (Attacker)
    │      Adapter 1: Host-Only (lab network)
    │      Adapter 2: NAT (internet access for updates)
    │
    ├── [Metasploitable 2 VM] — IP: 192.168.56.102 (Target)
    │      Adapter 1: Host-Only ONLY (no internet — isolated)
    │
    └── [DVWA via Docker] — Accessible at localhost:80
          Accessible from Kali via host IP on lab network

# VulnHub VMs: added temporarily when practising, removed after

Important network rule: Target VMs (Metasploitable, VulnHub machines) should only have Host-Only networking — no internet access. This prevents any accidental outbound connections from compromised VMs. Kali has a second NAT adapter for internet access when you need to update tools or research exploits, but your targets stay isolated.

What I Actually Practice in This Lab — Daily and Weekly

  • Web Application Attacks (DVWA): SQL injection, manual and automated (sqlmap), XSS (stored and reflected), CSRF, file upload bypass, command injection. Low → Medium → High difficulty progression.
  • Network Enumeration (Metasploitable): Nmap scan variations, service fingerprinting, banner grabbing, identifying vulnerable service versions, port enumeration methodology.
  • Exploitation (Metasploit Framework): Searching CVEs, selecting and configuring modules, payload selection, getting reverse shells, post-exploitation enumeration. All against Metasploitable.
  • Full Methodology (VulnHub): Recon, enumeration, vulnerability identification, exploitation, privilege escalation, documentation. End-to-end pentesting workflow on realistic targets.
  • Burp Suite Practice: Intercepting requests to DVWA, modifying parameters, using Intruder for brute force, Repeater for manual testing, Scanner (limited in Community edition).
  • Privilege Escalation: After getting initial shells on Metasploitable or VulnHub VMs, practice escalating to root using SUID binaries, sudo misconfiguration, kernel exploits, and cron jobs.

Mistakes I Made Building This Lab (Learn From Them)

🚫 Don't Do These

  • I gave Metasploitable a NAT adapter "just in case." A deliberately vulnerable machine with internet access is a security risk on your network. Targets should be Host-Only only. I learned this after reading about people who ran Metasploitable openly on their home network and found unexpected incoming connections.
  • I allocated too much RAM to VMs and starved my host OS. With 8GB total, giving Kali 4GB left only 4GB for Ubuntu — everything slowed to a crawl. Rule: host OS gets half, VMs split the rest. Kali runs fine at 2GB for most tasks.
  • I tried to run too many VMs simultaneously. Kali + Metasploitable + a VulnHub machine simultaneously on 8GB RAM caused constant freezing. Run Kali + one target at a time. Snapshot the target VM's clean state before attacking so you can restore it without re-downloading.
  • I didn't use VirtualBox snapshots. A snapshot saves the entire VM state — disk and memory — at a point in time. Take a snapshot of every target VM in its clean, not-yet-attacked state. When you brick it or complete the challenge, restore the snapshot and start fresh. I re-downloaded Metasploitable twice before I discovered snapshots.
  • I jumped to VulnHub machines before mastering DVWA. VulnHub beginner machines are significantly harder than DVWA Low/Medium difficulty. Trying them too early leads to frustration. Spend at least two weeks with DVWA before moving to VulnHub.
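
Two of the mistakes above (the accidental NAT adapter on a target, and not using snapshots) and the network rule from the architecture section can be enforced from the host shell instead of remembered. The script below is an added example (not from the original post or from VirtualBox) that parses `VBoxManage showvminfo <vm> --machinereadable` output to audit a VM's adapters against the lab rule, and wraps the per-session routine of restoring a target's clean snapshot, auditing its adapters, and only then booting it. It assumes `VBoxManage` is on your PATH and that each target has a snapshot named `clean` (both assumptions; use your own names). The two `showvminfo` samples embedded in it are constructed, so the audit function can be run without VirtualBox present.

```shell
#!/bin/sh
# Added example: audit a VirtualBox VM's network adapters against the lab rule and
# reset a target to its clean snapshot before a practice session.
# Assumptions: VBoxManage is on PATH; every target has a snapshot called "clean".

# audit_nics <role>: reads `VBoxManage showvminfo <vm> --machinereadable` output on
# stdin. Prints every adapter that breaks the lab rule and returns 1 if any did.
#   target   -> only "hostonly" (or "none") adapters are allowed
#   attacker -> "hostonly" plus a "nat" adapter for updates is allowed
audit_nics() {
    role=$1
    bad=0
    while IFS= read -r line; do
        case "$line" in
            nic[0-9]*=*) ;;            # nic1="hostonly", nic2="nat", nic3="none", ...
            *) continue ;;
        esac
        idx=${line#nic}; idx=${idx%%=*}
        mode=${line#*=}; mode=${mode#\"}; mode=${mode%\"}
        case "$mode" in
            none|hostonly) ;;
            nat)
                if [ "$role" != attacker ]; then
                    echo "adapter $idx is nat: a target must not reach the internet"
                    bad=1
                fi ;;
            *)                         # bridged, natnetwork, intnet, generic, ...
                echo "adapter $idx is $mode: lab rule is Host-Only only for targets"
                bad=1 ;;
        esac
    done
    return $bad
}

# reset_target <vm-name>: restore the clean snapshot, refuse to boot the VM if its
# adapters are wrong, then start it headless. Needs the live VBoxManage.
reset_target() {
    vm=$1
    VBoxManage controlvm "$vm" poweroff 2>/dev/null      # no-op if already off
    VBoxManage snapshot "$vm" restore clean || return 1
    VBoxManage showvminfo "$vm" --machinereadable | audit_nics target || {
        echo "refusing to start $vm: fix Settings -> Network first" >&2
        return 1
    }
    VBoxManage startvm "$vm" --type headless
}

# Constructed showvminfo output for a mis-configured target (a bridged adapter).
SAMPLE_BAD_TARGET='name="Metasploitable2"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="bridged"
bridgeadapter1="wlp2s0"
nic3="none"'

# Constructed showvminfo output for the attacker VM as drawn in the diagram above.
SAMPLE_KALI='name="Kali"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="nat"
nic3="none"'

# Demo on the constructed samples (no VirtualBox needed for these two lines).
printf '%s\n' "$SAMPLE_BAD_TARGET" | audit_nics target || echo "-> Metasploitable2 is NOT isolated"
printf '%s\n' "$SAMPLE_KALI" | audit_nics attacker && echo "-> Kali adapters match the lab rule"
```

Take the snapshot once, right after importing a target and before touching it (`VBoxManage snapshot Metasploitable2 take clean`), and from then on start every session with `reset_target Metasploitable2`. Because the audit runs after the snapshot restore and before `startvm`, a target whose adapter was switched to Bridged never gets a chance to come up on the home network.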

How to Expand the Lab as Your Skills Grow

The setup above covers the first 3-6 months of learning. When you're ready to go further:

  • Add a Windows Server VM (free evaluation license): Microsoft provides 180-day evaluation versions of Windows Server at no cost. Adding a Windows target lets you practice Active Directory attacks — a major component of real-world corporate penetration testing. Active Directory exploitation (Kerberoasting, Pass-the-Hash, BloodHound) is one of the highest-demand pentesting skill areas.
  • Add a second Kali or Parrot OS as a "defender" machine: Practicing detection and blue-team skills alongside offensive skills makes you a more complete security professional and improves your understanding of how attackers evade detection.
  • Download purpose-built vulnerable app VMs: WebGoat (OWASP's deliberately vulnerable Java web app), Juice Shop (OWASP's modern vulnerable Node.js app, which also has API vulnerabilities), and the HackTheBox Starting Point machines are all worth adding progressively.
  • Set up a documentation habit: Keep a Notion page or markdown files documenting every machine you attack — your methodology, what you found, what worked, what didn't. This becomes your portfolio and your memory. The machines blur together without documentation.

The thing nobody tells you about home labs: The lab itself teaches you nothing. What teaches you is the struggle of figuring out why something isn't working, why a tool produces unexpected output, and why an exploit fails on a real-looking target that it worked on in theory. The frustration is the learning. Budget time for confusion — it is not a sign you're doing it wrong.

About the Author

Amardeep Maroli

MCA student from Kerala, India. I built this exact lab on a second-hand laptop and use it every day. TechWithAmardeep is my learning journal — I write what I figure out so others don't spend the same hours I did on the same mistakes.

Home Lab Setup — FAQs

Can I build this lab on a laptop with only 4GB RAM?
Yes, but with constraints. With 4GB RAM you cannot run two VMs simultaneously — you'll need to run Kali and your target machine one at a time by suspending one while the other runs. DVWA via Docker on your host machine works well as a web target without consuming a separate VM's RAM allocation. The core learning is still fully accessible; the workflow is just slightly more manual. A practical workaround: use TryHackMe's browser-based labs for network scanning practice and save your local lab for web application testing where DVWA works well within RAM limits.
Is it safe to run Metasploitable on my home network?
Only if it is isolated on a Host-Only network as described above. Metasploitable is designed to be exploited — it has deliberately broken security on every level. On a Host-Only network, it is only accessible from your VMs and your host machine, not from the internet or other devices on your home WiFi. The mistake to avoid: accidentally setting Metasploitable to "Bridged" networking, which would expose it directly to your home network. Always verify the network adapter setting before starting a vulnerable VM. Host-Only only for all targets.
Why use Kali Linux instead of just installing tools on Windows?
Two reasons. First, most professional security tools are built for Linux and work best or exclusively there. Nmap, Metasploit, Burp Suite, Wireshark, sqlmap, Gobuster, Hydra — all run on Kali without any configuration. Installing equivalent versions on Windows is often complex, slower, and has compatibility issues. Second, the industry uses Linux-based environments for security work. Learning Kali alongside security techniques means you're building skills in the same environment professionals use — including the command-line workflows, file structures, and tool configurations. You could use Parrot OS or BlackArch as Kali alternatives; both are free and excellent. Kali has the most tutorials and community resources, which matters when you're troubleshooting at 11pm.
How long until I can root my first Metasploitable machine?
If you follow the order: TryHackMe Pre-Security path → TryHackMe Nmap room → TryHackMe Metasploit room → set up lab → attack Metasploitable — most people get their first shell within 1-2 weeks of having the lab set up. Metasploitable is intentionally easy — the services are running obvious, well-documented vulnerabilities with Metasploit modules that work reliably. The purpose is not to be challenging; it's to give you a successful experience in a controlled environment before you move to actual challenges. If you're struggling, the TryHackMe "Metasploit" room walks through the exact workflow on a similar environment.
Tags: cybersecurity home lab free, kali linux virtualbox setup, DVWA setup guide, Metasploitable 2 tutorial, ethical hacking home lab India, free hacking lab 2026, VulnHub beginner guide

What's your current lab setup? I'm especially curious whether people are using cloud-based labs (which cost money long-term) vs local VMs. Drop your setup in the comments — I want to know what works for different hardware configurations.
