
Building My First Cybersecurity Home Lab While Studying for PJPT

Jun 14, 2026 · 10 min read · Tags: Proxmox · Kali Linux · TCM Security · PJPT · Pentesting Lab


I broke my lab multiple times. I nuked Kali mid-session, I misconfigured Metasploitable so badly it became unreachable, I accidentally exposed a vulnerable VM to my main network. Every time, I reverted to a clean snapshot and started over.

And honestly? That's where most of the learning happened.

This is the real story of how I set up my first cybersecurity home lab when I was studying for the Practical Junior Penetration Tester (PJPT) certification from TCM Security. I still use the same setup today. It's evolved, but the core is the same.

Why I Chose PJPT Over Other Certs

Most beginner cybersecurity certs are theory-heavy. You memorise definitions, pass a multiple-choice exam, get a certificate, and still don't know how to actually hack anything. PJPT from TCM Security is different: it's a 48-hour practical exam against a live environment, followed by a written report. You have to compromise a target. No multiple choice. No memorisation shortcuts.

Heath Adams (The Cyber Mentor) built TCM Security with the philosophy that you learn by doing. The Practical Ethical Hacking course that comes with PJPT prep is probably the best beginner pentesting course I've seen: it's dense, it's hands-on, and it actually teaches you to think like an attacker.

But the course assumes you have a lab to practice in. So I built one.

The Setup: Proxmox as the Foundation

I had been running Proxmox already (more on that in my Proxmox nodes post), so the obvious move was to create a dedicated lab environment as isolated VMs. No risk to my main network, easy snapshots, quick resets when things break.

πŸ‰
Kali Linux
Attack machine Β· Main toolkit
πŸ’€
Metasploitable 2
Intentionally vulnerable target
πŸ•ΈοΈ
DVWA
Web app vuln practice
πŸͺŸ
Windows Server
Active Directory lab (later)
πŸ”’
Isolated VLAN
Lab network Β· No external routing

Network Isolation: Non-Negotiable

Before spinning up any vulnerable VM, I created a completely isolated network in Proxmox: a Linux bridge with no physical port, and therefore no uplink. Don't give the Proxmox host an IP address on that bridge either, or the host itself becomes a route out of the lab. Nothing on the lab bridge can reach the internet or my main LAN. Metasploitable and DVWA are intentionally vulnerable; you do not want those reachable from anywhere except your Kali machine.

Lesson learned the hard way: My first attempt, I put the lab VMs on my main network bridge by mistake. Within 10 minutes, Metasploitable's FTP service was showing up in my router's ARP table and had an active session I didn't initiate. Isolated VLANs are not optional; they're the first thing you set up.
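A check for exactly that mistake, as an added example that is not from the original post: parse the host's /etc/network/interfaces to confirm the lab bridge has no physical port and no host address, then parse `qm config` output to confirm every target VM's NICs sit on that bridge. The bridge name vmbr99, the VM IDs 200/201/202 and both sample config texts are assumptions, constructed so the script runs offline; on a real host feed it `cat /etc/network/interfaces` and `qm config <vmid>` instead.

```shell
#!/bin/sh
# Added example (not from the original post): verify lab isolation on a Proxmox host.
# Assumptions: lab bridge vmbr99; target VM IDs 201 and 202; attacker VM 200.
# The interfaces file and qm config text below are constructed sample input.
LAB_BRIDGE="${LAB_BRIDGE:-vmbr99}"

# Constructed host config: vmbr0 carries the physical uplink, vmbr99 has none.
SAMPLE_INTERFACES='auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.10/24
        gateway 192.168.1.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

auto vmbr99
iface vmbr99 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0'

# Constructed `qm config` output; VM 202 was put on the wrong bridge by mistake.
sample_qm_config() {
    case "$1" in
        200) printf 'name: kali\nnet0: virtio=BC:24:11:00:00:01,bridge=vmbr99\nnet1: virtio=BC:24:11:00:00:02,bridge=vmbr0\n' ;;
        201) printf 'name: metasploitable2\nnet0: e1000=BC:24:11:00:00:03,bridge=vmbr99\n' ;;
        202) printf 'name: dvwa\nnet0: virtio=BC:24:11:00:00:04,bridge=vmbr0\n' ;;
    esac
}

# bridge_stanza INTERFACES_TEXT BRIDGE -> prints only that bridge's iface block
bridge_stanza() {
    printf '%s\n' "$1" | awk -v br="$2" '
        /^iface /       { inblock = ($2 == br); if (inblock) print; next }
        /^[^[:space:]]/ { inblock = 0 }     # next top-level keyword ends the block
        inblock         { print }'
}

# bridge_is_isolated INTERFACES_TEXT BRIDGE -> 0 if the bridge has no physical
# port and no host address or gateway, otherwise 1 with the reason on stderr.
# Handles both ifupdown2 (bridge-ports) and legacy ifupdown (bridge_ports).
bridge_is_isolated() {
    stanza=$(bridge_stanza "$1" "$2")
    [ -n "$stanza" ] || { echo "$2: not defined" >&2; return 1; }
    if printf '%s\n' "$stanza" | grep -Eq '^[[:space:]]*bridge[-_]ports[[:space:]]+' &&
       ! printf '%s\n' "$stanza" | grep -Eq '^[[:space:]]*bridge[-_]ports[[:space:]]+none[[:space:]]*$'; then
        echo "$2: has a physical port, so it has an uplink" >&2; return 1
    fi
    if printf '%s\n' "$stanza" | grep -Eq '^[[:space:]]*(address|gateway)[[:space:]]'; then
        echo "$2: host has an address on it, so the host can route into the lab" >&2; return 1
    fi
    return 0
}

# nics_off_bridge QM_CONFIG_TEXT BRIDGE -> number of netN lines NOT on BRIDGE
nics_off_bridge() {
    printf '%s\n' "$1" | awk -v br="$2" -F'bridge=' '
        /^net[0-9]+:/ { split($2, a, ","); if (a[1] != br) n++ }
        END { print n + 0 }'
}

# check_lab -> 0 only if the bridge is isolated and every target VM has all of
# its NICs on it. The attacker VM (200) may keep a second NIC for updates.
check_lab() {
    ok=0
    bridge_is_isolated "$SAMPLE_INTERFACES" "$LAB_BRIDGE" || ok=1
    for vmid in 201 202; do
        n=$(nics_off_bridge "$(sample_qm_config "$vmid")" "$LAB_BRIDGE")
        if [ "$n" -gt 0 ]; then
            echo "VM $vmid: $n NIC(s) not on $LAB_BRIDGE" >&2; ok=1
        fi
    done
    return $ok
}

check_lab && echo "lab isolation OK" || echo "lab isolation FAILED"
```

With the constructed input the script reports VM 202 as sitting on vmbr0 and fails, which is the state I was in for those first 10 minutes. Run it before the first boot of any target, not after.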

Kali Linux on Proxmox

I downloaded the pre-built Kali Linux QEMU image (a QCOW2 disk) from the official Kali site. This is faster than installing from ISO; it's ready to boot in minutes.

In Proxmox:

  1. Create a new VM with UEFI (OVMF) firmware, 4 vCPUs, 8GB RAM
  2. Import the QCOW2 disk: qm importdisk <vmid> kali.qcow2 local-lvm (it appears on the VM as an unused disk)
  3. Attach the imported disk to the VM and set it as the boot disk (Options > Boot Order)
  4. Attach net0 to the isolated bridge, not the main one. Kali needs internet access for updates, so give Kali (and only Kali) a second NIC on the main bridge if you must; the targets never get one
  5. Boot, run kali-tweaks, install any missing tools

The first thing I did after booting Kali: take a clean snapshot. This became my "nuclear option": the baseline state I could always revert to if I completely broke something. Which I did. Repeatedly.

Metasploitable 2: The Perfect First Target

Metasploitable 2 is a Linux VM that's deliberately full of vulnerabilities. It's what TCM Security's course uses for practising exploitation. Import the VMDK into Proxmox:

# Convert VMDK to qcow2 first
qemu-img convert -f vmdk -O qcow2 metasploitable.vmdk metasploitable.qcow2

# Import into Proxmox
qm importdisk <vmid> metasploitable.qcow2 local-lvm

Put Metasploitable on the same isolated bridge as Kali. That's the only connection it needs.
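The Kali steps above and the Metasploitable import are the same procedure with different hardware, so here is the whole thing as one function. This is an added example, not code from the original post: it assumes storage local-lvm, lab bridge vmbr99, and two hardware profiles, `modern` (OVMF, virtio-scsi disk, virtio NIC, for Kali) and `legacy` (SeaBIOS, IDE disk, e1000 NIC, for Metasploitable 2, whose 2008-era kernel predates the virtio drivers). The DRY_RUN switch and the efidisk options are my choices.

```shell
#!/bin/sh
# Added example (not from the original post): import a disk image into Proxmox,
# attach it to the isolated lab bridge, make it bootable, and snapshot it.
# Assumptions: storage local-lvm, lab bridge vmbr99, profiles:
#   modern -> OVMF/UEFI, virtio-scsi disk, virtio NIC (Kali)
#   legacy -> SeaBIOS, IDE disk, e1000 NIC (Metasploitable 2)
# DRY_RUN=1 prints the commands instead of executing them.
set -eu

STORAGE="${STORAGE:-local-lvm}"
LAB_BRIDGE="${LAB_BRIDGE:-vmbr99}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# import_lab_vm VMID NAME IMAGE PROFILE [CORES] [MEM_MB]
import_lab_vm() {
    vmid=$1; name=$2; image=$3; profile=$4; cores=${5:-2}; mem=${6:-2048}

    case "$image" in
        *.vmdk)     # convert to qcow2 as the post does (qm importdisk also reads VMDK)
            qcow="${image%.vmdk}.qcow2"
            run qemu-img convert -f vmdk -O qcow2 "$image" "$qcow"
            image=$qcow ;;
    esac

    case "$profile" in
        modern) bios=ovmf;    disk_opt=--scsi0; boot=scsi0; nic=virtio ;;
        legacy) bios=seabios; disk_opt=--ide0;  boot=ide0;  nic=e1000 ;;
        *) echo "unknown profile: $profile" >&2; return 1 ;;
    esac

    # net0 on the lab bridge only: no path to the LAN or the internet
    run qm create "$vmid" --name "$name" --cores "$cores" --memory "$mem" \
        --bios "$bios" --ostype l26 --scsihw virtio-scsi-pci \
        --net0 "$nic,bridge=$LAB_BRIDGE"

    # The imported disk becomes vm-<vmid>-disk-0 and is left as unused0; attach
    # it and boot from it. Import before adding the EFI vars disk so the disk
    # numbering stays predictable.
    run qm importdisk "$vmid" "$image" "$STORAGE"
    run qm set "$vmid" "$disk_opt" "$STORAGE:vm-$vmid-disk-0" --boot "order=$boot"
    if [ "$bios" = ovmf ]; then
        run qm set "$vmid" --efidisk0 "$STORAGE:1,efitype=4m,pre-enrolled-keys=0"
    fi

    # Baseline snapshot before first boot; the rule is never to delete it
    run qm snapshot "$vmid" clean-baseline --description "fresh import"
}

# Usage: ./import_lab_vm.sh 200 kali kali.qcow2 modern 4 8192
#        ./import_lab_vm.sh 201 metasploitable2 metasploitable.vmdk legacy 1 512
if [ $# -gt 0 ]; then
    import_lab_vm "$@"
fi
```

Run it once with DRY_RUN=1 and read the commands before letting it touch the host; the one thing to eyeball every time is that net0 says bridge=vmbr99 and nothing says vmbr0.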

What I Practiced on Metasploitable

TCM Security's course walks you through the methodology: reconnaissance → scanning → exploitation → post-exploitation. Here's the actual workflow I ran every session:

# Step 1: Discover the target
netdiscover -r 192.168.100.0/24

# Step 2: Full port scan (all 65535 TCP ports), default scripts, version detection
nmap -p- -sC -sV -oN metasploitable_scan.txt 192.168.100.x

# Step 3: Identify services β€” Metasploitable has a lot
# vsftpd 2.3.4 (backdoor), Samba, distcc, UnrealIRCd...

# Step 4: Exploit with Metasploit
msfconsole
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 192.168.100.x
run

The vsftpd backdoor exploit was the first shell I ever got on a target. It felt absurd how easy it was, and that's exactly the point. Real systems run old services. Real admins don't patch quickly enough.
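Step 3 of that workflow is where I spent the most time early on, so here is the triage as a script. It is an added example, not from the original post: it pulls the open ports out of the nmap -oN file, flags the services the post names for Metasploitable 2 (vsftpd 2.3.4, Samba, distcc, UnrealIRCd), and only writes a Metasploit resource script for the vsftpd module if that version was actually seen. The scan text is constructed to look like a -oN report of a host at 192.168.100.20, and the KNOWN_RE list is my own.

```shell
#!/bin/sh
# Added example (not from the original post): triage an nmap -oN report.
# Assumptions: SAMPLE_SCAN below is constructed sample output; KNOWN_RE is my
# list of the Metasploitable 2 services the post mentions, extend it as you go.

SAMPLE_SCAN='# Nmap 7.94 scan initiated Sun Jun 14 10:00:00 2026 as: nmap -p- -sC -sV -oN metasploitable_scan.txt 192.168.100.20
Nmap scan report for 192.168.100.20
Host is up (0.00041s latency).
Not shown: 65527 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
6667/tcp  open  irc         UnrealIRCd
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# Nmap done at Sun Jun 14 10:05:00 2026 -- 1 IP address (1 host up) scanned'

# open_ports SCAN_TEXT -> "port/proto service version" for every open port.
# Script output lines (|_...) and the PORT header never match the first field.
open_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            ver = ""
            for (i = 4; i <= NF; i++) ver = ver (i > 4 ? " " : "") $i
            print $1, $3, ver
        }'
}

# Matched against "service version", so the vague "Samba smbd 3.X - 4.X"
# banner on 139 is not flagged while the real 3.0.20 banner on 445 is.
KNOWN_RE='vsftpd 2\.3\.4|Samba smbd 3\.0\.|distccd|UnrealIRCd'

# flag_known SCAN_TEXT -> the open_ports lines worth looking at first
flag_known() {
    open_ports "$1" | grep -E "$KNOWN_RE"
}

# target_ip SCAN_TEXT -> the scanned address from the report header
# (handles both "report for 10.0.0.5" and "report for host (10.0.0.5)")
target_ip() {
    printf '%s\n' "$1" | awk '/^Nmap scan report for/ { gsub(/[()]/, "", $NF); print $NF; exit }'
}

# vsftpd_rc SCAN_TEXT -> Metasploit resource script for the post's first
# exploit, but only if the scan actually shows vsftpd 2.3.4
vsftpd_rc() {
    ip=$(target_ip "$1")
    open_ports "$1" | grep -q 'vsftpd 2\.3\.4' || {
        echo "vsftpd 2.3.4 not seen on $ip; nothing to do" >&2; return 1; }
    printf 'use exploit/unix/ftp/vsftpd_234_backdoor\nset RHOSTS %s\nrun\n' "$ip"
}

# Usage on a real scan:  ./triage.sh metasploitable_scan.txt > vsftpd.rc
#                        msfconsole -q -r vsftpd.rc
if [ $# -gt 0 ]; then
    scan=$(cat "$1")
    flag_known "$scan" >&2
    vsftpd_rc "$scan"
fi
```

The point of the guard in vsftpd_rc is the habit: the module is only worth firing when the banner says 2.3.4, and the same pattern (parse, match a version, then act) is what the rest of the Metasploitable list needs too.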

DVWA: Web App Practice

DVWA (Damn Vulnerable Web Application) is a PHP/MySQL app. Rather than setting it up from scratch, I used the pre-built DVWA Docker image on a simple Ubuntu CT in Proxmox. Two caveats: Docker inside an LXC container needs the nesting feature enabled on the CT (Proxmox's own advice is to run Docker in a VM instead), and -p 80:80 publishes the app on every address the container has, so the CT's network interface has to sit on the isolated bridge like everything else.

docker run -d -p 80:80 vulnerables/web-dvwa

DVWA has difficulty levels (Low, Medium, High, plus an Impossible level that shows the properly fixed code). I started on Low to understand how SQL injection, XSS, and command injection work, then moved to Medium to understand how defences can be bypassed. The TCM course covers this systematically.

The Snapshot Habit That Saved Me

The single most valuable habit I built was snapshot before every major session or change. In Proxmox, snapshots are instant and take almost no space if you're using ZFS or thin-provisioned LVM.

Specific situations where snapshots saved me:

# Create snapshot in Proxmox CLI
# --vmstate 1 also saves RAM, so a rollback resumes the running session. It only
# works while the VM is running and the saved state is as big as the VM's RAM,
# so leave it off for a baseline taken while the VM is powered off
qm snapshot <vmid> "clean-baseline-kali" --vmstate 1

# List snapshots
qm listsnapshot <vmid>

# Rollback
qm rollback <vmid> clean-baseline-kali

Snapshot naming convention: I use clean-baseline for the fresh install snapshot, pre-[thing] before anything risky, working-[date] when things are good and stable. Never delete clean-baseline.
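That convention turned into a small script once the lab had more than two VMs. Added example, not from the original post: checkpoint every lab VM as pre-LABEL before a risky session, roll the whole lab back to clean-baseline, and refuse to delete anything named clean-baseline. The VM IDs in LAB_VMS and the DRY_RUN switch are assumptions; the name check mirrors Proxmox's snapshot-name rule (a letter first, then letters, digits, _ or -).

```shell
#!/bin/sh
# Added example (not from the original post): the snapshot convention as a script.
# Assumptions: lab VM IDs in LAB_VMS; DRY_RUN=1 prints commands instead of running them.
set -eu

LAB_VMS="${LAB_VMS:-200 201 202}"   # kali, metasploitable2, dvwa (assumed IDs)
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Proxmox snapshot names: letter first, then letters, digits, _ or -
valid_snapname() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9_-]*$'
}

# lab_checkpoint LABEL [--vmstate]: snapshot every VM as pre-LABEL.
# --vmstate also saves RAM so rollback resumes mid-session, but it only works
# on a running VM and costs as much space as the VM has memory.
lab_checkpoint() {
    name="pre-$1"
    valid_snapname "$name" || { echo "bad snapshot name: $name" >&2; return 1; }
    for vmid in $LAB_VMS; do
        if [ "${2:-}" = --vmstate ]; then
            run qm snapshot "$vmid" "$name" --vmstate 1
        else
            run qm snapshot "$vmid" "$name"
        fi
    done
}

# lab_reset: the nuclear option for the whole lab
lab_reset() {
    for vmid in $LAB_VMS; do
        run qm rollback "$vmid" clean-baseline
    done
}

# lab_forget NAME: delete a snapshot everywhere, except the baseline
lab_forget() {
    case "$1" in
        clean-baseline*) echo "refusing to delete $1" >&2; return 1 ;;
    esac
    for vmid in $LAB_VMS; do
        run qm delsnapshot "$vmid" "$1"
    done
}

# Usage: ./lab-snap.sh checkpoint ad-lab --vmstate | reset | forget pre-ad-lab
if [ $# -gt 0 ]; then
    cmd=$1; shift
    case "$cmd" in
        checkpoint) lab_checkpoint "$@" ;;
        reset)      lab_reset ;;
        forget)     lab_forget "$@" ;;
        *) echo "usage: $0 checkpoint LABEL [--vmstate] | reset | forget NAME" >&2; exit 2 ;;
    esac
fi
```

The guard in lab_forget is the whole reason the script exists: a tired `qm delsnapshot` at 2am is how a baseline disappears.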

Active Directory Lab (The Hard Mode)

Once I got comfortable with Metasploitable, TCM Security's course moves into Active Directory attacks, which is where real enterprise pentesting lives. I set up a mini AD lab:

The AD lab is where I learned about LLMNR poisoning, SMB relay attacks, Pass-the-Hash, and Kerberoasting. This is the material the PJPT exam actually tests. If you're doing PJPT, don't skip the AD section.

Tools I Actually Used (Not Just the Full List)

Every "Kali tools" post lists 100+ tools. Here's what I actually ran regularly while studying PJPT:

Getting the PJPT Cert

The PJPT exam is a live, hands-on engagement. You have 48 hours to compromise a network and a further 48 hours to write the report. The exam tests actual skill: can you enumerate, find a foothold, move laterally, and document your findings like a professional pentest report?

Building the home lab was the preparation. The lab gave me a safe space to mess up, learn from it, and develop the muscle memory for the tools and methodology. By the time I sat the exam, the workflow felt natural.

I still use the lab now β€” I just add new targets and scenarios as I learn new techniques. It's never really "done." That's the point.

If you're starting out: You don't need expensive hardware. Proxmox on an old PC or a mini PC, Kali QCOW2 image, Metasploitable 2, and the TCM Security Practical Ethical Hacking course. That's the full stack. Everything else comes later.

Tech used: Proxmox VE · Kali Linux · Metasploitable 2 · DVWA · Windows Server 2019 · Nmap · Metasploit · Wireshark · Responder · CrackMapExec · Impacket · TCM Security PJPT