throwback-banner

The following is my reflections and thoughts of TryHackMe’s brand new lab “Throwback”, the first implementation of their “Networks” system. Please prepare for spoilers.

I haven’t had the time nor opportunity to experience pentesting any sort of simulated network such as a Windows corporate environment, only on the sysadmin side of things - so this quite the journey.

1. A Caveat:

Whilst I have an arguably heavy footprint across TryHackMe, this review is a pure reflection of my experience in using the Throwback lab.

I had no involvement in testing nor development of the lab but I must say that I was gifted 30 days access to Throwback on its public release on the goodwill of the admins. Because of this, it’s not for me to say whether or not the price is justified - hopefully, my experience will help you decide that for yourself either way.

Editorial update - 28/09/2020: It seems like some of the issues I experienced were a re-occurring problem - namely the “vote to reset”. TryHackMe are trialing a new system and it’s great to see them act swiftly on collective community feedback.

2. My Previous Knowledge & Expectations

I think it’s worth noting that despite the completion of my degree in Cyber Security as of 2020, I’ve had no exposure to pentesting and pivoting across a simulated corporate environment - least not a lot of seat time with pentesting Windows Servers as a whole; just a lot of familiarity from my sysadmin days.

The Throwback lab has been designed to allow either a “white box” or “black box” experience, where you can follow along with the course material or set yourself free to explore. I followed a hybrid of both, a whole lotta TryHarder, and then referring back to the provided material.

3. The (not so short) TLDR;

In summary, TryHackMe Networks is an incredibly exciting addition to the platform and Throwback has showcased this well. As a room developer, the possibilities that THM Networks offers in developing future content is delightful.

Throwback, whilst having it’s initial teething issues (as could be expected when letting users loose on such a dramatic change to the platform), manages to hit the balance between the extremes of outright spoon-feeding and leaving you stranded on your own.

In credit to the developers of Throwback, they’ve remained diligent in resolving bugs from its launch and just as so to date. Albeit with that said, there are oversights in how users interact with the lab environment itself, which I’ve detailed in this post.

With that said, the lab covers an enormous range of pentesting topics and the obscure tools that revolve around these. From setting up and using a C2 framework to password spraying, pivoting and bypassing A.V, as someone who’d be the first to admit my lack of exposure about this, I felt overwhelmed but inquisitive in trying to figure out how I can use this new-found knowledge in any other pentesting engagements.

Would I recommend Throwback? If the topics listed above are new to you and/or you’ve never attacked a simulated corporate network - absolutely I do.

If this isn’t new territory for you, you may find the content refreshing, but I found the most value to me in taking the “white box” approach. Afterall, £48 for 30 days access is a very reasonable price for the nature of the machines the lab features. Though, there are long-established labs on alternate platforms if you’re looking to hone your skills.

There’s a lot of potential for THM Networks as a whole, I’m very excited to see what else is a fruition of this new feature.

4. Noting Throwback’s Intended Target Audience

It’s important to understand the skillset that the lab has been designed for. Whilst I dislike TryHackMe’s approach to rating the difficulty of content, for the most part, Throwback truly feels like its given rating of what I’d consider an “Intermediate” challenge for the THM user base.

Throwback has been designed for people with no former or little experience in pentesting a Windows domain. If you’re top x on say HTB, this Lab most likely won’t be ground breaking to you.

5. My Favourite Elements:

These features are individually trivial but collectively played a key role in making my journey throughout Throwback enjoyable.

5.1. Everything is Static

Nothing changes, and in this case - that’s a good thing. Whilst you share a subnet with a couple of other users, your subnet remains your subnet. Be it a reset or returning a day later, you’re not on a goose chase in trying to keep your notes up to date.

5.2. The Network Map

It’s a neat little novelty. Having the boxes' “pwn” state update in real-time is pretty cool indeed. There’s room for developing it, i.e. “Latest Hacker: " and other miscellaneous statistics.

Minimal but functional. Does exactly what it says on the tin, no faffing about a silly UI.

thm-throwback-network-map

5.3. Stateful Boxes

This one’s a bit of double-edged sword. I’d complain either way, and I think this is the lesser of two evils.

Your network never truly expires, it only sleeps. Boxes don’t terminate if the expiry timer isn’t extended. This is fantastic in allowing you to return to how you left it (in theory)

In practice, however, I’ve rarely found that to be the case. It’s not so enjoyable to spend a lot of time in passing a users hash and setting up your proxychains to only RDP to a terminal that’s been priv esc’d to local admin from the person before you. Thankfully that was only on one occasion, but boxes can quickly become littered with artefacts if you have noisy neighbours.

I can’t really offer a way to fix this, nor can I decide if it’s something I want changing - you can’t have your cake and eat it too.

5.4. Responsiveness

A particular gripe with the infrastructure on how instances are deployed on TryHackMe is the resources (or rather, therefore, lack of) available. This is especially true with anything Windows. I was extremely pleasantly surprised at how plentiful computing resources such as RAM is dedicated to the boxes.

Overall very responsive input (as responsive as RDP over cloud computing can be), even on a very active subnet, they hold up well.

5.5. Incredibly Approachable

I wasn’t exactly sure as to what I was letting myself in for, and to be honest, it was rewarding to reflect just how quickly I was picking up and applying he things I did two boxes ago. The balance on how the content is delivered is pretty pivotol in this. The boxes have a structured flow and build upon each other.

You’re taught how to use a tool or technique for the first time, just enough to give you the push whilst forcing you to research into it and experiment to get the job done. The next task will use some elements of the previous with a twist to keep it engaging whilst not leaving you hanging.

With 11 boxes, there’s quite a bit to chew through.

5.6. Productive OSINTing

The OSINT factor was nice, employees leak surprising amount of details about their corporation on social media / to friends and family, so I think this was a nice highlight - especially showcasing LeetLinked.

But better yet, demonstrating and having users create lists for password spraying & (a greatly designed) phising campaign genuinely made me feel like I was attacking a real domain.

6. My Criticisms as it Stands

Thankfully my experience has been relatively trouble free, I know of a few people who have had a bad bout of luck. Namely, as it stands (baring in mind this is an entire brand new type of content) there’s an unreasonable amount of potential for things to become somewhat frustrating.

6.1. That Damn “Vote Reset” System

My biggest gripe out of everything is the dependance on resetting your network. The proccess of resetting your network needs to be reworked from how it is currently. At the moment, there must be two votes for the network to be reset. Whilst this democratic approach is the best way for it, there are no means of being alerted nor able to alert other users to cast a vote in resetting other then hoping they’re present in the TryHackMe Discord and see your “Can anyone else on subnet 10.200.x.x please vote to reset because of x,y,z” request in a fast-moving chat.

From my experience, it could often be hours before you get that extra vote for a reset at times. In an environment where experimentation is rightly heavily encouraged, and in turn, the risk of things breaking exponentially increased - it’s purely down to luck it as to whether or not you’ll get a reset in 5 minutes or 5 hours.

This has the potential to be really problematic, especially as a tiny selection (but a selection nontheless) of the tasks rely on changing passwords to gain footholds onto boxes. Through no nefarious means other then just wanting to progress through the network, you in-turn deny someone else the ability to do so.

Granted, any one on your subnet could do this for all users and/or just ruin the boxes; thankfully I haven’t heard of this being done intentionally/maliciously. It’s the name of the game at the end of the day, so I can’t critisce for anything breaking due to other users.

6.2. Predictability

Towards the end of the room the content started to become predictable. Granted there’s only so many different ways to dress the same technique, pivoting was purely one-way. Whilst you have to revist a box or two that you previously pwned, it would be just that: one or two, and at that, you’d just be achieving the same PoE. I feel it’s a bit of a wasted opportunity to not have us having to revisit boxes that we thought were done with, but in actual fact, we only saw the tip of the iceberg with. I address this directly in my suggestions next.

What was somewhat disheartening was the lack of recon and active enumeration. Granted I approached the room mostly “white box”, I’d argue the case that even taking the “black box” approach, a simple nmap scan or two would tell you all that you need to know. There was nothing covered in white box about NFS, drives and the likes

7. Ideas and Suggestions

I appreciate this was the first iteration of THM networks and a beginner/junior focused lab at that. I feel like there’s a few things that really would of added to the lab’s realism and educational value.

pfSense had so, so, so much potential, it’s a shame to see it only be used to execute a php reverse shell for foothold. Of course we’re learning how to be red-teamers here, but there was no discussion let alone working against SIEM or IDS/IPS.

What also left me wanting more was the lack of encouraging and/or show casing persistence. We had the .bat for setting up an agent on Starkiller, but the furthest it went to was just executing the .bat file.

Really would of been great to see something about maintaining persistence even if it was showing that you can cause the aforementioned .bat to launch on boot or certain conditions through services or registry.

The simulation behind the phising campaign and malicious macros being opened leading to a foothold was fantastic. The boxes felt a bit scarce once you were on them. It’d be cool to see attack vectors due to mis-configuration by humans; be it open or wrongly configured shares, repetition of passwords or insecurely configured ACL’s and then on the flip side, fighting against security policies and group policy.

8. Closing Remarks

Phew, braindump over. I just want to say a huge congrats to the THM administrators, and extend an even bigger thanks to the room developers for the insane amount of hours they’ve put into making Throwback, maintaining it as it’s gone public and helping people out ever since.

I thoroughly enjoyed going through the lab, and found it incredibly informative. I personally think there’s a few things that could of been expanded on a little bit further to realy make it something else.

The sheer size of the first iteration of THM Networks would leave ways of improving things regardless, so I hope my feedback (whatever weight that holds) is taken constructively. I’ve seen how the lab has progressed since it’s release, so I’m confident that the odd issue or two that I’ve seen myself and others experience becomes rarer.

Anyhow, so long and thanks for all the fish. ~CMNatic