Forgotten Implant on TryHackMe – Learning Experience Design

On July 28th, 2023, TryHackMe released my second TryHackMe room, Forgotten Implant, to the public. Forgotten Implant is a cybersecurity learning experience that challenges learners to “use a forgotten C2 implant to get initial access” to a machine.

While the GitHub repository holds all the information about the room, I am writing this article to highlight a few key considerations regarding the room’s Learning Experience Design (LXD).

A key reason for doing this is that, in my opinion, the cybersecurity education space needs to put more effort into educational questions. Given that cybersecurity education is thriving and there have been many great projects and improvements over the last few years, it is time to take educational aspects (e.g., didactics, methods, approaches, etc.) more seriously. This includes being more open and transparent – both with regard to learners and other educators – about the design, goals, etc. of our learning experiences.

As I have also written about my first TryHackMe room, Hamlet, this article will be focused on LXD. Feel free to also look at the Hamlet article for additional insights on TryHackMe and the idea of CTF rooms more generally.

Forgotten Implant on TryHackMe

TryHackMe is an innovative and largely community-driven platform for cybersecurity education. At the core of TryHackMe’s educational model are so-called Rooms. A room is a self-contained learning experience that allows learners to engage with materials (including assessments) and, more importantly, virtual machines.

Generally speaking, there are challenge rooms of varying difficulty (CTFs) and so-called walkthrough rooms, which are essentially short and guided online courses.

Forgotten Implant is a challenge room of medium (TryHackMe scale) difficulty. Learners are confronted with a vulnerable machine and have to gain access as well as elevate their privileges to root. Doing so, they can collect two flags that serve as evidence for having achieved initial access and privilege escalation.

The unique thing about Forgotten Implant is that there are no open ports on the machine. However, after a port scan, the machine will connect back to the system running the scan, i.e., the learner. Here, the room simulates a “forgotten” C2 implant trying to establish a reverse connection. Hence, to gain initial access, learners will have to identify the incoming network traffic, reverse the C2 protocol, and leverage the reverse connection and C2 capabilities of the implant. Once they are on the machine, learners will need to leverage stored credentials as well as a vulnerable phpMyAdmin in order to move laterally. Finally, they can escalate privileges to root by leveraging overly lenient sudo rights.

Solving these challenges, and most likely building their own C2 interface along the way, learners both acquire and demonstrate a series of competencies (see Learning Objectives). From this perspective, CTF rooms might be considered a form of Problem-Based Learning (PBL), in which learners solve a (more or less) real-world problem.

In order to follow along with the LXD considerations, a general understanding of the room and its challenges beyond this introduction might be helpful. If you do not want to give it a go yourself, you can have a look at the official walkthrough.

Learning Experience Design Considerations

In the following, I am going to discuss some of the LXD considerations made during the development and testing of Forgotten Implant. Of course, this is not a comprehensive discussion; I am only going to highlight some aspects that I consider particularly relevant for designing rooms like this.

In doing so, I will follow a constructive alignment approach, trying to match learning objectives with learning activities as well as the assessment. Finally, I am also going to briefly discuss the importance of immersion and storytelling as well as User Acceptance Testing.

Learners and Prerequisites

Forgotten Implant has been designed as a learning experience for intermediate and experienced hackers. While beginners can absolutely do it, it will be a stretch and require quite a bit of learning and tinkering. On TryHackMe, based on feedback gained during User Acceptance Testing, the room is ranked as medium. That said, some testers ranked the room as more difficult. Hence, I would argue that the room is at the top end of medium on TryHackMe.

In terms of technical prerequisites, learners need to have…

  • foundational knowledge about Command and Control (C2)
  • foundational knowledge about networking and HTTP
  • foundational knowledge about Linux
  • some experience using Wireshark or similar tools
  • some experience finding and leveraging public exploits

Learning Objectives

Forgotten Implant has a series of learning objectives. While most of them are geared toward more technical competencies (e.g., reversing a protocol), the room also highlights that we are often faced with idiosyncratic and custom systems that force us to go beyond our established methodologies and approaches.

Hacking your way through this room, you will learn how to …

  • use tools like Wireshark to monitor network traffic.
  • use HTTP, Base64, and JSON in the context of a simple HTTP client-server architecture.
  • reverse engineer a simple C2 protocol.
  • build a simple C2 interface using Python in order to interface with a C2 implant.
  • leverage stored credentials in order to move laterally.
  • exploit phpMyAdmin (4.8.1) using a public RCE exploit.
  • leverage sudo and PHP in order to escalate privileges.
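To make the reversing objectives above a bit more tangible, here is a small added example of the analysis a learner performs in the first phase: spotting inbound traffic that arrives at a regular interval and peeling the HTTP, JSON, and Base64 layers apart. This is not code from the Forgotten Implant room or its GitHub repository, and the protocol it decodes is a hypothetical stand-in, not the room’s actual implant protocol. The three requests are constructed for this example, written as they would appear in a Wireshark “Follow TCP stream” view, and the Host header uses a documentation address (RFC 5737) in place of the learner’s machine.

```python
"""Profile an inbound HTTP beacon and peel its encoding layers.

Added example, not code from the Forgotten Implant room. The implant
protocol below is hypothetical: each request carries JSON whose "data"
field is Base64 wrapping a second JSON document. Real implants differ;
the workflow (split the request, parse JSON, decode the next layer, check
the timing for periodicity) is what the example demonstrates.
"""
import base64
import json
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed capture: (arrival time in seconds, raw HTTP request).
# 192.0.2.10 is an RFC 5737 documentation address standing in for the
# analyst's box that the implant connects back to.
CAPTURE = [
    (10.02,
     "POST /beacon HTTP/1.1\r\n"
     "Host: 192.0.2.10\r\n"
     "User-Agent: implant/0.1\r\n"
     "Content-Type: application/json\r\n"
     "Content-Length: 41\r\n"
     "\r\n"
     '{"id":"a1","data":"eyJ0YXNrIjoibm9uZSJ9"}'),
    (40.05,
     "POST /beacon HTTP/1.1\r\n"
     "Host: 192.0.2.10\r\n"
     "User-Agent: implant/0.1\r\n"
     "Content-Type: application/json\r\n"
     "Content-Length: 41\r\n"
     "\r\n"
     '{"id":"a2","data":"eyJ0YXNrIjoibm9uZSJ9"}'),
    (70.01,
     "POST /beacon HTTP/1.1\r\n"
     "Host: 192.0.2.10\r\n"
     "User-Agent: implant/0.1\r\n"
     "Content-Type: application/json\r\n"
     "Content-Length: 45\r\n"
     "\r\n"
     '{"id":"a3","data":"eyJ1aWQiOiJ3d3ctZGF0YSJ9"}'),
]


@dataclass
class Beacon:
    ts: float
    method: str
    path: str
    headers: dict
    outer: dict  # JSON exactly as it appears on the wire
    inner: dict  # what the Base64 "data" field was hiding


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:  # honour the declared body length
        body = body[: int(headers["content-length"])]
    return method, path, headers, body


def peel(body: str) -> tuple[dict, dict]:
    """Outer layer is JSON; its 'data' field is Base64 wrapping more JSON."""
    outer = json.loads(body)
    inner = json.loads(base64.b64decode(outer["data"]).decode("utf-8"))
    return outer, inner


def analyse_capture(capture) -> list[Beacon]:
    """Decode every request in the capture into a Beacon record."""
    beacons = []
    for ts, raw in capture:
        method, path, headers, body = parse_http_request(raw)
        outer, inner = peel(body)
        beacons.append(Beacon(ts, method, path, headers, outer, inner))
    return beacons


def looks_like_beacon(timestamps, max_jitter: float = 0.2) -> bool:
    """True when inter-arrival gaps are regular (low spread relative to mean).

    Three requests are enough to illustrate the check; in real triage you
    would want many more before drawing a conclusion.
    """
    if len(timestamps) < 3:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg < max_jitter


if __name__ == "__main__":
    found = analyse_capture(CAPTURE)
    for b in found:
        print(f"{b.ts:7.2f}s {b.method} {b.path} -> {b.inner}")
    print("periodic:", looks_like_beacon([b.ts for b in found]))
```

The same two questions drive the analysis whether you are a learner reversing the room’s protocol or a defender triaging an unexpected outbound connection: is the timing regular enough to be a beacon, and what is actually inside the payload once the obvious encodings are removed?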

That said, there is also an overarching educational goal:

In order to solve the room, learners need to think outside of the box and break with their established methodology. Both during testing and post-launch, learners struggled with the fact that there are no open ports and even reported the room to be broken. The usual CTF methodology – e.g., heavily relying on (automated) scans – does not work here, and learners are supposed to go beyond the tried and tested. Similarly, a number of learners attempted to use existing C2 frameworks in order to establish a connection.

Ultimately, a key educational goal of Forgotten Implant is to sensitize learners to less common approaches and custom solutions (e.g., a custom C2 framework) as well as to the need to adapt.

Learning Activities

Of course, the main learning activity of Forgotten Implant is hacking through the machine and solving challenges along the way. However, I do consider engaging with the community as well as writing, in the broadest sense, as additional learning activities.

The Forgotten Implant Room (VM)

As I said above, the primary learning activity is going through the Forgotten Implant virtual machine, gaining initial access and exploiting a series of vulnerabilities.

While the experience is intentionally linear, learners can choose how they are going to tackle the different challenges. For example, the foothold phase, i.e., interacting with the C2 implant, can be solved using a very simple file-based solution. However, learners can also – and some did – design and develop a fully-fledged client. Developing a custom C2 client is an interesting and possibly creative learning experience of its own. For example, some learners have reported that they were able to solve the challenge using ChatGPT, building a C2 client without much programming experience.

Similarly, there are two ways of solving the lateral movement part of the room. While using the phpMyAdmin RCE exploit is the intended path, some learners leveraged misconfigured rights on a folder to move forward (see, e.g., noncenz’s article).

This flexibility allows learners to focus on different competencies and allows both less and more experienced learners to gain something from the experience.

The Rooms Page on TryHackMe

I also want to briefly mention the importance of the room’s page on the platform.

TryHackMe allows room designers to create tasks, provide materials, do formative assessments, etc. In the case of Forgotten Implant, I have not made heavy use of this opportunity, but the TryHackMe website is a fairly capable Learning Management System (LMS) that can be used by designers.

That said, Forgotten Implant makes use of the hint feature which allows learners to get a text-based hint if they are stuck. During testing, we realized that many learners would get frustrated due to the fact that they were not able to find any open ports. Hence, for the initial stage, there is a hint that reads: “Your port scan is not misleading you.”

While this is a very simple feature, it allows us to provide some helpful scaffolding for learners who need it. I also particularly like the feature because it allows learners, at least to some degree, to take control over how much help they want in solving the challenge.

Of course, this page has a huge influence on how the room and the learning experience are perceived and tackled. For example, during the co-creative design process, TryHackMe decided to change the room’s logo. While the initial, definitely less refined, logo only had the name of the room, the final logo contains two hints: It hints towards the directionality of the connection, and it points out the protocol (HTTP) in use.

The Community (aka. Discord)

TryHackMe provides a community experience for each new room: they open up a Discord channel as well as a forum thread for learners and creators to discuss. It is noteworthy that for challenge rooms there is a 72-hour period during which no hints etc. should be discussed, so that learners, within the gamified TryHackMe environment, have a fair chance of being one of the first to actually solve the challenge. This period, during which learners are supposed to work on the challenge on their own, does not just protect the integrity of the challenge but also encourages learners to keep trying, as they have very limited hints available to them. Of course, that is if learners are sticking to it!

That said, the community – especially the Discord channel – is a fantastic learning activity and opportunity of its own. Learners share their experience and ask as well as answer questions. This is particularly helpful for learners who are struggling or are right at the edge of their current capabilities. The community allows them to get exactly the right amount of hints or guidance. I have seen the Discord channel act almost as a tutor more than once!

Furthermore, the Discord allows for one-to-one coaching and tutoring. During the first days of the challenge being live, a number of learners approached me for help and guidance. If I have the time, I try to guide them towards solving the challenge on their own, providing small hints or allowing them to go over their methodology and reasoning. This can really be a co-creative learning process as it allows me, as the learning experience designer, to get a glimpse of their challenges, questions, and ultimately their learning process.

Of course, as already pointed out above, the Discord is a great place to get feedback on your own rooms. Engaging with learners going through the experience is a great opportunity for LXD and can also be a lot of fun. To me, the Discord channels are an integral part of the learning experience, and I believe it to be absolutely worthwhile to facilitate the discussions, to answer questions, and to get feedback.

The (Community) Walkthroughs and Write-Ups

Closely linked to the chat and forum are community walkthroughs and write-ups. Within the CTF community, it is common to do write-ups of the challenges one has solved. While these often take written form (e.g., blog posts), many learners also produce videos or even live stream their attempts.

Documenting one’s path through a room is a learning activity, and possibly an assessment, in itself. Doing a write-up or even a walkthrough, effectively creating a learning experience for others, provides a unique opportunity to reflect on one’s approach, to recapitulate what has been learned, and to make learning visible for oneself and others.

As of writing this article, I was able to find eight written walkthroughs/write-ups as well as six videos for Forgotten Implant. For the learning experience designer, these also provide a unique opportunity, as they offer an insight into how learners have experienced and solved the challenge.

Of course, they also serve as a valuable resource for other, possibly less experienced, learners. The walkthroughs enable learners to grasp the concepts, methodologies, tools, and strategies required to successfully solve the challenge while also seeing firsthand how others are approaching such a challenge.

Hence, from the perspective of the learning experience designer, encouraging and promoting community walkthroughs and write-ups is very important. Therefore, I actively collect and promote community submissions. I have also incorporated interesting findings from community members in the official write-up and documentation, highlighting that learning is a co-creative endeavor.

The Behind the Scenes GitHub Repository

Finally, I want to highlight the associated GitHub repository. It holds comprehensive information about the room’s design, challenges, and solutions. The repository also offers insights into the development process, hopefully making it a valuable resource for both learners and educators interested in designing their own challenges.

Of course, this also ties in with the argument I have made in the introduction to this article: We need to professionalize cybersecurity education even further, and educating each other, especially as educators, is a crucial part of this.

Assessment

The primary assessment for Forgotten Implant is extremely straightforward: Learners hack through the room and find two flags, i.e., files with hash values in them that they can submit to the platform. Submitting the so-called user flag shows that they successfully accessed the machine using the C2 interface. Submitting the root flag, they prove that they have successfully escalated their privileges. In addition to finishing the learning experience this way, within the gamified TryHackMe environment, learners get experience points for submitting these flags.

In a way, creating and submitting a write-up or walkthrough might be another form of assessment. While learners are free to publish their write-ups or walkthroughs, they can also submit them to the platform. In this case, the room creator has to accept them for publication on the room page. While this is by no means mandatory, it allows learners to showcase their work. Furthermore, if the room creator takes their task seriously and reviews the submissions, this is also a chance for learners to have their work reviewed.

Immersion and Storytelling

Immersion, essentially suspending disbelief and experiencing a virtual environment as real, is often considered an essential and promising avenue in designing learning experiences. An immersive learning experience does not only allow for a different experience but also, for example, might drive motivation.

For example, many video games provide a high level of immersion – as a player, I am “entering” the virtual world in which I am then being immersed. This can be highly motivating and fun because I am really experiencing the game, the narrative, the world, etc.

Without going into too much detail, immersion is not binary but gradual. While there are highly immersive experiences (e.g., using Virtual Reality), even some basic storytelling can make a learning experience more immersive. However, “[i]mmersion requires faithful reproduction of at least part of the real environment” (Wagner and Liu 2021).

In the context of CTF rooms, one way of achieving immersion – to a certain level – is to provide an experience that could be real or that is inspired by reality. This allows learners to see and experience the CTF as a real-world challenge, as something that might be real. Of course, this can be supported by (ambient) storytelling, for example, building machines that feel somewhat real and support the narrative.

Forgotten Implant is not a great example of this approach, but has some aspects of storytelling. The machine learners need to compromise, assuming a logical world in which the challenge is set, has already been compromised by someone. If this was not the case, there most likely would not be a C2 implant in play.

Of course, this assumption might change how learners would approach the challenge: They know that the machine, at some point, has been compromisable. They also know that the security posture of the fictional organization running this machine is not very strong – otherwise, such a blatant implant would not have been overlooked. Furthermore, they might assume that other actors are still at play and that these actors, who initially planted the implant, have left more things on the machine.

In the case of Forgotten Implant, such considerations do not play a large role. Once a learner has gained initial access, the environment in which they find themselves is inspired by reality but very much stripped down. For example, learners need to acquire stored credentials from a database application. The application is clearly too simple to be real, but the general premise – someone has left credentials in the configuration of an application – is plausible.

I have consciously designed Forgotten Implant to be relatively straightforward. The complexity lies in the unusual initial access as well as the mirrored approach (now, there is a port to find) during lateral movement, not in the complexity of the machine and the things on the machine. Forgotten Implant was designed to be, at its core, very simple: Reverse the protocol, gain access, use stored credentials and an off-the-shelf exploit, and leverage some misconfigurations.

That said, as learning experience designers, we should keep in mind that the narrative as well as the information provided (e.g., the name Forgotten Implant) will set expectations and possibly drive learner behavior. Hence, a more immersive and story-driven second stage could have been a privilege escalation using what the previous attackers had left on the machine.

(User Acceptance) Testing

TryHackMe, commendably, performs quite substantial User Acceptance Testing (UAT) for all of its public rooms, including those submitted by the community. While this might seem like a nuisance, especially if you want to finally publish a room, it is a crucial step in ensuring good, high-quality experiences for the learners.

During UAT, which only happens after an initial review and enhancement iteration, a series of learners attempt to solve the room and provide feedback as well as questions in a private Discord channel. The learning experience designer is present and can ask as well as answer questions. Based on the UAT, the room is further improved before it gets greenlit for publication.

In the case of Forgotten Implant, the testing process, including UAT, revealed some interesting technical problems (e.g., other users interfering by scanning the machine) as well as insights into the level of difficulty. For example, adding an additional hint to the initial phase of the challenge was a direct result of the testers’ feedback.

Conclusion

While this was only a glimpse into some of the LXD considerations, this article is meant to show some of the complexities of designing engaging cybersecurity learning experiences.

Forgotten Implant, from an educational perspective, is very straightforward: It is a challenge room with two flags serving as assessment that has a twist in its first phase. However, also based on learner feedback, it achieves its goals. Multiple learners have reported that the room made them reconsider their methodology because they were challenged by the fact that their go-to approach did not work. Also, looking at the user-submitted write-ups and walkthroughs, the room offers ample opportunity – especially with regard to developing a custom C2 interface – to experiment, even for more experienced learners.

As I have stressed the importance of write-ups and walkthroughs, an interesting idea could be to publish the room as a walkthrough, fully utilizing the TryHackMe LMS. This walkthrough version of the room could introduce some more fundamental concepts and, for example, guide learners through the process of reversing the C2 protocol.