Forgotten Implant on TryHackMe – Learning Experience Design

On July 28th, 2023, TryHackMe released my second TryHackMe room, Forgotten Implant, to the public!

Forgotten Implant is a cybersecurity learning experience that challenges learners to “use a forgotten C2 implant to get initial access” to a machine. Doing so, the room forces learners to break up their usual pattern of port scanning and enumeration, requiring them to monitor network traffic for signals of the machine calling them.

While the room’s GitHub repository holds all the information about the room, I am writing this article to highlight a few key considerations regarding the room’s Learning Experience Design (LXD).

A key reason for doing this is that, in my opinion, the cybersecurity education space needs to put more effort into educational questions and facilitating dialog between educators. Given that cybersecurity education is thriving and there have been many great projects and improvements over the last few years, it is time to take educational aspects (e.g., didactics, methods, approaches, etc.) more seriously. This includes being more open and transparent – both with regard to learners and other educators – about the design, goals, etc. of our learning experiences.

As I have also written about my first TryHackMe room, Hamlet, this article will be focused on LXD. Feel free to also look at the Hamlet article for additional insights on TryHackMe and the idea of CTF rooms more generally.

Forgotten Implant on TryHackMe

TryHackMe is an innovative and largely community-driven platform for cybersecurity education. At the core of TryHackMe’s educational model are so-called rooms. A room is a self-contained learning experience that allows learners to engage with materials (including assessments) and, more importantly, virtual machines.

Generally speaking, there are challenge rooms with varying difficulty (CTFs) and so-called walkthrough rooms, essentially short and guided online courses.

Forgotten Implant is a challenge room of medium difficulty according to the TryHackMe scale. Learners are confronted with a vulnerable machine and have to gain access as well as elevate their privileges to root. In doing so, they can collect two flags that serve as evidence for achieving initial access and privilege escalation.

The unique thing about Forgotten Implant is that the machine has no open ports. However, after an initial port scan, the machine will connect back to the system running the scan, i.e., the learner. Here, the room simulates a “forgotten” Command and Control (C2) implant, trying to establish a reverse connection.

Hence, to gain initial access, learners will have to identify the incoming network traffic, reverse the custom C2 protocol, and leverage the reverse connection and C2 capabilities of the implant. Once they are on the machine, learners will need to leverage stored credentials and a vulnerable phpMyAdmin to move laterally. Finally, they can escalate privileges to root by leveraging overly lenient sudo rights.

Solving these challenges, most likely building their own C2 interface along the way, learners are both acquiring as well as demonstrating a series of competencies (see Learning Objectives). From this perspective, CTF rooms might be considered a form of Problem-Based Learning (PBL), where learners solve a (more or less) real-world problem.

In order to follow along with the LXD considerations, a general understanding of the room and its challenges beyond this introduction might be helpful. If you do not want to give it a go yourself, you can have a look at the official walkthrough.

Learning Experience Design Considerations

In the following, I will discuss some of the LXD considerations made during the development and testing of Forgotten Implant. Of course, this is not a comprehensive discussion; I am only going to highlight some aspects that I consider particularly relevant for designing rooms like this.

In doing so, I will follow a constructive alignment approach, trying to match learning objectives with learning activities as well as the assessment. Finally, I am also going to briefly discuss the importance of immersion and storytelling and (User Acceptance) Testing.

Learners and Prerequisites

Forgotten Implant has been designed as a learning experience for intermediate and experienced hackers. While beginners can do it, it will be a stretch and require a lot of learning and tinkering. On TryHackMe, based on feedback gained during User Acceptance Testing, the room is ranked as medium. That said, some testers ranked the room as more difficult. Hence, I would argue that the room is at the top end of medium on TryHackMe.

From a technical perspective, as a prerequisite, learners need to have…

  • foundational knowledge about Command and Control (C2)
  • foundational knowledge about networking and HTTP
  • foundational knowledge about Linux
  • some experience using Wireshark or similar tools
  • some experience finding and leveraging public exploits

That said, challenge rooms are an ideal opportunity to build new competencies along the way and as you need them to solve the challenge. However, as outlined above, some foundational knowledge and experience are extremely helpful in order to get started. This is especially important as Forgotten Implant, purposefully, cannot be solved by only relying on the standard CTF methodology.

Learning Objectives

Forgotten Implant has a series of learning objectives. While most of them are geared toward more technical competencies (e.g., reversing a protocol), the room also highlights that we are often faced with idiosyncratic and custom systems and protocols that force us to go beyond our established methodologies and approaches.

Hacking your way through this room, you will learn how to …

  • use tools like Wireshark to monitor network traffic.
  • use HTTP, Base64, and JSON in the context of a simple HTTP client-server architecture.
  • reverse engineer a simple C2 protocol.
  • build a simple C2 interface using Python in order to interface with a C2 implant.
  • leverage stored credentials in order to move laterally.
  • exploit phpMyAdmin (4.8.1) using a public RCE exploit.
  • leverage sudo and PHP in order to escalate privileges.

That said, there is also an overarching educational goal:

To solve the room, learners need to think outside the box and abandon their established CTF methodology. Both during testing as well as post-launch, learners struggled with the fact that there are no open ports and even reported the room to be broken. The usual CTF methodology – e.g., heavily relying on (automated) scans and enumeration – does not work here, and learners are supposed to go beyond the tried and tested. Similarly, several learners attempted to use existing C2 frameworks to establish a connection before realizing that they are facing a custom solution for which no interfaces are publicly available.

Ultimately, a key educational goal of Forgotten Implant is to sensitize learners to less common approaches and custom solutions (e.g., a custom C2 framework) as well as the need to adapt to unknown situations.

Learning Activities

Of course, the primary learning activity of Forgotten Implant is hacking through the machine and solving challenges along the way. However, I consider engaging with the community and writing, in the broadest sense, as additional learning activities.

The Forgotten Implant Room (VM)

As I said above, the primary learning activity is going through the Forgotten Implant virtual machine, gaining initial access and exploiting a series of vulnerabilities in order to ultimately become root.

While the experience is intentionally linear, learners choose how they will tackle the different challenges. For example, the foothold phase, i.e., interacting with the C2 implant, can be solved using a very simple file-based solution. However, learners can also design and develop a fully-fledged interface for the implant, and some did.

Developing such a custom C2 interface is an interesting and possibly creative learning experience of its own. For example, some learners have reported that they were able to solve the challenge using ChatGPT, building a C2 interface without much programming experience.

Similarly, there are two ways of solving the lateral movement part of the room. While using the phpMyAdmin RCE exploit is the intended path, some learners leveraged misconfigured rights on a folder to move forward (see, e.g., noncenz’s article).

This flexibility allows learners to focus on different competencies and allows both less and more experienced learners to gain something from the experience.

The Room’s Page on TryHackMe

I also want to briefly mention the importance of the room’s page on the platform.

TryHackMe allows room designers to create tasks, provide materials, do formative assessments, etc. In the case of Forgotten Implant, I have not made heavy use of this opportunity, but the TryHackMe website is a fairly capable Learning Management System (LMS) that can be used by designers.

That said, Forgotten Implant makes use of the hint feature, which allows learners to get a text-based hint if they are stuck. During testing, we realized that many learners would get frustrated due to the fact that they were not able to find any open ports. Hence, for the initial stage, the hint reads: “Your port scan is not misleading you.”

While this is a very simple feature, it allows us to provide some helpful scaffolding for learners who need it. I also particularly like the feature because it allows learners, at least to some degree, to take control over how much help they want in solving the challenge. The opportunity to get help when needed cannot be overstated with regard to motivation and lowering the risk of learners getting overly frustrated.

Of course, the room page greatly influences how the room and the learning experience are perceived and tackled. For example, TryHackMe has decided to change the room’s logo during the co-creative design process. While the initial, definitely less refined, logo only had the name of the room, the final logo contains two hints: It hints towards the directionality of the connection, and it points out the protocol (HTTP) in use. Hence, the new logo is not just more aesthetically pleasing, but it also serves as an instrument to somewhat lower the difficulty of the room.

The Community (aka Discord)

TryHackMe provides a community experience for each new room. For new rooms, they open up a Discord channel and a forum thread for learners and creators to ask and answer questions as well as to discuss the room.

For challenge rooms, there is a 72-hour period during which no hints etc. should be discussed so that learners, within the gamified TryHackMe environment, have a fair chance of being one of the first to solve the challenge. This period, during which learners are supposed to work on the challenge on their own, does not just protect the integrity of the challenge but also encourages learners to keep trying as they have very limited hints available to them. Of course, that is if learners are sticking to it!

That said, the community – especially the Discord channel – is a fantastic learning activity and opportunity of its own. Learners share their experiences and ask as well as answer questions. This is particularly helpful for learners who are struggling or are right at the edge of their current capabilities. The community allows them to get exactly the right amount of hints or guidance whenever they need them. I have seen the Discord channel act almost as a tutor more than once!

Furthermore, the Discord allows for one-to-one coaching and tutoring. During the first days of the challenge being live, several learners approached me, as well as others, for help and guidance. If I have the time, I guide them toward solving the challenge independently, providing small hints or allowing them to go over their methodology and reasoning together. This can really be a co-creative learning process as it allows me, as the learning experience designer, to get a glimpse of their challenges, questions, and ultimately their learning process. For the learners, it is an opportunity to solve the challenge one step at a time while being guided by a more experienced person able to provide valuable insights.

Of course, as already pointed out above, the Discord is a great place to get feedback for your own rooms. Engaging with learners going through the experience is a great opportunity for LXD and also can be a lot of fun. To me, the Discord channels are an integral part of the learning experience, and I believe it to be absolutely worthwhile to facilitate the discussions, to answer questions, and to get feedback.

The (Community) Walkthroughs and Write-Ups

Closely linked to the chat and forum are community walkthroughs and writeups. Within the CTF community, it is common to do writeups of the challenges one has solved. While these often take written form (e.g., blog posts), many learners also produce videos or even livestream their attempts.

Documenting one’s path through a room is a learning activity, and possibly an assessment, in itself. Creating and publishing a writeup or even a walkthrough, effectively creating a learning experience for others, provides a unique opportunity to reflect on one’s approach, to recapitulate what has been learned, and to make learning visible for oneself and others. Of course, they are also a great opportunity for learners to showcase their competencies.

As of writing this article, I was able to find eight written walkthroughs/write-ups as well as six videos for Forgotten Implant. For the learning experience designer, this also provides a unique opportunity as they provide an insight into how learners have experienced and solved the challenge.

Of course, they also serve as a valuable resource for other, possibly less experienced, learners. Walkthroughs enable learners to grasp the concepts, methodologies, tools, and strategies required to successfully solve the challenge while also seeing firsthand how others are approaching such a challenge.

Hence, from the perspective of the learning experience designer, encouraging and promoting community walkthroughs and writeups is very important. Therefore, I actively collect and promote community submissions. I have also incorporated interesting findings from community members in the official write-up and documentation, highlighting that learning is a co-creative endeavor.

The Behind the Scenes GitHub Repository

Finally, I want to highlight the associated GitHub repository. It holds comprehensive information about the room’s design, challenges, and solutions. The repository also offers insights into the development process, hopefully making it a valuable resource for both learners and educators interested in designing their own challenges.

Of course, this also ties in with my argument in the introduction to this article: We need to professionalize cybersecurity education even further, and educating each other, especially as educators, is a crucial part of this.

Assessment

The primary assessment for Forgotten Implant is extremely straightforward: Learners hack through the room and find two flags, i.e., files with hash values in them that they can submit to the platform. Submitting the so-called user flag shows that they successfully accessed the machine using the C2 interface. Submitting the root flag, they prove that they have successfully escalated their privileges. In addition to finishing the learning experience this way, within the gamified TryHackMe environment, learners get experience points for submitting these flags.

In a way, creating and submitting a writeup or walkthrough might be another form of assessment. While learners are free to publish their writeups or walkthroughs wherever they want, they can also submit them to the platform. In this case, the room creator has to accept them for publication on the room page. While this is by no means mandatory, it allows learners to showcase their work. Furthermore, if the room creator takes their task seriously and reviews the submissions, this is also a chance for learners to have their work reviewed.

Immersion and Storytelling

Immersion, essentially suspending disbelief and experiencing a virtual environment as real, is often considered an essential and promising avenue in designing learning experiences. An immersive learning experience does not only allow for a different experience but also, for example, might drive motivation.

For example, many video games provide a high level of immersion – as a player, I am “entering” the virtual world in which I am then being immersed. This can be highly motivating and fun because I am really experiencing the game, the narrative, the world, etc.

Without going into too much detail, immersion is not binary but gradual. While there are highly immersive experiences (e.g., using Virtual Reality), even some basic storytelling can make a learning experience more immersive and engaging.

However, “[i]mmersion requires faithful reproduction of at least part of the real environment” (Wagner and Liu 2021). In the context of CTF rooms, one way of achieving immersion – to a certain level – is to provide an experience that could be real or that is inspired by reality. This allows learners to see and experience the CTF as a real-world challenge, as something that might be real. Of course, this can be supported by (ambient) storytelling, for example, building machines that feel somewhat real and support the narrative.

Forgotten Implant is not a great example of this approach, but has some aspects of storytelling. The machine learners need to compromise, assuming a logical world in which the challenge is set, has already been compromised by someone. If this was not the case, there most likely would not be a C2 implant in play.

Of course, this assumption may change how learners would approach the challenge: They know that the machine, at some point, has been compromisable. They also know that the security posture of the fictional organization running this machine is not very strong – otherwise, such a blatant implant would not have been overlooked. Furthermore, they might assume that other actors are still at play and that these actors, who initially planted the implant, have left more things on the machine.

In the case of Forgotten Implant, such considerations do not play a large role. Once a learner has gained initial access, the environment in which they find themselves is inspired by reality but very much stripped down. For example, learners need to acquire stored credentials from a database application. The application is clearly too simple to be real, but the general premise – someone has left credentials in the configuration of an application – is plausible.

While in the case of Forgotten Implant these considerations are not necessary to be successful, as learning experience designers, we need to be aware of how the narrative changes and drives learner behavior. While this can be utilized to guide learners, it is also very easy to, unintentionally, design rabbit holes or frustrating experiences based on (reasonable) assumptions by learners who have yet to learn the full story of the challenge.

I have consciously designed Forgotten Implant to be relatively straightforward and linear. The complexity of the challenge lies in the unusual initial access as well as the mirrored approach (now, there is a port to find) during lateral movement, not in the complexity of the machine and the things on the machine. Forgotten Implant was designed to be, at its core, very simple: Reverse the protocol, gain access, use stored credentials and an off-the-shelf exploit, and leverage some misconfigurations.

As discussed above, we need to keep in mind that the narrative and the information provided (e.g., the name Forgotten Implant) will set expectations and possibly drive learner behavior. Hence, a more immersive and story-driven second stage could have been a privilege escalation using what the previous attackers had left on the machine.

(User Acceptance) Testing

TryHackMe, commendably, performs quite substantial User Acceptance Testing (UAT) for all of its public rooms, including those submitted by the community. While this might seem like a nuisance, especially if you want to finally publish a room, it is a crucial step in ensuring good and high-quality experiences for the learners.

During UAT, which only happens after an initial review and enhancement iteration, a series of experienced learners (TryHackMe community members) attempt to solve the room and provide feedback as well as questions in a private Discord channel. The learning experience designer is present and can ask as well as answer questions. Based on the UAT, the room is further improved before it gets greenlit for publication.

In the case of Forgotten Implant, the testing process, including UAT, revealed some interesting technical problems (e.g., other users interfering by scanning the machine) as well as insights into the level of difficulty. For example, adding an additional hint to the initial phase of the challenge was a direct result of the testers’ feedback.

Conclusion

While this was only a glimpse into some of the LXD considerations, this article is meant to show some of the complexities of designing engaging cybersecurity learning experiences.

From an educational perspective, Forgotten Implant is very straightforward: It is a challenge room with two flags serving as assessment, with a twist in its first phase.

However, based on learner feedback, it achieves its goals. Multiple learners have reported that the room made them reconsider their methodology because they were challenged by the fact that their go-to approach did not work. Also, looking at the user-submitted writeups and walkthroughs, the room offers ample opportunity – especially with regard to developing a custom C2 interface – to experiment, even for more experienced learners.

As I have stressed the importance of writeups and walkthroughs, an interesting idea could be to publish the room as a walkthrough, fully utilizing the TryHackMe LMS. This walkthrough version of the room could introduce some more fundamental concepts and, for example, guide learners through the process of reversing the C2 protocol.