Back in December I wrote about having some fun on the Try Hack Me platform. The fun continued and recently I hit the milestone of 100 days.
I thought this was a good time to write a short status on my progress. Mind you, I have no specific training in this matter; I just use common knowledge and my interest in security. I have been doing this in my spare time (mostly evenings and a few too-late nights). I have done an average of 1.75 rooms a day – some days without activity and others (like weekends) where I have done maybe 8-10 rooms.
This is my status for users from Denmark after 100 days (103 days to be precise):
I managed to become the all-time #1 for my home country Denmark after just 100 days. I hit the highest level, level 13 or [0xD] [G0D], after a little more than a month. The only higher level is the bughunter level, which is only given to people who have found 3 or more security problems in the platform itself (website, backend etc.).
World-wide I was #274 out of 395,000 users, and my next goal is to get into the top 100 worldwide (this will probably take another 100 days).
Everyone can be a “Hacker”
The platform is pretty easy to start using. It is free for the most part, but a $10/month subscription gives you access to more rooms and faster VPN/room loading.
You can use the built-in AttackBox, which is basically Kali Linux running in your browser. This is usable and ok for a start, but I would recommend that you install VirtualBox and fetch a Kali Linux VM image for it. This way you can install new tools and keep them between rooms. It just makes it soooo much easier.
Getting access to the rooms from your Kali VM is just a matter of downloading an OpenVPN config and then running a single command to get connected. From there on, you have the THM network as a “local network”.
If you are new to this, then I recommend that you go for some of the training rooms, or walkthrough rooms as they are called. They give you an intro to everything from tools to common ways to gain access via different attack vectors. This is good knowledge and useful for most techies.
Can you find the flags?
The most fun (and frustration) you will find in the CTF (Capture the Flag) rooms. These are hack-boxes, where you need to gain access, find flags and escalate privileges. It all ends with finding a flag only accessible as root/admin (depending on the OS used). Do check the difficulty level, as they vary from very easy to extremely hard.
There are supposedly a few of the hard rooms that have only been finished by 10-20 people. You would need a fair share of knowledge to get past these. I have actually tried a handful of hard rooms. These rooms can be very hard and involve multiple layers of vulnerabilities that need to be exploited before you eventually get a foothold. From there you need to escalate privileges, and this can require you to write scripts.
My many years of Linux and programming experience help me a lot in these harder rooms. I would not expect beginners to just go in and finish them within their first 100 days.
Help and hints for you
If you need help, there are always a lot of friendly people in the related Discord server. You can go to the room-hints channel and ask for a hint without getting everything spoiled. Do note, however, that there is a new-room embargo. This means that you cannot ask for hints about new rooms until 72 hours after release. This is commonly called Rule13.
There is (of course) also a related subreddit, /r/tryhackme, where you can ask questions and discuss rooms, tools etc. – similar embargo rules apply.
Good luck! Hope to see you in there.