1 of 35

Making the Mountain

A guide to creating challenging, educational, and enjoyable vulnerable virtual machines.

2 of 35

Introducing vulnerabilities into computers and knowing exactly how to give your sysadmin(s) a heart attack.

3 of 35

whoami

Pentester @ State Farm
Content Director and Community Manager @ TryHackMe
InfoSecLib Lead

4 of 35

Original Article

https://blog.tryhackme.com/making-the-mountain/

5 of 35

The heck is a ‘TryHackMe’

6 of 35

Intro

7 of 35

Why should I do this?

Learn a ton

Setup
Testing
Exploitation
Failure

Make a name for yourself

Vulnhub is a great example here
Boxes are resume items

Earn some cash

CTF Events
TryHackMe Creators Program

8 of 35

Drawing up the Treasure Map

As we get started, let's first think about what exactly we're looking to accomplish. Are we aiming for an educational box or a challenge (CTF) box? This is important to know ahead of time as it will dramatically influence the course of creating your box and the amount of 'acceptable flaws' which it can have. Difficulty is also to be kept in mind at this point, however, this is to a somewhat lesser extent.

Decided on the purpose of the box? Great! Let's move into creating the base structure of the box: the kill chain. While this does vary slightly between educational and ctf boxes, the overall goal is the same: create a map of how accomplish the main goal of the machine. In pentesting and challenge boxes, this is typically a map of the boot to root process in which you go from being an unprivileged outsider to fully controlling the machine in question. Within the scope of educational boxes/rooms, this is a general overview of the topics you wish to teach and a rough path of how you will teach them either through associated questions/worksheets provided with the box or through various steps necessary in completing the box. Let's take a look at how this might be accomplished through a viewpoint of both a CTF box and an education box.

9 of 35

Core Concepts

Know your Audience

Who is this for?
Difficulty

Tell a story

10 of 35

Who is your Audience

Educational

Students

Capture the Flag

Intermediate to Advanced

Competitive/King of the Hill

Competitive people, advanced

11 of 35

Difficulty

Abstraction

How many rabbit holes are there
How much is there to do in front of each step

Guidance

How much wiggle room do you give your users

Two open ports versus fifteen ports

Timeframe

Competitive and Restricted vs. Education Environment

Tools in Use

Metasploit or No Metasploit/Custom Exploitation
Just how many tools are in use

12 of 35

Tell a Story

Creation of a skeleton outline

Entry point
Privesc

Give yourself and your audience a roadmap

13 of 35

Warning!

Spoilers ahead!

14 of 35

Blue (Educational)

15 of 35

Killchain

Goal: Introduction to Exploitation
Recon

Open ports and services

Gain Access

ms17-010

16 of 35

Going Up & Crackalackin

Escalation

Unnecessary, demonstration of migration

Cracking

Hashdump > John/Hashcat

Flags!

Non-standard but in common loot locations

17 of 35

Ignite (CTF)

18 of 35

Killchain

Goal: Boot to root
Enumeration

Discovery of FuelCMS
Enumeration of running version

Expanded Discovery

FuelCMS RCE Exploit via ExploitDB

19 of 35

The root part

Exploitation

User flag from Exploit DB RCE

Privilege Escalation

Shared root password with db root user in config

20 of 35

Core Structure

Enumeration/Discovery
Foothold/User
Local Enumeration
Privilege Escalation
Root

21 of 35

Competitive

King of the Hill

One box, many users attacking it within a set timeframe
Initial start as a red focus with attacking
Blue team and defending once you’ve secured ‘king’

Essentially just a CTF box with many routes

One route per user
Separation of users appropriately

22 of 35

Defining and Hitting your Target

23 of 35

The Differences

Toolset

Exploit DB vs Metasploit

Detail

Narrowing the path
Being a sherpa

Expanded Scope

Waste not want not

24 of 35

Design Highlights

Manage your difficulty level

Keeping the ‘path’ narrow

Research what you’re using

Find the ‘gotchas’ before they find you

Kernel flaws

Patching!

Keeping the box ‘current’

25 of 35

More Design Highlights

Make your killchain

Having the write-up first

Giving yourself a guide

Well it was a normal installation until...
‘Connect the Dots’
Reward your advanced users

Building your box starts like a normal OS installation might. Sometimes this might include selection of a specific operating system version, however, it's worth keeping in mind the idea of unintended escalation paths. For example, certain operating systems might have services installed and enabled by default (i.e. SSH, CUPS) which can lead to unintentional ways in which the system may be accessed. Additionally, you may occasionally run into a situation where a version of an operating system may have a flaw which you have not accounted for. At the time of writing, a common instance of this is Linux kernel exploit allowing for privilege escalation. While awareness of these items comes commonly with practice in building boxes, it's worthwhile to do some research into the operating system you are picking to avoid any common pitfalls.

26 of 35

Putting it All Together

27 of 35

Tools of the Trade

Hypervisor

ESXi vSphere
Virtual Box
VMware Player/Workstation

Exploit DB

“Shopping for exploits”
Looks for applications which are downloadable

28 of 35

Finishing Up

29 of 35

Checking every box (Literally and Figuratively)

history | /dev/null
Remove the fluff
Patch the rest
Avoid password escalation
Easter eggs

Link command execution history to /dev/null or it's equivalent. This will prevent users from finding actions others have taken on the system and/or discovering how you built the system.
Remove any unnecessary packages. This can both serve to reduce any escalation paths you may not be aware of and to reduce distractions on the machine. Sometimes it can be hard for a user to see the forest through the trees and having excess packages installed can be confusing, especially if you didn't want there to be many rabbit holes on the box.
Update everything you can. Generally speaking, this is going to make escalation clearer for the user and it's going to reduce again any unintended exploits.
If you don't want users to crack your password, don't make it crack-able. You also shouldn't reuse any of your own personal passwords for obvious reasons.
Have fun with it. Adding a particularly hard to find secret can be incredibly rewarding to discover.

30 of 35

Tolerances

CTF

Unpredictability
Path of least resistance

Educational

Guided
Detail of material matters significantly

Tolerances shifted in this aspect

Maintenance Considerations

31 of 35

Polishing Up

Testing

Issue documentation
Remediation vs Annotation

Conversion to OVA
Upload and Release

32 of 35

Extras

Offline Releases/Availability
Worksheets
Supporting Material
How Users Get Help

Discord
Email
Twitter

33 of 35

“Pro-Tips”

Use examples

Learn from established boxes
All of my rooms are cloneable, use them as a starting point if need be
Understand how and why these are put together

Start at your hardest step

I.E. Entrypoint is a web application which is really tricky to set-up

Get feedback

Have your friends test it

Don’t be afraid to mess up

34 of 35

Common Questions

How long does it take to make a box?

Taking good notes can help here immensely

How do I start?

Defining a killchain

Networked/Multipart Boxes

Good documentation
Docker is awesome

35 of 35

Questions?

Twitter @darkstar7471

Slides available at https://darkstar7471.com