The TryHackMe VPN Problem

30 de octubre de 2021 - TryHackMe


Following the recent discovery of pentesting and red team content creator on Twitch and Youtube S4vitar, as he demonstrated in the following video:

It was uncovered with facts that users connected to the TryHackMe VPN who were in the same region, i.e. had this parameter in the ‘Access’ section the same:

Región VPN TryHackMe

They would have connectivity with each other. This fact alarmed the Ethical Hacking community, as many people were unaware of it and had just realized that they were never safe.

Below is an example visualizing the problem:

TryHackMe VPN connections

Unlike its main competitor, in HackTheBox this does not happen, the segmentation means that all users do not have connectivity with each other, except for the activities that require it, and everything is well organized.


/ / / CAUTION / / /

The use of this script assumes that the network you are on is already secured because it only secures VPN traffic, in case you are on a public site where you have no control, please modify it according to the circumstances.

/ / / CAUTION / / /

From all this problem, I created a script with iptables rules since it seems that TryHackMe excuses itself and does not pretend to fix the problem.

The Github repository is here:

Next, I will explain the rules, how the script is executed, what to do to get everything back to the way it was before and other cases where there may be doubts.

We will be breaking them down by blocks to explain them in broad strokes.

In case you want to save the ones you already have as backup to restore them once the practices are finished on the platform, you can execute the following:

And to put everything back to the way it was at the beginning, simply execute:

Once this is done, you would have everything back as if you had not used it.

To begin with, the block called ‘IPv4 flush‘ cleans the ‘filter‘, ‘mangle‘ and ‘nat‘ tables, deletes all the rules and sets the counters to zero, and specifies that the default policy is to accept everything so that you can browse and so on without having to touch the firewall.

The next block is ‘IPv6 flush‘, which does the same as the previous one, except that it has the default policy set to DROP, which means that all IPv6 connections are not accepted and that no IPv6 connections leave our computer.

We continue with ‘Ping machine‘, this block enables ICMP packets that enter or go to the machine through the VPN and blocks all those that do not come from or go to that IP.

So you would not have ICMP connectivity with other users either.

Finally, we have the ‘Allow VPN connection only from machine‘ block, which, as its name suggests, does the same as the ICMP block but with TCP and UDP connections.

So you will only have connectivity with the machine you want to practice with. In case you are wondering what would happen if two people deploy the same machine, TryHackMe is supposed to offer a different target IP each time someone deploys a victim machine, so if we do not share that IP, there would be no problem.

It is recommended to deploy the machine first and once we have the IP, run the script as follows:

Once the script is executed, we check that the rules have been applied:

And then we will be able to execute the VPN file with peace of mind.

So the final VPN connectivity scheme would look like this after the deployment of the machine.

TryHackMe VPN restrictions

The other main problem is the ‘attackbox‘, it is the name of the machines used in TryHackMe to practice against targets on the platform as if it were your virtual machine.

This machine has connectivity to all regions, subnets and premium networks, you can see the link with VNC username and password, so if someone got it, they could enter the TryHackMe network without even being connected. simply with direct connection via web.

Added to this, you could launch attacks on other websites or other users and be harmed, which presents a greater risk.

The premium machines, if someone deploys them and gives you the IP, the subscription filtering is not done and you could use it, etc.

In short, you can still practice on TryHackMe, but secure your environment first.

The first step is my script, the second is your awareness, and the third is getting hands-on.

Tagged as:  /  /  /  /  /  /  / 

Play Cover Track Title
Track Authors