TL;DR: how to create a room on TryHackMe, export VMs to OVA, upload them to THM, and create questions. The room is here.
Background
I automated Heath Adams' AD range setup in Hyper-V back when I was studying for the PJPT. It was fun and a good learning experience, but I felt like the PJPT left out some attacker TTPs. Therefore we created our own automated AD range setup, followed the path ourselves, troubleshot the setup, and finalized it.
I next wanted to bring that range to TryHackMe; however, THM does not allow subscribers to upload more than one VM per room. Hence I borrowed some ideas from the Hyper-V setup, added a few things, and made it work off just one VM.
Setup
I created the VM in VMware Workstation first, since Hyper-V sadly lacks a built-in method to export VMs to OVA. However, I could not get OVAs created in VMware to boot on TryHackMe once they were uploaded. Rather than beat my head against the wall trying to find the specific VMware version the VM should be created with, I simply installed VirtualBox and used it.
Obviously, in the real world you should not allow mere Domain Users to log onto a DC. However, in order to create this THM room that is exactly what I had to do. I did this by setting Group Policy as shown below. The users who are allowed to log in to the VM were put in the AD group CatchAll.
Please note that 'Access this computer from the network' was not required for this room to function; it was only enabled for testing purposes.
‘Log on as a batch job’ is required to run a scheduled task at startup as that user. In this case Bill.Lumbergh was used to simulate a user mistyping the share drive name.
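As an added example (not from the original post or its GitHub setup), here is a PowerShell check that lists who effectively holds these three logon rights on a DC and flags anything beyond the Default Domain Controllers Policy's 'Allow log on locally' defaults, which is how a lab-only grant such as CatchAll would be caught before it reaches a production DC. It assumes it runs from an elevated prompt on the DC itself; the list of default principals is my baseline, not the page's.

```powershell
# Added example: audit the DC's effective user-rights assignments for the three rights
# discussed above. Assumes it is run from an elevated PowerShell on the DC itself.
$Rights = [ordered]@{
    SeInteractiveLogonRight = 'Allow log on locally'
    SeBatchLogonRight       = 'Log on as a batch job'
    SeNetworkLogonRight     = 'Access this computer from the network'
}
# Principals the Default Domain Controllers Policy grants 'Allow log on locally' to (assumed baseline);
# anything else, such as the lab's CatchAll group, is reported as a finding.
$ExpectedLocalLogon = @('BUILTIN\Administrators', 'BUILTIN\Account Operators',
    'BUILTIN\Backup Operators', 'BUILTIN\Print Operators', 'BUILTIN\Server Operators')

function Resolve-PolicyPrincipal([string]$Entry) {
    # secedit writes SIDs with a leading '*'; translate them to DOMAIN\Name, keep raw on failure
    if (-not $Entry.StartsWith('*')) { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Entry }
}

function Get-EffectiveLogonRights {
    $cfg = Join-Path $env:TEMP 'logon-rights.inf'
    # secedit exports the effective local security policy, GPO-applied settings included
    & secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $result = @{}
    foreach ($line in Get-Content $cfg) {
        # e.g.  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-...-1105
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $Rights.Contains($Matches[1])) {
            $name = $Matches[1]; $list = $Matches[2]
            $result[$name] = @($list.Split(',') | ForEach-Object { Resolve-PolicyPrincipal $_.Trim() })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $result
}

$effective = Get-EffectiveLogonRights
foreach ($priv in $Rights.Keys) {
    Write-Host "`n$($Rights[$priv]) ($priv):"
    $effective[$priv] | ForEach-Object { Write-Host "  $_" }
}
$unexpected = @($effective['SeInteractiveLogonRight'] | Where-Object { $ExpectedLocalLogon -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning "Non-default principals may log on locally to this DC: $($unexpected -join ', ')"
}
```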
The rest of the setup was automated using a CSV file with user account details, PS1 scripts, and Zip files of the data that goes on the room's share drive.
The setup is available on our GitHub here.
Exporting to OVA
Once the VM is created it must be shut down and exported to OVA. Triple check that you set the VM’s NIC to DHCP first and did not leave it static.
As mentioned above, I used VirtualBox for this.
TryHackMe did not give good guidance regarding any of this, which is why I bothered to write a how-to on it. THM linked to some AWS docs that stated all sorts of unhelpful things, like setting the Windows page file to a static size. Trying those tips did not help get a VMware-created OVA to work on THM.
In the end the answer was simply to use VirtualBox. Just make sure you unmount the ISO used to install the OS, set the VM to DHCP if it is not already, shut it down, and export it to OVA as shown below.
Please note that ‘Include all network adapter MAC addresses’ is not the default setting in VirtualBox, so carefully select it before hitting Finish.
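The host-side part of that checklist as an added PowerShell example (not from the original post): it refuses to export unless the VM is powered off, detaches any ISO still attached, and exports with VBoxManage, which keeps every adapter's MAC address by default. The VM name 'THM-DC' is a placeholder and VBoxManage.exe is assumed to be on PATH; the DHCP setting lives inside the guest and has to be checked there before shutdown, so it is not covered here.

```powershell
# Added example: pre-export checks and OVA export via VBoxManage. 'THM-DC' is a placeholder VM name.
$VmName  = 'THM-DC'
$OutFile = Join-Path $PWD "$VmName.ova"

function Get-VmInfo([string]$Name) {
    # --machinereadable prints key="value" lines; keys for attached media look like "IDE-1-0"
    $info = @{}
    & VBoxManage showvminfo $Name --machinereadable | ForEach-Object {
        if ($_ -match '^"?([^"=]+)"?=(.*)$') { $info[$Matches[1]] = $Matches[2].Trim('"') }
    }
    return $info
}

$info = Get-VmInfo $VmName
if (-not $info.ContainsKey('VMState')) { throw "VM '$VmName' not found" }
# Export only from a clean shutdown, as the text says
if ($info['VMState'] -ne 'poweroff') {
    throw "VM is in state '$($info['VMState'])'; shut it down inside the guest first."
}
# Detach any install ISO still mounted (the text's 'unmount the ISO' step) by controller/port/device,
# leaving an empty DVD drive behind
foreach ($entry in @($info.GetEnumerator() | Where-Object { $_.Value -like '*.iso' })) {
    if ($entry.Key -match '^(.+)-(\d+)-(\d+)$') {
        Write-Host "Detaching $($entry.Value) from $($entry.Key)"
        & VBoxManage storageattach $VmName --storagectl $Matches[1] --port $Matches[2] `
            --device $Matches[3] --type dvddrive --medium emptydrive
    }
}
# CLI export keeps all NIC MAC addresses unless --options nomacs/nomacsbutnat is given;
# the GUI's default ('only NAT adapter MACs') is the setting the text warns about.
& VBoxManage export $VmName --output $OutFile --options manifest
if ($LASTEXITCODE -ne 0) { throw "Export failed (exit code $LASTEXITCODE)" }
Write-Host "Exported to $OutFile"
```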
Uploading & using the OVA on TryHackMe
If you have not done so already, go under 'Other' on THM and hit 'Develop Rooms'. Once this is done you will see a 'Develop' button next to 'Dashboard', 'Learn', and 'Compete'.
The OVA may take a while to upload and convert, possibly an hour or two depending on your ISP. This is why VMware's OVA incompatibility was so frustrating: I was creating the VM fine, but then waiting 1½ hours to see if it would actually work on THM.
Once the OVA uploads and converts it shows under ‘My Materials’. One can then create a new task in a room and assign the VM to it.
The background info, questions, any hints, etc. are also entered under the tasks. Once you have set them the way you want and saved, the room looks like the screenshot below.
So why another THM AD room?
TryHackMe already has a few AD rooms, one AD-focused series, and of course the Holo Live environment. However, I have not seen TryHackMe, other range/lab environments, or the hands-on exams I have taken cover a few topics:
- Smartcards
- Deny statements in DACLs
- The intersection of AD and NTFS DACL abuse, in any real depth
Hence I wanted to bring a miniaturized version of our automated Hyper-V range to TryHackMe, and of course learn something in the process.
Summary
TryHackMe won't let me make the room public without linking a walkthrough to it first, so I wrote one and put it here. The room is meant to be a challenge, not a class-type room, so I do not recommend reading that walkthrough before trying the room. The questions I put in the room are there as hints: one can get through the room by looking specifically for the answers to the questions and using them as a guide.
The escalation path from LAN access to Domain Admin is rather winding and convoluted, so I figured hints were a good thing.
Please let me know if you like the room. Comments, feedback, and suggestions are always welcome!
References
Creating a THM room: https://medium.com/@cykn0x/so-you-wanna-create-a-room-on-tryhackme-95e6c64543ca
THM on creating a THM room: https://help.tryhackme.com/en/articles/8979423-building-a-successful-community-room-with-outc4s7
Requirements for THM Windows VMs: https://docs.aws.amazon.com/vm-import/latest/userguide/vmie_prereqs.html
Maybe helpful RE VM export: https://stackoverflow.com/questions/20608310/virtualbox-error-failed-to-open-a-session-for-the-virtual-machine
Exporting OVAs from VMware: https://superuser.com/questions/1731481/how-can-i-export-a-vm-as-ova-with-vmware-workstation
All mere Domain Users WinRM: https://serverfault.com/questions/993482/enable-winrm-for-domain-user
Startup tasks fail without batch logon right: https://stackoverflow.com/questions/14259285/windows-task-scheduler-error-101-launch-failure-code-2147943785
AD cheat sheet: https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
Nifty AD tool, a junior BloodHound of sorts: https://github.com/lkarlslund/Adalanche
Good AD security overview: https://alisefer.medium.com/windows-active-directory-security-101-f2578813601e
AD Methodology: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology
Windows logon types: https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types
Membership Property Set: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/177c0db5-fa12-4c31-b75a-473425ce9cca