So let us see the approach you should consider when creating a room :

Setting Up A Base Plan :

The first and the foremost step is to decide what your room will be about, decide on the domains it will be covering. This can be Web Application Security, Reverse Engineering, Malware Analysis etc.

TryHackMe allows you to make your room either of the two types :

Guided : This means that your room will be having a guided approach for answering the given questions. Generally, room creators will prefer this type if they wanna teach a certain topic to the participants.

Challenge : This means that your room will be of a challenge type and most commonly room creators will prefer this type if they want participants to approach and solve the room through their own ways rather than helping them with any sort of guided tasks.

Once you decide the type of room you would like to make, you should plan about the difficulty level you would like to implement in the box. If your room is a guided one, my suggestion would be to make the difficulty level between easy to medium if you are teaching a certain topic and if it is a Challenge type you can keep any difficulty level you’d like to have.

Here Is A Quick Suggestion From The Official Docs Of TryHackMe :

Easy :

• Full guidance

Medium :

• Some guidance, general direction provided
• User will likely have to do some research to determine how to use the presented tool
• Ex: Final step in Vulnversity

Hard :

• No guidance
• Trial and error required as some tools may fail
• Often the first option presented might not work

Choose whether your room should be public or private, the main difference here is that in case you choose the room to be public it will undergo a review process by the TryHackMe moderators where if it gets accepted it will be available for everyone to join and solve the room. If you choose the room to be private it will stay a private meaning only a select few will be able to access the machine, this type is ideal if you are creating the room for any demonstrations or sharing with your connections. You can read more about it from the official docs.

Choosing The Type Of Material :

The next step is to decide the type of material you will be using in the tasks of your room, there are 2 types of materials you can use :

File-Based : If you choose to use file-based material in the tasks you will let your room users download the files uploaded for them to solve and answer the tasks. Generally, you should prefer this type of material if the task involves any challenges which can be solved by the user in their local machine and are of lesser size like in case of steganography based challenges.

VM-Based : If you choose to use VM-based material you essentially provide a Virtual Machine instance to the user which they can access through a Private IP by initializing their OpenVPN connection first. The Operating Systems which are allowed by TryHackMe include Windows, Ubuntu, RedHat, SUSE, CentOS, Debian, Oracle, Fedora. You can find the specifically allowed versions of the same from https://tryhackme.com/upload.

NOTE :

• TryHackMe has certain requirements when it comes to using Windows VMs since their Infrastructure runs on AWS. Make sure that you check out the AWS conversion requirements first before working on any windows VM.

• It’s suggested that if you are working on Ubuntu VMs you should choose the server-based ISOs rather than Desktop ones because they can cause an issue during conversion (personally faced this issue while uploading one such VM).

Here Are Some Suggested Versions You Should Try Out For The VM Creation : :

Windows :

• Windows 7 (Home, Professional, Enterprise, Ultimate)
• Windows Server 2019
• Windows 10 (Home, Professional, Enterprise, Education)
• Microsoft Windows Server 2016

Linux :

• Ubuntu 18.04.5 Server Image
• CentOS 8.2

Note : It is advised that you run linPEAS (for Linux) / winPEAS (for Windows) on your virtual machine first to search for possible privilege escalation paths that could be exploited in order to fix existing vulnerabilities on the VM if you want to avoid unintended solutions on your room. You can find these tools from their Github repository.

Deciding The Challenges To Add

In this step, you have to decide the Challenges you would like to have for your room and setting up an entry point for the users to make their way into the machine. If it is a challenge-based room you should prefer looking out for some CVE based challenges which you can use for the users to get the initial access to the target machine and then add up some sort of privilege escalation for gaining root access. Place a flag at the initial access point as well as for the root user which the player can submit. If your challenge involves any brute-forcing make sure that it doesn't takes more than 5 minutes to finish.

In case of a guided-based room, there is no specific recommendation since the topics a room creator can teach to the users through rooms are very diverse and it should be up to the room creator to decide the approach they will have for the users to solve their rooms.

Setting Up The Tasks

The next step is to set up the Tasks for the room. If you are planning to have a Guided room make sure that the tasks are having a guided approach for the users to start from the base and move their way up to exploitation or any topic that you are planning to teach the users. If the room is of the Challenge type then it is not required to place any guided tasks in the room since it is up to the users on how they can approach the target machine.

Make sure that you set up not more than 15 questions because more questions would require explicit approval from the admins.

How Did I Create My First Ever Room On TryHackMe?

So a few months back I had created my first room on TryHackMe, its name is Bolt and currently has around 2500+ users out of which around 2100 users completed all of the tasks.

I had downloaded a fresh copy of the Ubuntu Server 18.04.5 ISO and wanted the room to focus on Web Application security. I did a quick google search for finding some RCE related vulnerabilities in CMSs and found the Bolt CMS. It had an authenticated remote code execution vulnerability in the version 3.7.0. Then I searched for the vulnerable version of the CMS and found their Github repository which had the version tag in the releases I was looking for.

While setting up the CMS I faced certain dependency related issues but a few google searches helped me in fixing them in no time. The last thing for me to do was placing the flag somewhere in the VM which the user could find after exploiting the vulnerability and so I placed it in the Home directory.

Now since my VM was finally ready, I started to create the room tasks for my room. Since it was of the guided type, I had to design the tasks in such a way that it creates a path for the users to follow from initial recon to exploitation.

Some of the things I focused on while creating the tasks are :

• Enumeration of services running on the target machine
• Letting users analyse the information present on the homepage
• Guiding them to look for correct directories to use the credentials they got from the earlier step
• Finding the CMS version running on the target machine
• Looking up for available exploits related to that version
• Using the exploit for making their way into the target machine

Suggestions By The Room Creators and Staff At TryHackMe

"My rule of thumb is to figure out your killchain before you start. Difficulty is abstraction-based primarily and how many rabbit holes are present." - by Darkstar7471

"I try and link the initial access and privesc with some sort of story, like Overpass. Usually I have a single idea I’d like to build out and I build the story around that. I keep notes of initial access and privesc so that I have a little pool to work from if I have something I want to build. Increasing the difficulty usually means doing something more obscure (Mindgames) or a harder technique like BoF, pivoting, or security measures working against you. A good technique is building in horizontal movement to add a bit more depth." - by NinjaJc01 (James)

"Focus on creating easy-medium difficulty level machines first if you are new to room creation. Usually the entry points to the virtual machines are through web-based challenges or service exploitation based challenges so try to put more emphasis on either of that while creating the initial challenges and make sure they aren’t similar to the existing rooms, focus on unique ideas!" - by Mr.Holmes

"My one biggest piece of advice would be to sit down and plan it out fully first. Make sure it’s all in order before you actually get started. Play into your strengths; if you’re good at web dev, do that as an entry point (or maybe even the privesc!). If you’re good at systems administration, do some network exploitation. Think about what you’ve seen already and see if you can find out how to make it new and different. No one likes doing the same thing over and over again (we have rules about that for public room submissions as well). Try to make it unique. Puzzles are good, but don’t overdo them — and try not to use the same trick twice. For example, gobusting 15 times gets boring real fast. I’d suggest always trying to have at least one privesc — unless your entry point is really unusual and/or very difficult to pull off. Difficulty usually comes from things being new. I can do a typical CTF box (things like stego, encoding, etc) in about 5–10 minutes. It’s new things that catch people’s interest, so try really hard not to do the same thing that you’ve seen before. Make it your own, and think about how you could get a new angle on things — that’s what makes it difficult: new things. Again, the entry point is a matter of personal preference. The one thing I would say about room creation — the most important takeaway — is that it should always be about teaching. I’ve personally got a bit of a reputation for being sadistic with challenges, and yes, I am, but the goal is still always to teach. Whether it’s a walkthrough or a challenge, you should always be thinking about “what can people learn from doing this.” If everything in the box is common knowledge then it might be time to sit down and rethink a few things." - by MuirlandOracle

"Once again, it depends on the challenge or walkthrough you sare making. In some cases, privesc is not required or can be made easy if the room is mainly focused on other vulnerabilities.Create an original challenge, that would not replicate anything you have done before or anything that is well known to the infosec community. The best idea is to isolate yourself from known exploits and try to focus on artificially creating vulnerabilities yourself. For example, making a login page with a misconfigured SQL query will give you an SQL Injection challenge ready to be exploited. Applying filters to that login page will increase the difficulty as people will have to research and invest more time into solving those challenges. Also, no matter what challenge you are making, try to keep it as close to reality as possible. The most common approach to hacking is replicating yourself on the position of the developer and guessing possible weaknesses and mistakes they could have made. A hidden directory is not a new thing and cannot be intuitively guessed, meaning that your challenge will ultimately turn into a ‘poke around until you find the flag’ challenge." - by Swafox

Conclusion

This brings us to the end of this article, I hope that it gave you a brief idea about how to start with room creation on TryHackMe. If you still have any doubts or queries, I would suggest you to check out Darkstar’s talk on Room Creation at the SARCON 2020 event it is a great talk giving a good level of information for creating challenging, educational and enjoyable vulnerable virtual machines. Also please do check the official docs by TryHackMe, they have explained everything in a very clear manner and it can help in clearing your doubts.