This article will explain how our network works, what users can expect from this functionality, and general advice on how users can practice good security hygiene.

Virtual Machine(Machine/VM) = Software that allows you to run multiple operating systems within your system. For example, VMware or VirtualBox

Attackbox/Attack Machine = The machine you use to attack the TryHackMe infrastructure.

Target/Task/Room Machine/VM = The machine you are attacking or, in some cases, using instead of the Attackbox for a specific task.

This article aims to answer the following questions:

How does TryHackMe work? How am I able to interact with these virtual machines? How can I better troubleshoot networking issues within TryHackMe's environment?
​

Understanding why/how you can interact with these VMs is crucial to your learning experience.
TryHackMe has set up a private network hosted in the cloud to allow you to learn in a safe environment with hands-on labs. Our virtual machines are part of this same private network, enabling you to interact with them, even without internet access on your Attackbox.
​
TryHackMe's private network uses IP addresses in the following ranges:

If you are doing a room where the target machine runs a website on port 80 and has the IP 10.10.118.211, you can only access this website through your browser if your machine is on the same network as the target VM. Since your Attackbox is already connected to the same network (because it's deployed from the same network), you can type http://10.10.118.211 in your Attackbox browser, which should load the website.
​
​
​

However, if you are using your computer or virtual machine, typing that IP in your browser will result in an error since your computer is part of a completely different private network and can't communicate with the target IP address. This is where the VPN comes in handy!
​

TryHackMe uses OpenVPN to allow users to communicate with machines used for their practical cyber security training. Users connecting via the OpenVPN service will be assigned an IP address. This allows our system to locate and identify your machine.
​

Since machines started in labs are intentionally made to be vulnerable (to practice hacking and defending), and we want users to practice hacking within a safe environment, they're only accessible on the TryHackMe network through either the VPN connection or AttackBox (and are not publicly accessible). A brief diagram of this is shown below:

This communication channel is bi-directional, meaning data can be sent and received on the network. Many scenarios on TryHackMe rely on this bi-directional communication channel, for example, when using reverse shells.

TryHackMe's OpenVPN is configured only to send traffic through the VPN when accessing vulnerable machines and nothing else. This means when you browse the internet, the traffic does not get sent through the VPN; only traffic on 10.10.*.* is forwarded through the VPN.

Since it is possible to reach users' VPN IP addresses, it may be possible for other users to scan these IP addresses. This does not mean that users can be hacked. It merely means that if you are running a service (e.g. a Python web server, an FTP server) intended to be accessed by vulnerable machines, other users may also access these other services if they know your IP address and scan for the service that's running.

Using the VPN is similar to connecting to a public network, such as a school, cafe, business, or any network where other users are also connected.

Now that you're aware that other users may be able to access services and connections you have running, here are some suggestions to reduce your attack surface:

TryHackMe's in-browser machine (called the AttackBox) is the easiest and most secure way to start hacking!

TryHackMe provides all users with an AttackBox machine with all the security tools pre-installed to start hacking in a legal and safe environment, accessed entirely through the browser. Each user can start their own instance of an AttackBox with a click of a button within all TryHackMe labs.

The AttackBox (once started) can only be accessed using randomized credentials or a magic link (specific to each user). Unless any credential configuration changes are made to the AttackBox, no other users can access other instances of an isolated, web-based AttackBox.

We recommend configuring and utilising a virtual machine for users planning to connect to TryHackMe's network via the VPN. By default, virtual machines provide an environment completely isolated from the host machine. This can be used to install and run tools against vulnerable machines on TryHackMe. In addition to using virtual machines, make sure you:

If you have any questions, please get in touch with us at support@tryhackme.com