Interview with a TryHackMe Developer - Muirland Oracle
If you’ve ever used the TryHackMe cyber security learning platform, then you’ve likely come across the work of Muirland Oracle.
Over the last three years, he has created 30+ walkthrough and challenge rooms - ranging from the beginner friendly, to the downright difficult (I’m looking at you, Year of the Jellyfish). Tens of thousands of users have interacted with and learned from his content!
Furthermore, he provides support for over 136,000 users as TryHackMe’s Discord Community Manager!
As a huge fan of his work, I was super excited to be able to interview him!
How do you balance being a full time student with content creation and being a TryHackMe Discord Admin?
Believe it or not, it’s worse than that! I also work part-time as a pentester for a local company, and nearly always have a cert or training course on the go in the background. The short answer to this question is: with difficulty. I keep a very close eye on where and how I spend my time, and make sure to track and prioritise tasks based on urgency.
Sometimes that means short sprints where I end up effectively picking each task off individually one-by-one, but usually I just make sure to juggle tasks to maximise efficiency (i.e. when I get bored with one thing, I just switch to another so that I’m always doing something productive). Unfortunately, there are only so many hours in a day – so sometimes the items with no deadline get pushed back a bit – but it all gets done in the end! It’s certainly not a dull way to pass the time – I hate being bored, so I wouldn’t have it any other way.
What does a typical day look like for you?
I don’t really have a typical day just now – which is awesome for keeping life interesting! I usually spend about 90-120 minutes on exercise and try to take some time in the evening for down-time, but other than that it’s usually just a case of fitting whichever tasks need done that day in around meetings and university. In a sense, working from home over COVID has been helpful in that I don’t need to travel as much as I used to, but after a couple of years I almost miss it!
When did you first find yourself interested in computer security? What inspired you to pursue penetration testing specifically?
For a variety of reasons, I performed an in-person authentication bypass and privilege escalation on a MacBook when I was in in my early teens. The “hack” was extremely simple, but it introduced me to the intoxicating adrenaline rush you get from successfully breaking into stuff.
Thereafter, I started looking for ways to recapture that rush as a legal occupation – pentesting was where the research led. I didn’t really do or learn anything else until I went to university a few years later, at which point I became involved with the TryHackMe community and really started diving into security.
What’s your methodology for creating a TryHackMe room?
The answer to this is totally different depending on the type of room. Traditionally I have worked on CTF challenges and walkthrough tutorial content; more recently I have also been building vulnerability showcases (e.g. Pwnkit, Dirty Pipe, Spring4Shell, etc).
Teaching content tends to be the most intensive to write – it requires a lot of planning and usually starts with a vague topic or brief (e.g. “Write a Burp Suite module”); the scope gets developed from there. Once I know the topics I want to cover, I split them into tasks (or rooms and tasks if it’s a module) and put together a skeleton for the room(s) – basically just creating the room(s) and task headings ready to have the content added.
From there it’s just a case of writing the content. I usually try to build the interactive content (i.e., VMs and/or static sites) whilst I write as I find that the two aspects tend to influence each other; however, occasionally this isn’t possible and the interactive content gets developed either beforehand, or after the materials are written.
Vulnerability showcases are the complete opposite of tutorials – I take researched information about a vulnerability and use it to build a proof-of-concept lab for the vuln. Once I’ve built the machine, I have a much better “feel” for how the new vulnerability works, which makes writing the teaching material a lot easier. In other words, rather than starting with a vague brief and building inwards, I start very focussed and develop outwards from there.
These rooms all follow a similar format: introduction to the vulnerability, an overview of how it works and how you can remediate it, usually a slightly more in-depth technical explanation, and a practical using the lab I created previously (normally after tidying it up a bit!). This common structure means that I don’t really need to plan the room structure out – all I need to do is write each section then send the room out. Challenges are simultaneously (confusingly) both the easiest to build, and the hardest.
You obviously don’t need to write tutorial content for a challenge, which removes the hardest part of the equation (writing accessible teaching material is hard!) – that takes a lot of the pressure off. However, they require more planning than anything else. The best challenges need to make sense, be fun to complete, be relatively realistic, and not have a tonne of unintended paths through them.
Planning around those criteria can be tough, but the result is worth it! With challenges, I often start with a concept that I like the look of and build the rest of the box around it. Just to make life harder for myself, I’ve also built a few cross-over walkthrough/challenges (e.g., Hipflask), where I build a challenge box then effectively integrate a writeup into the room tasks. Interestingly, those are actually the most fun to build! Regardless of the type of room, you can be sure that there are a lot of notes and documentation involved.
Who are your role models in the security community?
There are quite a few! First and foremost, the man who pushed me into my OSCP and has been an awesome mentor and friend from almost the very beginning of my infosec journey: Ryan Montgomery (0day). A lot of my methodology and knowledge of the weird and whacky parts of hacking come from working with Ryan. Safe to say his determination and sheer stubborn inability to admit defeat have been motivational, to say the least!
Closer to home, a lot of my interest to really push myself into Infosec (including my initial introduction to TryHackMe) came from a friend from university: Samiser. Their passion for the subject – and especially for wonderfully niche aspects of cyber – really taught me from the get-go how much cybersec has to offer. Between that and their patience with a newbie’s questions, they were (and continue to be) an inspiration.
I also have a huge amount of respect for many of my friends and colleagues on the TryHackMe community staff team. A lot of my current infosec interests have come directly from them, and when I have a question about some weird edge-case, I can nearly always find someone who is likely to know the answer amongst them.
Speaking of TryHackMe, this list wouldn’t be complete without mentioning Jon Peters (DarkStar7471), who taught me about community management and has given me a lot of help and advice about starting out in cyber.
More generally, who doesn’t hold John Hammond (https://twitter.com/_johnhammond) as a role model?
There are way too many folks to list here – I could spend hours writing down names and flitting between role models. Suffice to say there are many absolutely awesome individuals in this industry, and it’s a great privilege to share the space with them.
Out of the 30+ TryHackMe rooms you’ve created, which has been your favorite to develop and why?
Tricky question! Aside from some of my very early challenges (which I hate), most of my rooms contain aspects that I’m particularly fond or proud of. I learn more with every machine I build, so there are always things to remember fondly.
For example, my CVE-2021-3560 room was my first chance to deploy my dynamic flags system. The box used in the Burp Suite module (Bastion) was one of my first Flask applications; Flask is now my go-to backend web framework. Upload Vulnerabilities was my first introduction to NodeJS and Docker – the latter of which is something I now use day-in-day-out.
Every room that I have built has taught me something new, so it’s really difficult to choose a favourite. That said, I get the most enjoyment out of creating “guided challenges” (think Wreath, Hipflask, or Atlas). I find that building out what is basically a challenge box, then teaching a method for hacking it, is much more liberating than explicitly designing a box to demonstrate a walkthrough – not least because it lets me challenge myself to stuff as wide a range of content in there as possible!
With that in mind, I’m probably going to go with either Wreath or Hipflask for my favourite. Wreath because of the sheer number of topics I was able to cover with it, and Hipflask because I really liked being able to include a source code review tutorial, as well as covering some of the more realistic aspects of pentesting (as opposed to just teaching isolated techniques).
You have earned the OSCP and CRTO, congratulations! Any plans on your next certification? What are your thoughts on the abundance of certs in the cyber security realm?
I have been working towards my OSEP for a while now, with the aim of obtaining the trifecta (OSCE3) in the not-too-distant future. From there I would like to move into SANS, so fingers crossed for a grad job with a big enough training budget!
To summarise my thoughts on the abundance of certs: there are a huge number of the things, many of which are useful for different purposes, in different areas, which can be really confusing for people entering the industry. In many ways it would be good to have a more standardised set; however, given how chaotic the entire industry is, I very much doubt that will happen.
That said, it’s well worth doing your research and filtering through the noise to pick out the certs that are most useful for you and the career you want to make for yourself. The benefit to having so many available is that you have many good options, so research well and choose wisely!
What advice would you give to a student with no experience interested in becoming a penetration tester?
Be curious. Knowledge can be learnt; curiosity cannot. Hacking is all about asking “what if…?”, so question everything and surround yourself with supportive, passionate people who love what they do and who embrace the philosophy of sharing knowledge for the collective good.
Equally, research is (and always will be) the most important skill for anyone in the infosec space. It is a massive world out there – it’s impossible for anyone to know everything. We all Google, and we all spend hours poring over documentation. Research is, without a doubt, the most important part of the technical side of hacking – if it’s a weak point for you, then that should absolutely be your focus (both for your own sake, and the sake of the people around you).
On the subject of research, what should you do when you learn something new? Make a note of it! Again, you’re never going to remember everything – the space is just far too vast. Get yourself some notetaking software (e.g. Trilium or Obsidian) and start writing. Every time you solve a problem or learn something new, write it down! You never know when you might need that information again, and it is great practice for documenting pentests in the real world.
Speaking of which, loathe though I am to burst the bubble of hacking being all technical, report writing is (unfortunately) easily the most important job in pentesting. Your clients are paying for the report – that is your product. If you’re not comfortable writing reports, get practicing!
Finally (and arguably most importantly): remember that everyone starts somewhere. Imposter syndrome affects almost everyone in infosec. We all look around and see people who are better than us, who know more than us, who have more experience, or more accomplishments. They don’t matter. The only person who you should be competing with is yourself – your journey is your own, and it’s okay to do it at your own pace, starting in your own time.
Where do you get your cyber security related news from?
Honestly? Mainly Twitter. You can argue about the merits of this RSS feed or that news site all you like; chances are that news will pop up on Twitter extremely quickly with a big enough network of infosec professionals. It’s a small industry, relatively speaking, and news spreads very fast on social media.
What are your non-cyber related hobbies?
Global pandemics unfortunately make many hobbies difficult, but I’m very outdoorsy and love taking a day to go out kayaking or hiking. I used to swim a lot as well, but COVID makes swimming pools a bad idea for the time being, more’s the pity.
Aside from exercise-based hobbies, I still love to read for enjoyment, and get a lot of fun out of messing with new tech / building out my home and cloud infrastructure. Like most people in tech, I can occasionally also be convinced to play a game or two, although I’m not a huge gamer so that’s a relatively rare occurrence.
More of Muirland Oracle
Thank’s again to Muirland Oracle for the interview and for providing such detailed responses!
Check out his links below to get in touch with him.