I’ve spent the last month trying out TryHackMe Premium, and thought I’d share my thoughts on whether a Premium subscription is worthwhile or not.
I’d previously spent a bit of time on Hack The Box, so initially gravitated towards that, but having seen the redesign and confusing HTB Academy (a separate login? Why?!), I thought I’d see what the alternatives were.
And so I came across TryHackMe. I initially started off with the free account, but after quickly hitting some rooms that were Premium only, I signed up for €8/month. Below is a current summary of the difference between Free and Premium:
The only difference of real note is access to all Rooms and Learning Paths; basically, unrestricted content. For anybody who hasn’t checked out THM yet, Rooms are walkthroughs of a particular concept, broken down into various steps, and usually include an exploitable or interactive VM you launch and work through. Learning Paths are collections of these rooms, covering a broad topic.
Once you’re done with Learning Paths, you can complete individual Rooms, which are constantly being added. These range from traditional CTF challenges to walkthrough demonstrations of the latest vulnerabilities, such as Log4Shell and Pwnkit:
There are far more free rooms than premium rooms, which is something to keep in mind when you’ve finished the Learning Paths and are considering if the subscription is still worth it for you.
OpenVPN connectivity into the network is absolutely rock solid and a breeze to set up; I highly recommend running your own penetration box using this method, though the online Attack Box made available (Parrot or Kali) is also very usable. Is there a difference in performance when launching and engaging VMs under a free account compared to Premium? Hard to say. I’m under the impression that I’ve had less trouble with performance/disconnects while subscribed to Premium, but that’s purely anecdotal. [Edit 2/3/22 – After a few weeks back on Free tier, I can say 100% that performance and reliability are far better on Premium]
The gamification, which of course is a huge draw to these kinds of CTF platforms, is fairly well done. The rules around how points are achieved can be a bit confusing, and it’s not quite as feature-rich as Hack The Box, but it’s enough to keep me coming back every day to win points, levels and badges.
Having completed the majority of all Learning Paths, I’ve started working through the individual rooms, and quite like the idea of trying to get as high as I can in my country’s leaderboard. However, I don’t think the CTF element is as strong as Hack The Box.
What will keep me subscribed though is the addition of Rooms that address new and active vulnerabilities. I think the recent Room by John Hammond on Log4Shell exploitation, detection and mitigation is an excellent use of the platform and where THM really shines, elevating it from a simple CTF and learning tool to an environment where cybersecurity professionals can contribute and share in a very quick, agile and interactive fashion.
There are a few things I dislike worth mentioning:
- The Rooms can be a little bit inconsistent in places. They are submitted by THM users, and while I’m not sure what kind of review process they go through, they can range in quality. However, the majority of content in the official Learning Paths is excellent. They recently announced the removal of the “Complete Beginner” track, which is a good thing, as this overlapped annoyingly with a number of other paths. So there is clearly constant development and improvement.
- Some of the Learning Paths have Rooms that aren’t available yet. I don’t see the reason for listing these, and it is a little frustrating when my completionist side wants to 100% a Path!
- The VMs for practicing on are generally quite stable, though I have encountered a number that have crashed while performing tasks essential to exploitation. One thing that bugs me, though, is the inability to reset them if there are issues. You have to “Terminate” them (power them off) and re-launch them. They don’t come back up with the same IP address, so any notes you’re taking will now reference a different IP. Not a huge problem, but Hack The Box has a nice reset feature that resets the VM back to starting state while maintaining the IP. Would be great for THM to implement this.
- The layout can be confusing. The Dashboard needs work, as does the distinction between Learning Paths and Series. Even something as simple as finding what VM you still have running can be a chore. This isn’t displayed on the Dashboard; you have to manually go back into the room to stop it.
So is TryHackMe worth €8/month for Premium access? I would say if you are interested in the Learning Path content, it absolutely is. While I feel Hack The Box still has the edge in terms of CTF challenges, THM is a really excellent learning platform for anybody starting off their cybersecurity career and beyond.