Official Schooled Discussion

┌─[izen@parrot]─[~]
└──╼ $nc -lvnp 9001
listening on [any] 9001 …
connect to [10.10.14.XXX] from (UNKNOWN) [10.129.94.156] 60351

hostname

Schooled

id

uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

ROOTED. Foothold is frustrating for me. and getting to root is the easiest one.
message me for hints

Getting root was hardest part for me :smiley:
Privilege escalation itself is obvious, but implementing it takes some time if you aren’t familiar with freebsd.

Also big thanks to @AbuQasem for giving me tips about implementation part.

Well I’m pretty stuck. I’m in as a teacher but I’m not sure what to aim for next. Hoping to find something that I can abuse.

Any hint to get into teacher?

Type your comment> @0xffe4 said:

Getting root was hardest part for me :smiley:
Privilege escalation itself is obvious, but implementing it takes some time if you aren’t familiar with freebsd.

Also big thanks to @zAbuQasem for giving me tips about implementation part.

You’re welcome ?

Spoiler Removed

Type your comment> @chiakheewei said:

Any hint to get into teacher?

The hint is already given my the Teacher in his message to the new enrolled students.

@chiakheewei said:

Any hint to get into teacher?

Have a look at what’s been posted on the website. Specifically looking for anything that should be seen by a lot of people… Now, mess around with it (the thing that’s mentioned).

need help for root . an anyone help me

Still stuck as a teacher. I can’t seem to figure out how to abuse any of the vulnerabilities in this software.
Probably because I don’t have a template to base my attack from. Or maybe I’m going about it the wrong way.

At the risk of sounding like a ■■■■… This community is brilliant. I’ve finally got a decent foothold on this box. I got nudges to a vulnerability that I had missed and I’ll not make that mistake again. At least not until the next time. I would not have figured that out alone.

I have enumerated all the things and found the place to learn. I have found several exploits, but none that would look like they worked and one that I thought would work if I gave it some info from the place where I learn. Can someone help me out with the exploit for initial foothold?

I though if I found the application version that would help me out but I have still not found it.

So I have managed to “cross” over to teacher user, but not sure where to go from here. I have seen authenticated exploits, but haven’t found a way to pop that shell yet. any nudges would be appreciated

Theres people here saying that getting the root was the easiest part, but i’m really struggling on that! I know what to do but just not how to build it. And every article I read I get more confused about it xD
So I could really appreciate if someone could DM me with a help.

User owned :slight_smile: very nice box yet again!

reminded me a bit of htb-teacher box and htb-crossfit box

on my way to root ^^

Edit: Rooted! Thanks @TheCyberGeek !

Rooted! Cheers to AbuQasem by helping me understanding the FreeBSD syntax

hints for foot hold. got some help to get to t*****r now not sure where to go. Got the version of the application but not seeing where to go

Hint : Theres a youtube video.> @baitin said:

hints for foot hold. got some help to get to t*****r now not sure where to go. Got the version of the application but not seeing where to go

Theres a POC video, easy to find if you know the CVE

Think out of the Box

Very nice and fun box foothold was quite frustrating because my smoothbrain didn’s see proper option and went offtrack for like 2h but overall nice experience Thanks @charif for nudge at the beginning and @AbuQasem for the root help :blush: