Official Schooled Discussion

Struggled quite a bit on root so my 2 pennies:

  1. Figure out what you can run as a privileged user
  2. Figure out how to create your own p********s with that.
  3. Here was my struggle: Don’t copy paste from google. After I manually typed everything in it worked ------>That’s a nooooob moooove!
  4. Run it as privileged user.

Can I get a nudge on getting user?

Finally obtained user flag. Good steal, good SA, good john, lesson learnt.


@baitin said:

Can I get a nudge on getting user?

Just basic enumeration is enough… keep in mind, folder structure is a bit different

Well… Up to the root part, I was fine. I struggled a bit because even though I had the correct vulnerability, I wasn’t using it on the right place. I like this kind of attack, it’s realistic and I find it to be somewhat elegant if done right.
The root part… Well, I hate *BSD. Every time I have to deal with it I feel like the documentation is awful. With that being said, it turns out that I had found the solution pretty early on but probably made a mistake implementing it. Seeing that it didn’t work as expected, I moved on to other ideas and wasted quite a lot of time, fortunately @TGRHavoc put me back on the right path and it was just a matter of minutes before getting that golden shell root I was craving for :) Sooo yeah, really regretting not logging my inputs here, as I’m really curious why that didn’t work the first time.
Thanks also to @sicario1337 and @clure for their quick answers and trying to help me :)

By the way, am I the only one who had a really bad time on the last step to user? I had between 30 and 90 seconds to figure out something before I had to start the process all over again because my RCE was destroyed.

This was abnormally hard for me, since I did not expect HTB boxes to have the functionality that this one did. XSS is actually feasible this time!

Foothold: If you found a video then also look for the associated g**h**.
The video I used quickly skimmed over an important part, making me think I was in a rabbit hole when I wasn’t. Thanks for the hints.

User: Look around first before trying to upgrade your shell, you might find some useful stuff. You will find some other good stuff in that general area.

Root: Takes like a minute if you look in g***b***. By far the easiest part.

I am trying to open an account but it says “This email is not one of those that are allowed”
Any hint?!!

@dj3bb4ran0n said:

I am trying to open an account but it says “This email is not one of those that are allowed”
Any hint?!!

Tried @student.schooled.htb

Rooted at last. Root part by far the easiest after a painful foothold part.

@foalma321 said:

@sk1dy said:

I am trying to open an account but it says “This email is not one of those that are allowed”
Any hint?!!

Tried @student.schooled.htb

Yes, I visited this one and I tested the email that is mentioned there and I’m still getting the same message. I even tried [teacher’s name]@[nameofthebox].htb but I’m still getting the same message.

Compared to the foothold, root is tooooooo easy. I spent some time googling but I realized that I had already bookmarked the resource I need before LOL.

Can someone give me some hints for foothold? I’ve found the place of learning, I’ve set up what he asked but now I have no idea for next steps. I’m guessing I have to h_j__k his s_ss__n? I found a video explaining a path for Stored X and getting what I’m looking for there but I’m not sure I’m on the right track…

Got rce but none of the rev shell one liners seems to be working for me. Also can’t find any wget or curl to upload files on the box. Any nudges?

@dj3bb4ran0n said:

@foalma321 said:

@dj3bb4ran0n said:

I am trying to open an account but it says “This email is not one of those that are allowed”
Any hint?!!

Tried @student.schooled.htb

Yes, I visited this one and I tested the email that is mentioned there and I’m still getting the same message. I even tried [teacher’s name]@[nameofthebox].htb but I’m still getting the same message.

The emails allowed are of the form whatever@student.schooled.htb.

@jw0 said:
Can someone give me some hints for foothold? I’ve found the place of learning, I’ve set up what he asked but now I have no idea for next steps. I’m guessing I have to h_j__k his s_ss__n? I found a video explaining a path for Stored X and getting what I’m looking for there but I’m not sure I’m on the right track…

You are :) Take your time and read carefully anything that might be a hint. Also don’t be like me and look at every user input.

@gs4l said:
Got rce but none of the rev shell one liners seems to be working for me. Also can’t find any wget or curl to upload files on the box. Any nudges?

The syntax is hard to get. I can only tell you to try stuff, rearrange the terms, see what happens and eventually you’ll find a way to get what you need.
One problem that might occur is that since everyone seems to be using the same commands/names straight from Google, then when one uses a command, it conflicts with yours. I’m not 100% sure it’s related but my life became easier after I just gave different names to specific files.

@dragonista said:

@sk1dy said:

@foalma321 said:

@sk1dy said:

I am trying to open an account but it says “This email is not one of those that are allowed”
Any hint?!!

Tried @student.schooled.htb

Yes, I visited this one and I tested the email that is mentioned there and I’m still getting the same message. I even tried [teacher’s name]@[nameofthebox].htb but I’m still getting the same message.

The emails allowed are of the form whatever@student.schooled.htb.

Got it, I was doing it wrong: whatever@schooled.htb

@dragonista said:

@gs4l said:
Got rce but none of the rev shell one liners seems to be working for me. Also can’t find any wget or curl to upload files on the box. Any nudges?

The syntax is hard to get. I can only tell you to try stuff, rearrange the terms, see what happens and eventually you’ll find a way to get what you need.
One problem that might occur is that since everyone seems to be using the same commands/names straight from Google, then when one uses a command, it conflicts with yours. I’m not 100% sure it’s related but my life became easier after I just gave different names to specific files.

Thanks mate, I was blindly just uploading the zip file for rce. Looked at the contents in the zip and got an idea and it worked.
Just got user

Edit: got root … not sure whether the root part was meant to be the way I got it

Feel free to DM for hints