Official Schooled Discussion

@dj3bb4ran0n said:

@foalma321 said:

@dj3bb4ran0n said:

I am trying to open an account but it says “This email is not one of those that are allowed”.
Any hint?!!

tried @student.schooled.htb

Yes, I visited this one and I tested the email that is mentioned there and am still getting the same message. I even tried [teacher’s name]@[nameofthebox].htb but am still getting the same message.

The emails allowed are of the form whatever@student.schooled.htb.

@jw0 said:
Can someone give me some hints for foothold? I’ve found the place of learning, I’ve set up what he asked but now I have no idea for next steps. I’m guessing I have to h_j__k his s_ss__n? I found a video explaining a path for Stored X and getting what I’m looking for there but I’m not sure I’m on the right track…

You are :slight_smile: Take your time and read carefully anything that might be a hint. Also don’t be like me and look at every user input.

@gs4l said:
Got RCE but none of the rev shell one-liners seem to be working for me. Also can’t find any wget or curl to upload files on the box. Any nudges?

The syntax is hard to get. I can only tell you to try stuff, rearrange the terms, see what happens and eventually you’ll find a way to get what you need.
One problem that might occur is that since everyone seems to be using the same commands/names straight from Google, then when one uses a command, it conflicts with yours. I’m not 100% sure it’s related but my life became easier after I just gave different names to specific files.

@dragonista said:

@sk1dy said:

@foalma321 said:

@sk1dy said:

I am trying to open an account but it says “This email is not one of those that are allowed”.
Any hint?!!

tried @student.schooled.htb

Yes, I visited this one and I tested the email that is mentioned there and am still getting the same message. I even tried [teacher’s name]@[nameofthebox].htb but am still getting the same message.

The emails allowed are of the form whatever@student.schooled.htb.

Got it, I was doing it wrong: whatever@schooled.htb

@dragonista said:

@gs4l said:
Got RCE but none of the rev shell one-liners seem to be working for me. Also can’t find any wget or curl to upload files on the box. Any nudges?

The syntax is hard to get. I can only tell you to try stuff, rearrange the terms, see what happens and eventually you’ll find a way to get what you need.
One problem that might occur is that since everyone seems to be using the same commands/names straight from Google, then when one uses a command, it conflicts with yours. I’m not 100% sure it’s related but my life became easier after I just gave different names to specific files.

Thanks mate, I was blindly just uploading the zip file for rce. Looked at the contents in the zip and got an idea and it worked.
Just got user

Edit: got root … not sure whether the root part was meant to be the way I got it

Feel free to DM for hints

Foothold: Simple enumeration leads you there. It’s ugly to do, but you might need to steal something! If you don’t know what to steal, check around what you can do and see.
User: Not difficult, the standard enumeration should lead you where you need
Root: Actually pretty straightforward with the traditional first command

If someone needs help, just reach out to me!!

Rooted! Interesting machine on the Initial Foothold, remembered a previous machine. Here are my hints:

  • Initial Foothold: Try to enumerate in a different way than we are used to. When you discover what you need to do, then remember to steal something you need and follow instructions.
  • User: Very straightforward. Basic enumeration will do the trick.
  • Root: Just check the basics and execute.

Rooted !! with big help from @gs4l
Fun box, definitely need more real-world boxes like this

Hi, if anyone could push me in the right direction it would be much appreciated!

I have found what I think is the right PoC video but when I upgrade to a M**r I don’t see another user I can log in as that can access SA*************.

Thanks!

EDIT: Got the right user

Hi, I have done all of my enumeration. I have reached the point of madness by looking over and over all the files, and nothing sticks out. I have RCE on the box as www, I have access to the M***L, but I have no clue what to do with the info that I have. I have tried every cryptographic method possible. Any ideas?

edit: Never mind, hashcat just decided to never tell me that the hash was actually cracked


Hey everyone, for the last part before RCE, has anyone had errors stating “is defective or outdated”?

If so, could you please give me a hint as to how you got around this?

So I just rooted this box last night, but I took some nudges to find the right CVE… can anyone PM me what the intended method for grabbing the m***** version was?

Also, finding the ‘place to learn’ took some hints and a lucky guess - turns out I actually did try the correct enumeration technique, but it failed due to limitations of the hosts file - any tips on how to get that particular enumeration technique to work in an environment without proper DNS would be greatly appreciated!

HINTS:
foothold: find the right place, explore the functionality and read carefully - there’s a great hint for the first step already - treat it like a real-world scenario not just a CTF! After that, find the right vuln and follow the steps carefully!

rev shell: if you’re struggling with getting a full shell, think about what OS the target is running - why might your standard one liners not work?

user: manual enumeration is enough here! don’t grep blindly, think about the target system, what you’re looking for and where it might be. Google is your friend!

root: super simple enumeration will show you the way, after that you’ll be able to GTFO no problem :wink:

Really great box overall.
It is cool seeing that kind of vulnerability used on HTB.
Learned many things on the FreeBSD side.

I learned a lot from this box! However, I’m rating it poorly as it sets unrealistic beauty expectations for teachers. jk jk

Seriously I wish I knew how to do this stuff in my first year of uni, this would have helped me get some really nice grades…

I must be missing something here, I know I need to steal a session. I’ve found a technique to do it. Tested it out by sending a message to myself and it worked. Tested it out on the teach**, but it seems like he doesn’t like to open messages received by strangers. Am I going into a rabbit hole?

@benjamin2000 said:

I must be missing something here, I know I need to steal a session. I’ve found a technique to do it. Tested it out by sending a message to myself and it worked. Tested it out on the teach**, but it seems like he doesn’t like to open messages received by strangers. Am I going into a rabbit hole?

+1. I also face the same issue :frowning:. Please can someone guide? I set the profile the teacher had asked to set as well.

@benjamin2000 said:

I must be missing something here, I know I need to steal a session. I’ve found a technique to do it. Tested it out by sending a message to myself and it worked. Tested it out on the teach**, but it seems like he doesn’t like to open messages received by strangers. Am I going into a rabbit hole?

I fell into the same hole. Read the announcement more carefully.

I’m still lost on where to go to find the “learning place”. I tried learning.schooled.htb, teacher…, learn, student, teaching, and so many others. Can someone give me the right direction?

Edit: just found it, but now where to search to find the m****net?

@UVision said:

I’m still lost on where to go to find the “learning place”. I tried learning.schooled.htb, teacher…, learn, student, teaching, and so many others. Can someone give me the right direction?

Edit: just found it, but now where to search to find the m****net?

Read the announcement again. If it’s something you have to set, it has to be somewhere you can access. If everyone has to do it, it should be in a fairly obvious place. Maybe where other information is about the account?