Official Schooled Discussion

124

Comments

  • edited April 9

    .

  • @baitin said:

    Can I get a nudge on getting user?

    Just basic enumeration is enough... keep in mind, the folder structure is a bit different

    sicario1337

    Happy to assist and 'Respect' is always appreciated
  • Well... Up to the root part, I was fine. I struggled a bit because even though I had the correct vulnerability, I wasn't using it in the right place. I like this kind of attack; it's realistic and I find it to be somewhat elegant if done right.
    The root part... Well, I hate *BSD. Every time I have to deal with it I feel like the documentation is awful. With that being said, it turns out that I had found the solution pretty early on but probably made a mistake implementing it. Seeing that it didn't work as expected, I moved on to other ideas and wasted quite a lot of time. Fortunately @TGRHavoc put me back on the right path and it was just a matter of minutes before getting that golden shell root I was craving for :) Sooo yeah, really regretting not logging my inputs here, as I'm really curious why that didn't work the first time.
    Thanks also to @sicario1337 and @clure for their quick answers and trying to help me :)

    By the way, am I the only one who had a really bad time on the last step to user? I had between 30 and 90 seconds to figure out something before I had to start the process all over again because my RCE was destroyed.

    dragonista

  • This was abnormally hard for me, since I did not expect HTB boxes to have the functionality that this one did. XSS is actually feasible this time!


  • Foothold: If you found a video then also look for the associated g**h**.
    The video I used quickly skimmed over an important part, making me think I was in a rabbit hole when I wasn't. Thanks for the hints.

    User: Look around first before trying to upgrade your shell, you might find some useful stuff. You will find some other good stuff in that general area.

    Root: Takes like a minute if you look in g***b***. By far the easiest part.

  • I am trying to open an account but it says "This email is not one of those that are allowed".
    Any hint?!!

  • @dj3bb4ran0n said:

    I am trying to open an account but it says "This email is not one of those that are allowed".
    Any hint?!!

    tried @student.schooled.htb

  • Rooted at last. Root part by far the easiest after a painful foothold part.

  • @foalma321 said:

    @dj3bb4ran0n said:

    I am trying to open an account but it says "This email is not one of those that are allowed".
    Any hint?!!

    tried @student.schooled.htb

    Yes, I visited this one and I tested the email that was mentioned there and I'm still getting the same message. I even tried [teacher's name]@[nameofthebox].htb but I'm still getting the same message.

  • Compared to the foothold, root is tooooooo easy. I spent some time googling but I realized that I had already bookmarked the resource I needed before LOL.

    CISSP
    Hack The Box
    ++Respect if you think I help =]

  • Can someone give me some hints for foothold? I've found the place of learning, I've set up what he asked but now I have no idea for next steps. I'm guessing I have to h_j__k his s_ss__n? I found a video explaining a path for Stored X and getting what I'm looking for there but I'm not sure I'm on the right track...

    Hack The Box

  • Got rce but none of the rev shell one liners seems to be working for me. Also can't find any wget or curl to upload files on the box. Any nudges?

  • @dj3bb4ran0n said:

    @foalma321 said:

    @dj3bb4ran0n said:

    I am trying to open an account but it says "This email is not one of those that are allowed".
    Any hint?!!

    tried @student.schooled.htb

    Yes, I visited this one and I tested the email that was mentioned there and I'm still getting the same message. I even tried [teacher's name]@[nameofthebox].htb but I'm still getting the same message.

    The emails allowed are of the form [email protected]

    dragonista

  • @jw0 said:
    Can someone give me some hints for foothold? I've found the place of learning, I've set up what he asked but now I have no idea for next steps. I'm guessing I have to h_j__k his s_ss__n? I found a video explaining a path for Stored X and getting what I'm looking for there but I'm not sure I'm on the right track...

    You are :) Take your time and read carefully anything that might be a hint. Also don't be like me and look at every user input.

    dragonista

  • @gs4l said:
    Got rce but none of the rev shell one liners seems to be working for me. Also can't find any wget or curl to upload files on the box. Any nudges?

    The syntax is hard to get. I can only tell you to try stuff, rearrange the terms, see what happens and eventually you'll find a way to get what you need.
    One problem that might occur is that since everyone seems to be using the same commands/names straight from Google, then when one uses a command, it conflicts with yours. I'm not 100% sure it's related but my life became easier after I just gave different names to specific files.

    dragonista

  • @dragonista said:

    @dj3bb4ran0n said:

    @foalma321 said:

    @dj3bb4ran0n said:

    I am trying to open an account but it says "This email is not one of those that are allowed".
    Any hint?!!

    tried @student.schooled.htb

    Yes, I visited this one and I tested the email that was mentioned there and I'm still getting the same message. I even tried [teacher's name]@[nameofthebox].htb but I'm still getting the same message.

    The emails allowed are of the form [email protected]

    Got it I was doing it wrong [email protected]

  • edited April 11

    @dragonista said:

    @gs4l said:
    Got rce but none of the rev shell one liners seems to be working for me. Also can't find any wget or curl to upload files on the box. Any nudges?

    The syntax is hard to get. I can only tell you to try stuff, rearrange the terms, see what happens and eventually you'll find a way to get what you need.
    One problem that might occur is that since everyone seems to be using the same commands/names straight from Google, then when one uses a command, it conflicts with yours. I'm not 100% sure it's related but my life became easier after I just gave different names to specific files.

    Thanks mate, I was blindly just uploading the zip file for rce. Looked at the contents in the zip and got an idea and it worked.
    Just got user

    Edit: got root ... not sure whether the root part was meant to be the way I got it

    Feel free to DM for hints

  • Foothold: Simple enumeration leads you there. It's ugly to do, but you might need to steal something! If you don't know what to steal, check around what you can do and see.
    User: Not difficult, the standard enumeration should lead you where you need
    Root: Actually pretty straightforward with the traditional first command

    If someone needs help just reach out to me!!

  • Rooted! Interesting machine on the Initial Foothold, remembered a previous machine. Here are my hints:

    • Initial Foothold: Try to enumerate in a different way as we are used to. When you discover what you need to do, then remember to steal something you need and follow instructions.
    • User: Very straightforward. Basic enumeration will do the trick.
    • Root: Just check the basics and execute.
  • Rooted!! With big help from @gs4l
    Fun box, definitely need more real-world boxes like this

  • edited April 13

    Hi, if anyone could push me in the right direction it would be much appreciated!

    I have found what I think is the right PoC video but when I upgrade to a M*****r I don't see another user I can log in as that can access S***A*************.

    Thanks!

    EDIT: Got the right user

  • edited April 14

    Hi, I have done all of my enumeration. I have reached the point of madness by looking over and over all the files and nothing sticks out. I have RCE on the box as www. I have access to the M***L but I have no clue what to do with the info that I have. I have tried every cryptographic method possible. Any ideas?

    Edit: Never mind, hashcat just decided to never tell me that the hash was actually cracked

  • edited April 15

    .

  • Hey everyone, for the last part before RCE, has anyone had errors stating "is defective or outdated"?

    If so, could you please give me a hint as to how you got around this?

  • So I just rooted this box last night, but I took some nudges to find the right CVE... can anyone PM me what the intended method for grabbing the m***** version was?

    Also, finding the 'place to learn' took some hints and a lucky guess - turns out I actually did try the correct enumeration technique, but it failed due to limitations of the hosts file - any tips on how to get that particular enumeration technique to work in an environment without proper DNS would be greatly appreciated!

    HINTS:
    foothold: find the right place, explore the functionality and read carefully - there's a great hint for the first step already - treat it like a real-world scenario not just a CTF! After that, find the right vuln and follow the steps carefully!

    rev shell: if you're struggling with getting a full shell, think about what OS the target is running - why might your standard one liners not work?

    user: manual enumeration is enough here! don't grep blindly, think about the target system, what you're looking for and where it might be. Google is your friend!

    root: super simple enumeration will show you the way, after that you'll be able to GTFO no problem ;)

  • Really great box overall.
    It is cool seeing that kind of vulnerability used on HTB.
    Learned many things on the FreeBSD side.

  • I learned a lot from this box! However, I'm rating it poorly as it sets unrealistic beauty expectations for teachers. jk jk

    Seriously I wish I knew how to do this stuff in my first year of uni, this would have helped me get some really nice grades....

  • I must be missing something here, I know I need to steal a session. I've found a technique to do it. Tested it out by sending a message to myself and it worked. Tested it out on the teach**, but it seems like he doesn't like to open messages received by strangers. Am I going into a rabbit hole?

    Benjamin2000

  • @benjamin2000 said:

    I must be missing something here, I know I need to steal a session. I've found a technique to do it. Tested it out by sending a message to myself and it worked. Tested it out on the teach**, but it seems like he doesn't like to open messages received by strangers. Am I going into a rabbit hole?

    +1. I also face the same issue :( Can someone please guide me? I set the profile the teacher had asked to set as well

  • @benjamin2000 said:

    I must be missing something here, I know I need to steal a session. I've found a technique to do it. Tested it out by sending a message to myself and it worked. Tested it out on the teach**, but it seems like he doesn't like to open messages received by strangers. Am I going into a rabbit hole?

    I fell into the same hole. Read the announcement more carefully.

    dragonista
