Official Schooled Discussion

Hi, if anyone could push me in the right direction it would be much appreciated!

I have found what I think is the right PoC video but when I upgrade to a M**r I don’t see another user I can log in as that can access SA*************.

Thanks!

EDIT: Got the right user

Hi, I have done all of my enumeration and I have reached the point of madness by looking over and over all the files, and nothing sticks out. I have RCE on the box as www and I have access to the M***L, but I have no clue what to do with the info that I have. I have tried every cryptographic method possible. Any ideas?

Edit: Never mind, hashcat just decided to never tell me that the hash was actually cracked.

.

Hey everyone, for the last part before RCE, has anyone had errors stating “is defective or outdated”?

If so, could you please give me a hint as to how you got around this?

So I just rooted this box last night, but I took some nudges to find the right CVE… Can anyone PM me what the intended method for grabbing the m***** version was?

Also, finding the ‘place to learn’ took some hints and a lucky guess - turns out I actually did try the correct enumeration technique, but it failed due to limitations of the hosts file - any tips on how to get that particular enumeration technique to work in an environment without proper DNS would be greatly appreciated!

HINTS:
foothold: find the right place, explore the functionality and read carefully - there’s a great hint for the first step already - treat it like a real-world scenario not just a CTF! After that, find the right vuln and follow the steps carefully!

rev shell: if you’re struggling with getting a full shell, think about what OS the target is running - why might your standard one liners not work?

user: manual enumeration is enough here! don’t grep blindly, think about the target system, what you’re looking for and where it might be. Google is your friend!

root: super simple enumeration will show you the way, after that you’ll be able to GTFO no problem :wink:

Really great box overall.
It is cool seeing that kind of vulnerability used on HTB.
Learned many things on the FreeBSD side.

I learned a lot from this box! However, I’m rating it poorly as it sets unrealistic beauty expectations for teachers. jk jk

Seriously I wish I knew how to do this stuff in my first year of uni, this would have helped me get some really nice grades…

I must be missing something here, I know I need to steal a session. I’ve found a technique to do it. Tested it out by sending a message to myself and it worked. Tested it out on the teach**, but it seems like he doesn’t like to open messages received by strangers. Am I going into a rabbit hole?

@benjamin2000 said:

I must be missing something here, I know I need to steal a session. I’ve found a technique to do it. Tested it out by sending a message to myself and it worked. Tested it out on the teach**, but it seems like he doesn’t like to open messages received by strangers. Am I going into a rabbit hole?

+1. I also face the same issue :frowning:. Can someone please guide me? I set the profile the teacher had asked to set as well.

@benjamin2000 said:

I must be missing something here, I know I need to steal a session. I’ve found a technique to do it. Tested it out by sending a message to myself and it worked. Tested it out on the teach**, but it seems like he doesn’t like to open messages received by strangers. Am I going into a rabbit hole?

I fell into the same hole. Read the announcement more carefully.

I’m still lost on where to go to find the “learning place”. I tried learning.schooled.htb, teacher…, learn, student, teaching, and so many others. Can someone give me the right direction?

Edit: just found it, but now where to search to find the m****net?

@UVision said:

I’m still lost on where to go to find the “learning place”. I tried learning.schooled.htb, teacher…, learn, student, teaching, and so many others. Can someone give me the right direction?

Edit: just found it, but now where to search to find the m****net?

Read the announcement again. If it’s something you have to set, it has to be somewhere you can access. If everyone has to do it, it should be in a fairly obvious place. Maybe where other information is about the account?

@TGRHavoc said:

Read the announcement again. If it’s something you have to set, it has to be somewhere you can access. If everyone has to do it, it should be in a fairly obvious place. Maybe where other information is about the account?

Yeah, I found an interesting field on my profile account, I think this is the right place to put the “thing”. Should I create an account on m****n** website?

I think I must put my m***n profile URL in this field.

@UVision said:

@TGRHavoc said:

(Quote)
Yeah, I found an interesting field on my profile account, I think this is the right place to put the “thing”. Should I create an account on m****n** website?

You shouldn’t have to create any other accounts… Maybe just try your thing?

@TGRHavoc said:

You shouldn’t have to create any other accounts… Maybe just try your thing?

Just realized what I can place into this field, I will try it :)

Found a hash but can’t crack it. Is this the right path for getting user j***e?

Edit: managed to crack with j was using h**c*t. Got user.

Just got RCE, any hint for user? I found my*** creds, but no my*** seems to be running on that box.

Edit: just found what I need.

Rooted, nice box!

Foothold: Enumeration is crucial. Don’t overlook different kinds of enumeration, eventually you’ll land in the right place. Read carefully all messages so you can “steal” the opportunity to do something evil. With the help of Google you’ll understand what to do to go further.
User: Enumeration (not necessarily with classical tools), dig well from the starting point and go grab what you need.
Root: Enumeration on permissions, was not so hard but I liked it.

Thanks for the box!

Rooted, very fun box ;)

PM me to get some hints.