Official Schooled Discussion

Hey everyone, for the last part before RCE, has anyone had errors stating “is defective or outdated”?

If so, could you please give me a hint as to how you got around this?

So I just rooted this box last night, but I took some nudges to find the right CVE… can anyone PM me what the intended method for grabbing the m***** version was?

Also, finding the ‘place to learn’ took some hints and a lucky guess - turns out I actually did try the correct enumeration technique, but it failed due to limitations of the hosts file - any tips on how to get that particular enumeration technique to work in an environment without proper DNS would be greatly appreciated!

HINTS:
foothold: find the right place, explore the functionality and read carefully - there’s a great hint for the first step already - treat it like a real-world scenario not just a CTF! After that, find the right vuln and follow the steps carefully!

rev shell: if you’re struggling with getting a full shell, think about what OS the target is running - why might your standard one liners not work?

user: manual enumeration is enough here! don’t grep blindly, think about the target system, what you’re looking for and where it might be. Google is your friend!

root: super simple enumeration will show you the way, after that you’ll be able to GTFO no problem :wink:

Really great box overall.
It is cool seeing that kind of vulnerability used on HTB.
Learned many things on the FreeBSD side.

I learned a lot from this box! However, I’m rating it poorly as it sets unrealistic beauty expectations for teachers. jk jk

Seriously I wish I knew how to do this stuff in my first year of uni, this would have helped me get some really nice grades…

I must be missing something here, I know I need to steal a session. I’ve found a technique to do it. Tested it out by sending a message to myself and it worked. Tested it out on the teach**, but it seems like he doesn’t like to open messages received by strangers. Am I going into a rabbit hole?

@benjamin2000 said:

I must be missing something here, I know I need to steal a session. I’ve found a technique to do it. Tested it out by sending a message to myself and it worked. Tested it out on the teach**, but it seems like he doesn’t like to open messages received by strangers. Am I going into a rabbit hole?

+1. I also face the same issue :frowning:. Please can someone guide. I set the profile the teacher had asked to set as well.

@benjamin2000 said:

I must be missing something here, I know I need to steal a session. I’ve found a technique to do it. Tested it out by sending a message to myself and it worked. Tested it out on the teach**, but it seems like he doesn’t like to open messages received by strangers. Am I going into a rabbit hole?

I fell into the same hole. Read the announcement more carefully.

I’m still lost on where to go to find the “learning place”. I tried learning.schooled.htb, teacher…, learn, student, teaching, and so many others. Can someone give me the right direction?

Edit: just found it, but now where to search to find the m****net?

@UVision said:

I’m still lost on where to go to find the “learning place”. I tried learning.schooled.htb, teacher…, learn, student, teaching, and so many others. Can someone give me the right direction?

Edit: just found it, but now where to search to find the m****net?

Read the announcement again. If it’s something you have to set, it has to be somewhere you can access. If everyone has to do it, it should be in a fairly obvious place. Maybe where other information is about the account?

@TGRHavoc said:

Read the announcement again. If it’s something you have to set, it has to be somewhere you can access. If everyone has to do it, it should be in a fairly obvious place. Maybe where other information is about the account?

Yeah, I found an interesting field on my profile account, I think this is the right place to put the “thing”. Should I create an account on the m****n** website?

I think I must put my m***n profile URL in this field.

@UVision said:

@TGRHavoc said:

(Quote)
Yeah, I found an interesting field on my profile account, I think this is the right place to put the “thing”. Should I create an account on the m****n** website?

You shouldn’t have to create any other accounts… Maybe just try your thing?

@TGRHavoc said:

You shouldn’t have to create any other accounts… Maybe just try your thing?

Just realized what I can place into this field, I will try it :)

Found a hash but can’t crack it. Is this the right path for getting user j***e?

Edit: managed to crack with j was using h**c*t. Got user.

Just got RCE, any hint for user? I found my*** creds, but no my*** seems to be running on that box.

Edit: just found what I need.

Rooted, nice box!

Foothold: Enumeration is crucial. Don’t overlook different kinds of enumeration, eventually you’ll land in the right place. Read carefully all messages so you can “steal” the opportunity to do something evil. With the help of Google you’ll understand what to do to go further.
User: Enumeration (not necessarily with classical tools), dig well from the starting point and go grab what you need.
Root: Enumeration on permissions, was not so hard but I liked it.

Thanks for the box!

Rooted, very fun box ;)

PM me to get some hints.

Just Finished the Box. If help needed just send me a message. :slight_smile:

I’ve found m****e but unsure where to go from here, could anyone please give me a nudge in the right direction?

@stonecreek said:

I’ve found m****e but unsure where to go from here, could anyone please give me a nudge in the right direction?

You must get a teacher account. Find a teacher online, and try to steal his account with a well-known vuln (not a CVE). :wink: