Official Jab Discussion

Official discussion thread for Jab. Please do not post any spoilers or big hints.

Good luck everyone!

That was interesting.


Might need some help on this one. Got any tips to keep in mind?

In the interest of fairness as seasonal is competitive, feel free to reach back out after the box has been live for 24 hours.


Congrats on completing the box btw! Props, you got mad skills tbh

user on this one was tough


Hey. Anyone else having an issue of a static root flag that is invalid on seasonal?

Got user, found some ideas for privesc but would rlly appreciate a bit of a nudge if anyone is up and willing to share :slight_smile:

Any hint for getting user?

(Owned Jab from Hack The Box!)

Got some user list and stuck with it. Any help?

Neat box, feel free to contact me for nudges anytime.


What is a good library to talk xml with the service? Tried the python thing, which errors on the self-signed certificate. Tried a console variant that generates a segmentation fault.

Note that it is not needed for this box, but I tried a way to enumerate the vcards of the other users.

There’s the XMPP Console for that bird-thingy…

Yes thanks, I have used that. The thing is: How to read vcards of 2600+ users?



  • Box’s Name itself is a big hint what you have to explore.
  • Use a good Application to interact with the Service.
  • Don’t Forget AD basics.


  • You might have Encountered the Exploit about it in your initial enumeration phase.
  • Now you just have to make a connection to exploit it.

Feel Free to DM if you need some help.