Official Schooled Discussion

Type your comment> @0xffe4 said:

Stuck at privelege escalation part.
Found misconfiguration but have no idea how to exploit it.
Can someone kindly nudge me in right direction?

Stuck with privesc either. Found the misconfiguration but have no idea about how to proceed. Can anyone give me a nudge?

Cheers for the box @TheCyberGeek, I’ve been always thinking if one of these was possible to pull off and loved how the initial exploit worked!


Use your noodle, you’ll likely know what you need to get, but be sure to checkout the rate matrix for this box. My biggest tip would be to think about this box as though it is REAL and not a challenge hosted on a isolated network. The type of exploit will become clear when you find it although implementing it can be fiddly. (A certain type of meat can help)


Simple enumeration that I rushed (cheers @AbuQasem for the nudge).


You’ll likely find the “misconfiguration” that is mentioned previously. It seems hard to exploit but I would recommend reading the Git README for it - if you are stuck

PM for more nudges but be sure to tell me how much you’ve found

Fun box overall, but no one is here for my opinions, so here are your hints:


This was great: it’s a very “real life” attack vector and there should definitely be more boxes like this one. I tend to not even look at things like this in HTB machines, luckily there is a big hint once you get access to the application, I would have never even tried it otherwise. Just enumerate a bit, do some research on the application and don’t exclude anything from your attack tree just because “well, it’s HTB”.


An evergreen, not very much to say.


Wait, what day is it? I’m sure I have done this already last week… There must be some glitch in the matrix.

As usual, feel free to PM me if you want cryptic hints, but be patient as I can’t be very responsive. Also do your homework, ask smart questions and make sure you showcase your assumptions and attack process: don’t just ask me to build one for you.

please, don’t just say “I’m stuck” or “I don’t know what to do”. Be familiar with this concepts (read introduction at least) before sending me DMs: How To Ask Questions The Smart Way

Great one, thank you :slight_smile:

Can someone DM to help? :slight_smile:

└──╼ $nc -lvnp 9001
listening on [any] 9001 …
connect to [10.10.14.XXX] from (UNKNOWN) [] 60351




uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

ROOTED. Foothold is frustrating for me. and getting to root is the easiest one.
message me for hints

Getting root was hardest part for me :smiley:
Privilege escalation itself is obvious, but implementing it takes some time if you aren’t familiar with freebsd.

Also big thanks to @AbuQasem for giving me tips about implementation part.

Well I’m pretty stuck. I’m in as a teacher but I’m not sure what to aim for next. Hoping to find something that I can abuse.

Any hint to get into teacher?

Type your comment> @0xffe4 said:

Getting root was hardest part for me :smiley:
Privilege escalation itself is obvious, but implementing it takes some time if you aren’t familiar with freebsd.

Also big thanks to @AbuQasem for giving me tips about implementation part.

You’re welcome ?

Spoiler Removed

Type your comment> @chiakheewei said:

Any hint to get into teacher?

The hint is already given my the Teacher in his message to the new enrolled students.

@chiakheewei said:

Any hint to get into teacher?

Have a look at what’s been posted on the website. Specifically looking for anything that should be seen by a lot of people… Now, mess around with it (the thing that’s mentioned).

need help for root . an anyone help me

Still stuck as a teacher. I can’t seem to figure out how to abuse any of the vulnerabilities in this software.
Probably because I don’t have a template to base my attack from. Or maybe I’m going about it the wrong way.

At the risk of sounding like a wank… This community is brilliant. I’ve finally got a decent foothold on this box. I got nudges to a vulnerability that I had missed and I’ll not make that mistake again. At least not until the next time. I would not have figured that out alone.

I have enumerated all the things and found the place to learn. I have found several exploits, but none that would look like they worked and one that I thought would work if I gave it some info from the place where I learn. Can someone help me out with the exploit for initial foothold?

I though if I found the application version that would help me out but I have still not found it.

So I have managed to “cross” over to teacher user, but not sure where to go from here. I have seen authenticated exploits, but haven’t found a way to pop that shell yet. any nudges would be appreciated

Theres people here saying that getting the root was the easiest part, but i’m really struggling on that! I know what to do but just not how to build it. And every article I read I get more confused about it xD
So I could really appreciate if someone could DM me with a help.

User owned :slight_smile: very nice box yet again!

reminded me a bit of htb-teacher box and htb-crossfit box

on my way to root ^^

Edit: Rooted! Thanks @TheCyberGeek !