Remote

Got brain damage on user payload.

C:\Windows\system32>whoami
whoami
nt authority\system

Hack The Box

Is anyone else having issues getting the U****c to open a connection back while running the abusive command? It says it has completed but I am not getting a root shell.

Finally rooted. User part was hard for me, I got help for user part. Root’s part was easy but took some time :wink:

User Hint: Look at ports and search services. When you find some creds, think simply about what you can do; then maybe you need to change some things to get a shell.

Root Hint: Look at what services are running. When you find it, Google is your helper. How can it be exploited?

Spoiler Removed

Root, TY @zaqqaza5

For people that rooted the machine, what are you using to extract the administrator hash so I can look up some of these walkthroughs?

Finally got user! Yaaay!!!

The PoC did the trick and the solution is pretty simple (even if it took me hours to accomplish), with no worries about where to save the payload! :wink:
I don’t know PS syntax very well, so I was overthinking the payload instructions, and actually there are better tools than me to create good payloads…

Many thanks to @MrHyde for this help!

@menorevs said:

For people that rooted the machine, what are you using to extract the administrator hash so I can look up some of these walkthroughs?

Yeah, this is exactly why I don’t like the new dynamic flags :frowning: Made a thread about it here, FYI: So how do we protect write ups now? - Writeups - Hack The Box :: Forums

Hey guys, I’ve already found 3 usernames and 2 passwords (they should be) but none of them work… can someone PM me please?

Rooted :slight_smile:

Thanks to the creator.
Root is very straightforward once you find the service to exploit.

Feel free to PM if you need help

I got my PoC to work but for some reason my reverse shell is not. Can anybody send me a PM to discuss the different ways to upload it?

@MrFlash24 said:

I got my PoC to work but for some reason my reverse shell is not. Can anybody send me a PM to discuss the different ways to upload it?

You need to find a location where you can write to and execute it from.

Can anyone help me with the exploit code? I am getting an error ‘requests.exceptions.MissingSchema’.

I found the high port and have m*ted it. I can see s file and I know I need to look into it. But I cannot copy it locally.

Could anyone help if I am on the right path?

@unmesh836 said:

I found the high port and have m*ted it. I can see s file and I know I need to look into it. But I cannot copy it locally.

Could anyone help if I am on the right path?

I am not sure. The port certainly isn’t the highest and I don’t know what the file is. If you have mounted it, you should be able to read it without needing to copy it locally - it just makes it a bit faster.

Not able to find a way to execute or download something via the PoC. I was able to ping my Kali machine with both cmd and PowerShell. I tried both HTTP and SMB for downloading, nothing works. Can anyone DM me?

Rooted.

What a fantastic box. I really enjoyed this one. I certainly learned something new. Lots of Rabbit Holes and I certainly fell into a few of them due to a lack of sleep.

Happy to help anyone out, just be a little descriptive regarding where you are and what you’ve tried. :wink:

I’m on the road to root, but while stopping service U*c via "sc.exe stop Uc"
I got this error:
"""
[SC] ControlService FAILED 1062:
The service has not been started.
"""
Can anyone help me???

@Twe1ve said:

I’m on the road to root, but while stopping service U*c via "sc.exe stop Uc"
I got this error:
"""
[SC] ControlService FAILED 1062:
The service has not been started.
"""
Can anyone help me???

That’s just because someone else has stopped it before you using the same command.

You can use ‘sc.exe qc u****c’ to query the status of a service.

Can someone PM me please? I got the PoC working and can send stuff but can’t execute it.