First: Enumerate the folders that the users group have access to it

accesschk.exe -accepteula -wus "Users" c:\\*.* > C:\\RTO\\fld-use.txt

Second: Enumerate the folders that the Authenticated Users group have access to it

accesschk.exe -accepteula -wus "Authenticated Users" c:\\*.* > C:\\RTO\\fld-authusr.txt

Third: Open the file and investigate it

notepad c:\\rto\\fld-authusr.txt

Notice that we have RW access to the Putty Folder

Fourth: Replace any Putty.exe with our payload