First: Enumerate the folders that the users group have access to it

accesschk.exe -accepteula -wus "Users" c:\*.* > C:\RTO\fld-use.txt

Second: Enumerate the folders that the Authenticated Users group have access to it

accesschk.exe -accepteula -wus "Authenticated Users" c:\*.* > C:\RTO\fld-authusr.txt

Third: Open the file and investigate it

notepad c:\rto\fld-authusr.txt

Notice that we have RW access to the Putty Folder

Fourth: Replace any Putty.exe with our payload