On searchsploit, we can find remote command execution exploits; we just need to find out whether the exploit requires the user to be authenticated.
First we locate nc.exe. Well, I know I have a lot, but we only need one, and we are using the one with windows-binaries since we are dealing with a Windows machine.
First we look at the systeminfo output to understand our machine. I recently found that there is a script called Windows-Exploit-Suggester that detects potential missing patches on the target in order for a user to exploit it. Here are the steps.
Run the script with the systeminfo output and the updated xls file, and it lists several privilege escalation exploit scripts.
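The comparison behind that step can be sketched as a patch-gap check: read the installed hotfixes out of `systeminfo` and flag bulletins whose fix, or any update that supersedes it, is absent. This is an added example, not Windows-Exploit-Suggester's own code; the sample output, the `EXAMPLE-00x` bulletin ids and the KB numbers are constructed placeholders.

```python
import re

# Constructed systeminfo excerpt (not taken from the original post).
SAMPLE_SYSTEMINFO = """\
Host Name:                 LAB-HOST
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
"""

# Constructed bulletin rows: (id, OS substring, fixing KB, KBs that supersede it).
BULLETINS = [
    ("EXAMPLE-001", "Server 2012 R2", "KB0000001", []),
    ("EXAMPLE-002", "Server 2012 R2", "KB0000003", ["KB0000002"]),
    ("EXAMPLE-003", "Server 2012 R2", "KB0000004", ["KB0000005"]),
    ("EXAMPLE-004", "Windows 7", "KB0000006", []),
]

def parse_systeminfo(text):
    """Return (os_name, set of installed KB ids) from systeminfo output."""
    os_name, hotfixes, in_hotfix = "", set(), False
    for line in text.splitlines():
        if line.startswith("OS Name:"):
            os_name = line.split(":", 1)[1].strip()
        elif line.startswith("Hotfix(s):"):
            in_hotfix = True
        elif in_hotfix and line[:1].isspace():
            # Only indented "[nn]: KBxxxxxxx" lines under Hotfix(s) count;
            # the NIC list uses the same "[nn]:" prefix and must be ignored.
            m = re.match(r"\s+\[\d+\]:\s+(KB\d+)", line)
            if m:
                hotfixes.add(m.group(1))
        else:
            in_hotfix = False
    return os_name, hotfixes

def missing_bulletins(text, bulletins=BULLETINS):
    """List bulletin ids that apply to the OS and have no fixing KB installed."""
    os_name, installed = parse_systeminfo(text)
    missing = []
    for bulletin_id, os_match, kb, superseded_by in bulletins:
        if os_match not in os_name:
            continue  # bulletin does not apply to this OS
        if installed.isdisjoint([kb, *superseded_by]):
            missing.append(bulletin_id)
    return missing

if __name__ == "__main__":
    print(missing_bulletins(SAMPLE_SYSTEMINFO))
```

A host whose `Hotfix(s)` field reads `N/A` is reported as missing every bulletin that applies to its OS, so a result like that is worth confirming against the update history before acting on it.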
So with the C script, we have to compile it to an executable file, since the target is Windows, and in the script there are links to the exe file under CVE-2016-7255.
Hmm, the exploit does not work. But we have a lot more to try, so we shall not waste time on this. The next one is MS16-098, an integer buffer overflow; again, a buffer overflow can allow us to get a root shell, so this is not to be left out.