Welp, I get to start in an area that I probably know least about, Windows. I’m sure someday I’ll look back and think this was silly easy, because of the fact that I have access through one set of credentials. However, the goal is to get administrator, or even better, system access. So I’m learning about how Windows keeps track of that sort of thing.
Starting with Security Accounts Manager (SAM), the database of where password hashes are stored. At this point, I’m guessing it’s akin to the /etc/shadow file. Now to figure out where it is and how to access it, because it appears that only the system level user actually has access.