Rooted
User: You have one password, try to get it working. Something evil happens when SysAdmins are lazy. Then go to the roots and force your way in
Root: You will find what you will abuse. After that I´ll say following: The file you will use can be remotely or on the machine. For the second way it doesn’t matter where it is but you have to make it by yourself or the AV will nuke it, poison doesn’t work.
If you go by the remote path trust in impacket and his servers before you use a native tool. As bonus you will see with impacket if it really gets contacted and you will know that the file is on his way to the machine