21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 7.5
Anonymous ftp upload to web root with aspx shell
This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows.
Anonymous login allowed.
Upload a test file to see if it is executed
Test to see if file is accessible remotely:
Now generate and an aspx shell.
Open msfconsole and set a listener.
Upload vdk.aspx via anonymous ftp
Request the file with curl
Watch your listener spawn a shell.
Enumerate the system for privesc opportunities with local exploit suggester.
Execute the exploit
Check we have system access
Collect the flags: