with an unrestricted file upload on IIS web server we gain RCE. web shell> reverse shell > priveEsc with https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 but pwsh is blocked .
transfer a binary using https://github.com/itm4n/PrintSpoofer> use certutil to download a compiled file from github> web content filtering* cant access sites
set up ftp server> windows ftp client> outbound blocked by firewall on 21
impacket smbserver https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbserver.py to create a folder> outgoing on 445 allowed> copy bin to target > privesc