intro

with an unrestricted file upload on IIS web server we gain RCE. web shell> reverse shell > priveEsc with https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 but pwsh is blocked .

transfer a binary using https://github.com/itm4n/PrintSpoofer> use certutil to download a compiled file from github> web content filtering* cant access sites

set up ftp server> windows ftp client> outbound blocked by firewall on 21

impacket smbserver https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbserver.py to create a folder> outgoing on 445 allowed> copy bin to target > privesc

windows file transfer methods

Linux file Transfer methods

With code

Miscellaneous