From nmap, there is http service. And from gobuster, there is a transfer.aspx page.

Local Picture

This is the web page, and we can upload files.

Local Picture

I tried to upload a php reverse shell, but failed.

Local Picture

I later found that we can upload .config file. After googling, I found the article https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/ for RCE with a web.config on IIS.

Local Picture

I upload a web.config containing reverse shell. Access it in directory /uploadedfiles/web.config. I get the reverse shell.

Local Picture

With whoami /priv, I saw that SeImpersonatePrivilege is enabled. That is, Juicy Potato may work.

Local Picture

Prepare a run.bat to execute powershell reverse shell script.

Local Picture

Run Juicy Potato with process run.bat.

Local Picture

Finally, we get a reverse shell as administrator.

Local Picture