1. Enumeration. I started with a basic port scan and found that only a single port was exposed:

At first glance, having only port 80 open might seem limiting, but in practice, it narrows the attack surface and makes the next steps more focused. The most interesting finding here is the outdated version of IIS 6.0 in combination with WebDAV.
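
An added example (not from the original write-up): a defender-side inventory check for the combination flagged above, IIS 6.0 with WebDAV enabled, applied to the headers of an OPTIONS response. The sample responses and host names are constructed, and the check assumes the Server banner is accurate, which an administrator may have altered.

```python
"""Flag hosts whose OPTIONS response shows IIS 6.0 together with WebDAV."""

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed responses to "OPTIONS / HTTP/1.1" (not captured from a real host).
SAMPLES = {
    "legacy-web": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nMS-Author-Via: DAV\r\n"
                  "DAV: 1, 2\r\nPublic: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, "
                  "MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
                  "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
                  "Content-Length: 0\r\n\r\n",
    "iis6-no-dav": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
                   "Allow: OPTIONS, TRACE, GET, HEAD\r\nContent-Length: 0\r\n\r\n",
    "other-web": "HTTP/1.1 200 OK\r\nserver: nginx\r\nallow: GET, HEAD\r\n\r\n",
}

def parse_headers(raw):
    """Return header names (lower-cased) mapped to values, skipping the status line."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def assess(raw):
    """Report whether the response advertises IIS 6.0 and any WebDAV capability."""
    headers = parse_headers(raw)
    methods = set()
    for name in ("allow", "public"):
        methods.update(m.strip().upper() for m in headers.get(name, "").split(",") if m.strip())
    dav_methods = sorted(methods & WEBDAV_METHODS)
    # WebDAV is advertised either by a DAV compliance header or by DAV verbs.
    webdav = "dav" in headers or bool(dav_methods)
    iis6 = headers.get("server", "").lower() == "microsoft-iis/6.0"
    return {"iis6": iis6, "webdav": webdav, "dav_methods": dav_methods,
            "flag": iis6 and webdav}

if __name__ == "__main__":
    for host, raw in SAMPLES.items():
        result = assess(raw)
        status = "REVIEW: IIS 6.0 + WebDAV" if result["flag"] else "ok"
        print(f"{host:12} {status} {result['dav_methods']}")
```

Hosts that are flagged are candidates for disabling the WebDAV extension or retiring the server.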

2. Checking for exploits. Apparently the outdated version of IIS is exploitable with a buffer overflow attack:

3. Exploitation. In this stage we are going to use the Metasploit Framework. First of all, let's find a ScStoragePathFromUrl exploit and set the options:

As a result, we've successfully gained a session for a low privilege account:

After successfully exploiting ScStoragePathFromUrl, I obtained a Meterpreter session running under the NT AUTHORITY\NETWORK SERVICE account. At this point, I attempted to run a privilege escalation exploit — but immediately ran into the following error:

Operation failed: Access is denied

Initially, this was confusing. I already had a shell, so I expected post-exploitation modules to work without issues.

I thought that having a Meterpreter session meant I had a stable and fully usable foothold on the system. In reality, the session was tied to a specific process — in this case, the IIS worker process. This introduced two important limitations:

  • The process itself had restricted permissions
  • It was not stable (it could restart or terminate)

Why the error happens

Even though the session was running under NETWORK SERVICE, not all processes running under the same account have the same capabilities.

The exploit I attempted required interacting with the system in ways that the current process did not allow. The issue was the process context.

The missing step: process migration

The solution was to migrate the Meterpreter session into another process.

By listing running processes with ps, I identified other processes running under the same account (w3wp.exe, davcdata.exe) and migrated to w3wp.exe.

Consequently, I used the local_exploit_suggester to find vulnerabilities:

And after using the kitrap0d exploit, I was able to escalate privileges and gain NT AUTHORITY\SYSTEM.
