# Nmap 7.70 scan initiated Sun May 5 23:42:47 2019 as: nmap -Pn -T4 --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit --open -oN nmap/Quick_10.11.1.229.nmap 10.11.1.229
Warning: 10.11.1.229 giving up on port because retransmission cap hit (1).
Nmap scan report for 10.11.1.229
Host is up (0.29s latency).
Not shown: 988 filtered ports, 3 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
1025/tcp open  NFS-or-IIS
3389/tcp open  ms-wbt-server
MAC Address: 00:50:56:93:4C:3D (VMware)

# Nmap done at Sun May 5 23:43:11 2019 -- 1 IP address (1 host up) scanned in 24.16 seconds

Port 80 runs a WebDAV server.

PUT, COPY and MOVE are allowed,

but .asp and .aspx files are not allowed.

Other file types are not supported or not allowed.

IIS 6.0 WebDAV has a known exploit in which a file name of the form .asp;.txt is allowed.
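From the defender's side, the WebDAV findings above leave traces in the IIS W3C logs. The following is an added example, not part of the original notes: it flags successful WebDAV write verbs and request names where a script extension is followed by `;`. The log lines, client addresses and the extension list (`asp`, `asa`, `cer`, `cdx`) are constructed assumptions for illustration.

```python
import re

# Constructed sample in IIS W3C extended format (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2019-05-05 23:50:01 GET /index.htm - 192.0.2.10 200
2019-05-05 23:50:07 PUT /notes.txt - 192.0.2.10 201
2019-05-05 23:50:09 PUT /page.asp - 192.0.2.10 403
2019-05-05 23:50:15 MOVE /notes.txt - 192.0.2.10 201
2019-05-05 23:50:20 GET /notes.asp;.txt - 192.0.2.10 200
2019-05-05 23:50:31 PROPFIND / - 192.0.2.11 207
"""

WRITE_METHODS = {"PUT", "COPY", "MOVE"}
# Script extension followed by ';': IIS 6.0 picks the handler from the part before ';'.
# The extension list is an assumption; adjust it to the server's script mappings.
SEMICOLON_NAME = re.compile(r"\.(asp|asa|cer|cdx);", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_suspicious(text):
    """Return (reason, record) pairs for WebDAV writes and semicolon file names."""
    hits = []
    for rec in parse_w3c(text):
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        status = rec.get("sc-status", "")
        if SEMICOLON_NAME.search(stem):
            hits.append(("semicolon-script-name", rec))
        elif method in WRITE_METHODS and status.startswith("2"):
            hits.append(("webdav-write-succeeded", rec))
    return hits

if __name__ == "__main__":
    for reason, rec in find_suspicious(SAMPLE_LOG):
        print(reason, rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"])
```

The destination of a MOVE or COPY travels in the `Destination` header, which the default log fields do not record, so the semicolon check only fires once the renamed file is requested.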

Windows 2003 with the user

We could use something to escalate privileges:

https://simonuvarov.com/privilege-escalation-via-token-kidnapping/