Nov 29, 2011

Breaking out of an IIS 5.1 Jail

During a recent assessment I was able to upload a meterpreter ASP payload and execute it on an IIS 5.1 system. getuid showed that I was running as IWAM_systemname, and attempts to escalate privileges with both getsystem and the AtAbuse meterpreter script did not get me anywhere. After some googling I stumbled across the idea of pivoting to localhost.

This idea blew my mind in two ways. First, the number of vulnerabilities you can reach grows substantially when you have access to the services listening on localhost, and in most cases interacting with them bypasses any safeguards put in place, such as a firewall; in this assessment I was able to pop the box with MS08-067. Secondly, why would a company (Microsoft) go to such lengths to restrict a service to a jail, but still allow that user to have routing privileges? I get it, it is an internet service, it needs access to networking to create listeners and potentially do routing, but still.

Anyways, I wanted to document this so I don't forget it. Hopefully a lot more of these will be posted in the future.
