We start the recon process by running Nmap against our target (10.10.10.5), which reveals an FTP server accepting anonymous connections on TCP port 21.

We can log in there and, at first glance, there’s nothing interesting:

The Nmap scan also reveals an HTTP server running on port 80. Opening http://10.10.10.3:80 in our browser, we can clearly see the IIS7 default page:

Looking for IIS exploits using searchsploit, we found this: