Every time I saw CSRF, I means SSRF.

00:40 - Begin of Recon
04:00 - Start of GoBuster
05:40 - Finding a SSRF
09:00 - Passing arguments to cmd.aspx via SSRF
12:05 - Firewall Enumeration
16:35 - Begin of setting up ICMP Reverse Shell
22:25 - Begin of sending ICMP Rev Shell to Server (Warning: Lots of Fail)
46:31 - Return of ICMP Rev Shell
52:20 - PrivEsc form IIS to Decoder
01:11:15 - Unzipping via Powershell
01:14:05 - Finding Administrator password hidden in NTFS File Stream
01:16:30 - Using Net Use to mount C: As Administrator
01:19:30 - Using IDA to analyze root.exe and grab the flag
01:24:15 - Using Invoke Command to execute root.exe as admin (Lots of Fail)
01:32:52 - Opening up the Firewall then just using RDP to gain access