How can an attacker bypass a firewall that only allows port 80 or 443 to remotely manage a Windows server using the WinRM service?
An attacker can reconfigure the WinRM service to listen on port 80 or 443 instead of its default port 5985. This works because the Windows HTTP.sys driver allows multiple processes to share the same port. Running a command such as `winrm set winrm/config/Listener?Address=*+Transport=HTTP @{Port="80"}` and enabling compatibility mode through the `EnableCompatibilityHttpListener` setting lets the WinRM service reuse port 80. For more details, see the original article, "Bypassing firewall using IIS port sharing feature".
WinRM, port reuse, HTTP.sys, firewall bypass, Windows Remote Management