The MSP Startup Pwnbox Architecture

Windows

Enumeration

Open Services:

  • SSH (22/tcp)
  • WordPress (80/tcp) - Running in Docker container
  • Mantis Bug Tracker (55555/tcp) - External ticketing system
  • Lansweeper 10.1.1.0 (internal) - Asset management system

Attack Flow

graph TD
    A[WordPress] -->|CVE-2025-2594| B[WordPress Admin]
    B -->|DB Credentials| C[MantisBT Login]
    C -->|CVE-2019-15715| D[Reverse Shell]
    D -->|Network Scan| E[Lansweeper 10.1.1.0]
    E -->|CVE-2022-29517| F[SYSTEM Shell]
    F -->|Access root.txt| G[Administrator Desktop]
    style A fill:#4ade80,stroke:#333
    style G fill:#f87171,stroke:#333

Detailed Steps

1. WordPress Enumeration

Company Overview:

  • MSP (Managed Service Provider) serving multiple enterprise clients
  • Pride themselves on a state-of-the-art asset management system
  • Highly organized IT infrastructure management structure

About Us Page Findings:

  • Lists key staff members and their roles
  • Interns are mentioned with their full names and responsibilities
  • Subtle hints about interns using simple password policies
  • References to internal documentation about password policies

Exploitation:

  • Identify vulnerable plugins in use
  • Gain admin access through plugin exploitation
  • Extract credentials from WordPress database
  • Focus on intern credentials with weak password policies

2. Mantis Bug Tracker Exploit

  • Use credentials from WordPress database to access MantisBT
  • Exploit CVE-2019-15715 for remote code execution
  • Gain initial shell on the web server

3. Privilege Escalation

  • Discover internal Lansweeper 10.1.1.0 service
  • Exploit CVE-2022-29517 (Devil's Lanmine)
  • Gain SYSTEM shell on the Windows host
  • Access root.txt on Administrator's desktop
