# Intro

- [osTicket](https://osticket.com/) is an open-source support ticketing system
- Works similarly to Jira, OTRS, Request Tracker, and Spiceworks
- osTicket can integrate user inquiries from email, phone, and web-based forms into a single web interface
- osTicket is written in PHP and uses a MySQL backend

# Footprinting/Discovery & Enum

- The landing page has clear branding, and `burp` will show an associated `OSTSESSID` cookie upon visiting the page
![[images/Pasted image 20260124205044.png]]
- Most osTicket installs show the osTicket logo with the phrase `powered by` in front of it in the page's footer
![[images/Pasted image 20260124205053.png]]
- The footer may also contain the words `Support Ticket System`
- `nmap` will show info about the web server, such as Apache or IIS, but will not help us footprint the app itself
- osTicket is a web application that is actively maintained and serviced
- Looking at the [CVEs](https://www.cvedetails.com/vendor/2292/Osticket.html) found over the decades, we will not find many published vulnerabilities and exploits for osTicket

# Attacking osTicket

- A search for osTicket on exploit-db shows various issues, including remote file inclusion, SQL injection, arbitrary file upload, XSS, etc.
- osTicket version 1.14.1 suffers from [CVE-2020-24881](https://nvd.nist.gov/vuln/detail/CVE-2020-24881), an SSRF vulnerability
- If exploited, this type of flaw may be leveraged to gain access to internal resources or perform internal port scanning
- Aside from web app vulns, support portals can sometimes be used to obtain an email address on a company domain, which can then be used to sign up for other exposed apps that require an email verification to be sent
- Upon submitting a test ticket, we see the below email address
![[images/Pasted image 20260124205358.png]]
- With the above in mind, if we can find an external portal such as a wiki, a chat service (Slack, Mattermost, Rocket.chat), or a Git repository such as GitLab or Bitbucket, we may be able to use this email to register an account and the help desk support portal to receive the sign-up confirmation email

# Sensitive Data Exposure

- Let's assume that we discover several user credentials using the tool [Dehashed](http://dehashed.com/) during OSINT and information gathering

```bash
sudo python3 dehashed.py -q inlanefreight.local -p

id : 5996447501
email : [email protected]
username : jclayton
password : JulieC8765!
hashed_password :
name : Julie Clayton
vin :
address :
phone :
database_name : ModBSolutions

id : 7344467234
email : [email protected]
username : kgrimes
password : Fish1ng_s3ason!
hashed_password :
name : Kevin Grimes
vin :
address :
phone :
database_name : MyFitnessPal

<SNIP>
```

- We have also performed subdomain enumeration and come across several interesting ones

```bash
cat ilfreight_subdomains

vpn.inlanefreight.local
support.inlanefreight.local
ns1.inlanefreight.local
mail.inlanefreight.local
apps.inlanefreight.local
ftp.inlanefreight.local
dev.inlanefreight.local
ir.inlanefreight.local
auth.inlanefreight.local
careers.inlanefreight.local
portal-stage.inlanefreight.local
dns1.inlanefreight.local
dns2.inlanefreight.local
meet.inlanefreight.local
portal-test.inlanefreight.local
home.inlanefreight.local
legacy.inlanefreight.local
```

- Upon browsing to the URL, `support.inlanefreight.local` is hosting an osTicket instance
![[images/Pasted image 20260124205728.png]]
- Try the above creds: Kevin appears to be a support agent
![[images/Pasted image 20260124205812.png]]
- From here, we could try this password against the exposed VPN portal at `vpn.inlanefreight.local`

# Exercise

- `ping` test
![[images/Pasted image 20260124210056.png]]
- `nmap` scans
![[images/Pasted image 20260124210149.png]]
![[images/Pasted image 20260124210344.png]]
- edit `/etc/hosts`
![[images/Pasted image 20260124210138.png]]
- visit page
![[images/Pasted image 20260124210246.png]]
- submit test ticket
![[images/Pasted image 20260124210317.png]]
- an email address has been generated for our ticket
![[images/Pasted image 20260124210427.png]]
- try to log in as `jclayton:JulieC8765!` - access denied
![[images/Pasted image 20260124210557.png]]
- try to log in as `kgrimes:Fish1ng_s3ason!` - access denied
![[images/Pasted image 20260124210830.png]]
- try to log in as `[email protected]:Fish1ng_s3ason!` - failures
- NOTE: there is a separate hyperlink to a login page for agents
![[images/Pasted image 20260124211332.png]]
- try `[email protected]:Fish1ng_s3ason!` again at the agents portal
![[images/Pasted image 20260124211406.png]]
- now we are into the `osTicket` web app
![[images/Pasted image 20260124211555.png]]
- view the ticket associated with Charles Smithson
![[images/Pasted image 20260124211653.png]]
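As an added example (my own code, not from these notes or the osTicket project), the script below checks a raw HTTP response for the footprinting indicators from the Footprinting section above (`OSTSESSID` cookie, `powered by` osTicket footer, `Support Ticket System` text), which is handy for inventorying which hosts in your own estate run osTicket. Both responses are constructed samples, not captures from any real host.

```python
import re

# Constructed sample response that mimics an osTicket landing page:
# OSTSESSID session cookie in the headers, branded footer in the body.
OSTICKET_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Set-Cookie: OSTSESSID=0123456789abcdef; path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body><div id='footer'>Copyright &copy; Inlanefreight "
    "Support Ticket System. <a href='https://osticket.com/'>powered by "
    "<img src='/images/osticket-logo.png' alt='osTicket'></a></div></body></html>"
)

# Constructed response from a generic PHP site with none of the indicators.
OTHER_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nSet-Cookie: PHPSESSID=abc; path=/\r\n\r\n"
    "<html><body><p>Welcome to our portal.</p></body></html>"
)


def fingerprint_osticket(raw):
    """Return which osTicket indicators are present in a raw HTTP/1.1 response."""
    head, _, body = raw.partition("\r\n\r\n")
    result = {"ostsessid_cookie": False, "powered_by_osticket": False,
              "support_ticket_system": False, "server": None}
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            # The cookie name is everything before the first '='
            if value.split("=", 1)[0].strip() == "OSTSESSID":
                result["ostsessid_cookie"] = True
        elif name == "server":
            # Identifies only the web server (Apache/IIS/nginx), not the app on top
            result["server"] = value
    # Strip markup and normalise whitespace so footer phrases match reliably
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", body)).lower()
    result["powered_by_osticket"] = "powered by" in text and "osticket" in body.lower()
    result["support_ticket_system"] = "support ticket system" in text
    result["likely_osticket"] = result["ostsessid_cookie"] or result["powered_by_osticket"]
    return result


if __name__ == "__main__":
    for label, resp in (("osTicket", OSTICKET_RESPONSE), ("other", OTHER_RESPONSE)):
        print(label, fingerprint_osticket(resp))
```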