Open-source support ticketing system, comparable to Jira or OTRS.
Integrates user inquiries from email, phone and web forms into a single web interface.
PHP and MySQL; can be installed on Windows or Linux.
as seen in mr robot - https://forum.osticket.com/d/86225-osticket-on-usas-mr-robot-s01e08
Enum
From EyeWitness results, two fingerprints:
- the site sets an OSTSESSID cookie when the page is visited.
- most osTicket installs show the osTicket logo with the phrase "Powered by" in front of it in the page footer. The footer may also contain the words "Support Ticket System".
An nmap scan only shows the web server (IIS, Apache); not useful for identifying osTicket itself.
osTicket is well maintained, so it has few CVEs - https://www.cvedetails.com/vendor/2292/Osticket.html
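Added example (not from the notes or the osTicket project): a small fingerprint check that applies the two indicators above to a raw HTTP response, and shows why the Server banner alone does not help. The two responses below are constructed samples, not real captures; the footer markup is modelled on what an osTicket page looks like but is an assumption to verify against a live target.

```python
"""Fingerprint osTicket from a raw HTTP response (added example, constructed data)."""
import re

# Constructed sample: an osTicket-like response behind Apache.
SAMPLE_OSTICKET = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"Set-Cookie: OSTSESSID=3f9a1c2b7d; path=/; HttpOnly\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><head><title>Inlanefreight Support :: Support Ticket System</title></head>"
    b"<body><h1>Support Center</h1>"
    b"<div id=\"footer\"><p>Copyright &copy; 2024 Inlanefreight</p>"
    b"<a id=\"poweredBy\" href=\"https://osticket.com\">Powered by "
    b"<img src=\"images/poweredby.png\" alt=\"osTicket\"></a></div></body></html>"
)

# Constructed sample: a generic PHP site on the same web server.
SAMPLE_OTHER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"Set-Cookie: PHPSESSID=9c8d7e6f; path=/\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><head><title>Inlanefreight Intranet</title></head>"
    b"<body><p>Welcome</p><div id=\"footer\">Powered by WordPress</div></body></html>"
)


def parse_response(raw: bytes):
    """Split a raw response into (status line, [(header, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body.decode("utf-8", "replace")


def server_banner(raw: bytes) -> str:
    """What nmap/banner grabbing would see: only the web server product."""
    _, headers, _ = parse_response(raw)
    return next((v for n, v in headers if n == "server"), "")


def osticket_indicators(raw: bytes) -> dict:
    """Evaluate each osTicket fingerprint from the notes independently."""
    _, headers, body = parse_response(raw)
    cookie_names = [v.split("=", 1)[0].strip() for n, v in headers if n == "set-cookie"]
    # "Powered by" followed shortly by "osTicket" (logo alt text or link text).
    powered_by = re.search(r"powered\s+by.{0,200}?osticket", body, re.I | re.S)
    support = re.search(r"support\s+ticket\s+system", body, re.I)
    return {
        "ostsessid_cookie": "OSTSESSID" in cookie_names,
        "powered_by_osticket": powered_by is not None,
        "support_ticket_system": support is not None,
    }


def is_osticket(raw: bytes) -> bool:
    """Cookie or footer logo is decisive; the title phrase alone is only a hint."""
    ind = osticket_indicators(raw)
    return ind["ostsessid_cookie"] or ind["powered_by_osticket"]


if __name__ == "__main__":
    for label, sample in (("osticket", SAMPLE_OSTICKET), ("other", SAMPLE_OTHER)):
        print(label, server_banner(sample), osticket_indicators(sample), is_osticket(sample))
```

Both samples carry the identical Apache banner, so only the cookie name and the footer distinguish them; feed real responses from EyeWitness or curl into `is_osticket` the same way.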
Any Application can be broken down into:
|1. User input|2. Processing|3. Solution|
Attacking osTicket
https://nvd.nist.gov/vuln/detail/CVE-2020-24881 - SSRF that could let an attacker reach internal resources or perform internal port scanning.
Aside from web application-related vulnerabilities, support portals can sometimes be used to obtain an email address for a company domain, which can be used to sign up for other exposed applications requiring an email verification to be sent.
Suppose we find an exposed service such as a company's Slack server or GitLab, which requires a valid company email address to join. Many companies have a support email such as support@inlanefreight.local, and emails sent to this are available in online support portals that may range from Zendesk to an internal custom tool. Furthermore, a support portal may assign a temporary internal email address to a new ticket so users can quickly check its status.
osTicket - Sensitive Data Exposure
Use dehashed.py (queries DeHashed, a breach-data search service) - http://dehashed.com/
e.g. start with inlanefreight.local
dehashed.py -d inlanefreight.local
The dump shows cleartext passwords for two users: jclayton and kgrimes.
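Added example (not from the notes, dehashed.py or DeHashed) of turning a breach dump into something to try against the osTicket login. The entries below are constructed in the key layout DeHashed results use (email, username, password, hashed_password) with made-up values; it separates cleartext hits from hash-only rows, drops rows for other domains, and de-duplicates.

```python
"""Build login candidates from a DeHashed-style dump (added example, constructed data)."""

# Constructed sample rows; the layout mirrors DeHashed results, the values are invented.
ENTRIES = [
    {"email": "jclayton@inlanefreight.local", "username": "jclayton",
     "password": "Summer2020!", "hashed_password": ""},
    {"email": "KGrimes@InlaneFreight.local", "username": "",
     "password": "Winter2020!", "hashed_password": ""},
    {"email": "jclayton@inlanefreight.local", "username": "jclayton",   # duplicate row
     "password": "Summer2020!", "hashed_password": ""},
    {"email": "rsmith@inlanefreight.local", "username": "rsmith",       # hash only
     "password": "", "hashed_password": "5f4dcc3b5aa765d61d8327deb882cf99"},
    {"email": "jclayton@othercorp.local", "username": "jclayton",       # wrong domain
     "password": "NotOurs1", "hashed_password": ""},
]


def in_domain(entry: dict, domain: str) -> bool:
    """Match on the email's domain, case-insensitively; dumps mix case freely."""
    return entry.get("email", "").lower().endswith("@" + domain.lower())


def username_for(entry: dict) -> str:
    """Prefer the dump's username; fall back to the email local part."""
    if entry.get("username"):
        return entry["username"].lower()
    return entry["email"].split("@", 1)[0].lower()


def harvest(entries: list, domain: str):
    """Return (cleartext [(user, password)], hash_only [(user, hash)]) for the domain."""
    cleartext, hash_only = {}, {}   # dicts keep insertion order and de-duplicate
    for e in entries:
        if not in_domain(e, domain):
            continue
        user = username_for(e)
        if e.get("password"):
            cleartext.setdefault((user, e["password"]), None)
        elif e.get("hashed_password"):
            hash_only.setdefault((user, e["hashed_password"]), None)
    return list(cleartext), list(hash_only)


def spray_lines(entries: list, domain: str) -> list:
    """user:pass lines for the credentials we can try directly."""
    creds, _ = harvest(entries, domain)
    return [f"{u}:{p}" for u, p in creds]


def usernames(entries: list, domain: str) -> list:
    """Every known user, including hash-only ones, for later password-reuse checks."""
    creds, hashes = harvest(entries, domain)
    seen = {}
    for u, _ in creds + hashes:
        seen.setdefault(u, None)
    return list(seen)


if __name__ == "__main__":
    print("\n".join(spray_lines(ENTRIES, "inlanefreight.local")))
    print(usernames(ENTRIES, "inlanefreight.local"))
```

The hash-only users go into the username list on purpose: a password recovered later from a ticket is worth trying against every known account, not only the ones with a cleartext hit.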
Run subdomain enumeration to find subdomains.
Most of them lead nowhere.
support.inlanefreight.local is running osTicket.
Run gobuster to find directories.
We see /scp/login.php (the staff control panel login).
Try the username/password pairs found above.
Browse the portal and find another ticket about a VPN issue.
It contains a password; try it against the exposed VPN portal, since the user may not have changed it.