osTicket Attacks

🎯 Objective: Exploit osTicket support system for information disclosure and credential harvesting through ticket data access and social engineering vectors.

Overview

osTicket is an open-source PHP-based support ticketing system with MySQL backend. Often exposed externally, it can provide valuable intelligence including user credentials, email addresses, and internal system information through ticket conversations.

HTB Academy Lab Solution

Lab: Credential Extraction from Support Tickets

Question: "Find your way into the osTicket instance and submit the password sent from the Customer Support Agent to the customer Charles Smithson."

Target: support.inlanefreight.local (add to /etc/hosts)

Step 1: Setup vHost Resolution

# Add target to hosts file
echo "10.129.201.88 support.inlanefreight.local" >> /etc/hosts

Step 2: Access osTicket Interface

# Navigate to: http://support.inlanefreight.local/scp/login.php
# osTicket login page (staff control panel)

Step 3: Credential Testing

Based on discovered credentials from OSINT/data breaches:

  • Email: kevin@inlanefreight.local

  • Password: Fish1ng_s3ason!

# Login to osTicket staff panel with kevin's credentials
# URL: http://support.inlanefreight.local/scp/login.php

Step 4: Ticket Investigation

  1. Access ticket queue (may show no open tickets)

  2. Check closed tickets for sensitive information

  3. Look for Charles Smithson ticket conversation

  4. Review agent-customer communication

Step 5: Password Extraction

In the ticket conversation between:

  • Customer: Charles Smithson (VPN lockout issue)

  • Agent: Kevin Grimes (password reset)

Extracted Password: Found in agent's message to customer

Answer: [PASSWORD_FROM_TICKET] (extract from actual ticket content)

Attack Vectors

1. Information Disclosure

  • Email harvesting from address books

  • Credential exposure in ticket conversations

  • Internal system details from support communications

  • Employee names/usernames for OSINT

2. Email Address Generation

  • Create support ticket β†’ get temporary company email

  • Use for service registration (Slack, GitLab, etc.)

  • Email verification bypass via ticket system access

3. Social Engineering

  • Staff impersonation through ticket system knowledge

  • Standard password discovery (new joiner passwords)

  • Password spraying targets from user lists

Common Findings

Sensitive Data in Tickets:

  • πŸ”‘ Default/temporary passwords

  • πŸ“§ Email addresses and usernames

  • 🏒 Internal system information

  • πŸ” Password reset procedures

  • πŸ‘₯ Staff contact details

Attack Chain Example:

  1. OSINT β†’ Find leaked credentials

  2. Access osTicket β†’ Staff panel login

  3. Ticket mining β†’ Extract passwords/info

  4. Lateral movement β†’ VPN/other services

  5. Password spraying β†’ Standard passwords

Key Techniques

Credential Sources:

  • Data breach dumps (DeHashed, etc.)

  • Password reuse across services

  • Default credentials testing

Reconnaissance:

  • Subdomain enumeration for support portals

  • Staff email identification

  • Service discovery for attack vectors

πŸ’‘ Pro Tip: Support systems often contain the most sensitive internal communications - always check closed tickets for credential leakage and password reset conversations.

PreviousLDAP Injection AttacksNextPRTG Attacks

Last updated