🎯 Objective: Exploit osTicket support system for information disclosure and credential harvesting through ticket data access and social engineering vectors.
osTicket is an open-source PHP-based support ticketing system with MySQL backend. Often exposed externally, it can provide valuable intelligence including user credentials, email addresses, and internal system information through ticket conversations.
Question: "Find your way into the osTicket instance and submit the password sent from the Customer Support Agent to the customer Charles Smithson."
Target: support.inlanefreight.local (add to /etc/hosts)
# Add target to hosts file
echo "10.129.201.88 support.inlanefreight.local" >> /etc/hosts

# Navigate to: http://support.inlanefreight.local/scp/login.php
# osTicket login page (staff control panel)

Based on discovered credentials from OSINT/data breaches:
- Email: kevin@inlanefreight.local
- Password: Fish1ng_s3ason!

# Login to osTicket staff panel with kevin's credentials
# URL: http://support.inlanefreight.local/scp/login.php

- Access ticket queue (may show no open tickets)
- Check closed tickets for sensitive information
- Look for Charles Smithson ticket conversation
- Review agent-customer communication
In the ticket conversation between:
- Customer: Charles Smithson (VPN lockout issue)
- Agent: Kevin Grimes (password reset)
Extracted Password: Found in agent's message to customer
Answer: [PASSWORD_FROM_TICKET] (extract from actual ticket content)
- Email harvesting from address books
- Credential exposure in ticket conversations
- Internal system details from support communications
- Employee names/usernames for OSINT
- Create support ticket → get temporary company email
- Use for service registration (Slack, GitLab, etc.)
- Email verification bypass via ticket system access
- Staff impersonation through ticket system knowledge
- Standard password discovery (new joiner passwords)
- Password spraying targets from user lists
Sensitive Data in Tickets:
- 🔑 Default/temporary passwords
- 📧 Email addresses and usernames
- 🏢 Internal system information
- 🔐 Password reset procedures
- 👥 Staff contact details
Attack Chain Example:
- OSINT → Find leaked credentials
- Access osTicket → Staff panel login
- Ticket mining → Extract passwords/info
- Lateral movement → VPN/other services
- Password spraying → Standard passwords
Credential Sources:
- Data breach dumps (DeHashed, etc.)
- Password reuse across services
- Default credentials testing
Reconnaissance:
- Subdomain enumeration for support portals
- Staff email identification
- Service discovery for attack vectors
💡 Pro Tip: Support systems often contain the most sensitive internal communications - always check closed tickets for credential leakage and password reset conversations.
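Defender's view of the same leak, as an added example (not part of the original notes and not osTicket code): a helpdesk owner can scan exported ticket threads, closed tickets included, for replies that hand out a password, and redact them. The export format, field names and sample messages are assumptions constructed for this example.

```python
import re

# Constructed sample data: a hypothetical export of ticket thread entries.
# Field names are assumptions for this example, not osTicket's schema.
SAMPLE_THREAD = [
    {"ticket": "100001", "status": "closed", "poster": "agent",
     "body": "Hi, your VPN account is unlocked. Your new password is "
             "Examp1e-Temp#42. Please change it."},
    {"ticket": "100001", "status": "closed", "poster": "customer",
     "body": "Thanks, I was locked out of the VPN after the password reset."},
    {"ticket": "100003", "status": "closed", "poster": "agent",
     "body": "Temp pwd: Welcome2Corp! (valid for 24h)"},
]

# A password keyword, optional linking words, then the candidate token.
CUE = re.compile(
    r"\b(?:password|passwd|pwd)\b(?:\s+(?:is|has been (?:re)?set to|changed to))?"
    r"\s*[:=]?\s*(?P<secret>\S{6,})", re.IGNORECASE)

def looks_like_secret(token):
    """Heuristic: 8+ chars drawn from at least 3 character classes."""
    classes = (any(c.islower() for c in token), any(c.isupper() for c in token),
               any(c.isdigit() for c in token), any(not c.isalnum() for c in token))
    return len(token) >= 8 and sum(classes) >= 3

def find_secrets(body):
    """Return (start, end) spans of secret-looking tokens after a password cue."""
    spans = []
    for m in CUE.finditer(body):
        token = m.group("secret").rstrip(".,;:\"')")  # drop sentence punctuation
        if looks_like_secret(token):
            spans.append((m.start("secret"), m.start("secret") + len(token)))
    return spans

def redact(body):
    """Replace each detected secret with a marker, back to front so offsets hold."""
    for start, end in reversed(find_secrets(body)):
        body = body[:start] + "[REDACTED]" + body[end:]
    return body

def audit(entries):
    """List entries that disclose a secret; ticket status is reported, not filtered."""
    return [{"ticket": e["ticket"], "status": e["status"], "poster": e["poster"],
             "excerpt": redact(e["body"])}
            for e in entries if find_secrets(e["body"])]

if __name__ == "__main__":
    print(*audit(SAMPLE_THREAD), sep="\n")
```

The character-class heuristic is deliberately simple; it skips phrases such as "password reset" or "password policy" but will miss weak all-lowercase passwords, so treat hits as a review queue rather than a complete inventory.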