# osTicket

## Overview

* Open-source support ticketing system
* Written in PHP with MySQL backend
* Often exposes company email domains

***

## Discovery

* Cookie: `OSTSESSID`
* Footer: "powered by osTicket"
* Default path: `/support/`

***

## Email Domain Exposure

### Attack Flow

1. Create support ticket on osTicket portal
2. osTicket assigns temporary email: `940288@company.local`
3. Use this email to register on other services (Slack, GitLab, etc.)
4. Verification emails appear in osTicket ticket thread

### Exploitation

1. Submit new ticket
2. Note assigned email (e.g., `940288@inlanefreight.local`)
3. Use email to register on:
   * Slack workspace
   * GitLab instance
   * Mattermost
   * Internal wikis
4. Check ticket for verification email
5. Complete registration on target service

***

## CVE-2020-24881 (SSRF)

**Affects:** osTicket 1.14.1

SSRF vulnerability to access internal resources:

```bash
# May allow internal port scanning
# May expose internal services
```

***

## Credential Reuse

If you obtain leaked credentials (via Dehashed, breaches):

1. Try credentials on osTicket admin panel
2. Admin panel typically at `/scp/`
3. Look for API keys, integrations, email configs

***

## Important Paths

| Path           | Description                 |
| -------------- | --------------------------- |
| `/scp/`        | Staff Control Panel (admin) |
| `/api/`        | API endpoint                |
| `/kb/`         | Knowledge base              |
| `/tickets.php` | Ticket submission           |

***

## Post-Access

If admin access obtained:

* Check `Admin Panel → Emails` for SMTP credentials
* Check `Admin Panel → API Keys` for API tokens
* Review `Admin Panel → Plugins` for integrations


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://book.ice-wzl.xyz/things-i-have-pwnd-before/osticket.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.