# Request Tracker (RT)

Open-source ticketing system by Best Practical Solutions.

**Common Path:** `/rt/`

***

## Discovery

```
# Look for RT paths
/rt/
/rt/login
/rt/NoAuth/Login.html

# Version in footer
»|« RT 4.4.4+dfsg-2ubuntu1 (Debian)
```

***

## Default Credentials

| Username | Password   |
| -------- | ---------- |
| `root`   | `password` |
| `admin`  | `admin`    |

***

## Post-Authentication Enumeration

### Users

```
Admin → Users → Select
```

Look for:

* Additional usernames
* User comments (often contain temp passwords like "Initial password set to Welcome2023!")
* Email addresses

### Tickets

Browse tickets for:

* Sensitive attachments
* Passwords in ticket body
* Internal hostnames/IPs
* Application names/versions

***

## Interesting Endpoints

| Path                               | Description                                      |
| ---------------------------------- | ------------------------------------------------ |
| `/rt/Admin/Users/Modify.html?id=X` | User details (may contain passwords in comments) |
| `/rt/Ticket/Display.html?id=X`     | View ticket                                      |
| `/rt/Search/Results.html`          | Search all tickets                               |
| `/rt/Admin/`                       | Admin panel                                      |

***

## Known Vulnerabilities

### CVE-2022-25802 - XSS

Stored XSS in ticket subject/body.

### CVE-2021-38562 - Information Disclosure

Unauthenticated user enumeration via timing attack.

***

## Config Files

```
/opt/rt4/etc/RT_SiteConfig.pm
/etc/request-tracker4/RT_SiteConfig.d/
```

May contain database credentials:

```perl
Set($DatabaseType, 'mysql');
Set($DatabaseUser, 'rt_user');
Set($DatabasePassword, 'password');
```
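
For auditing your own RT hosts, the following added example (not part of the original page or of RT itself) parses `Set($Name, 'value');` directives from the config paths listed above and flags a world-readable file, a plaintext `DatabasePassword`, and a weak value, without printing the secret. The function names, `WEAK_VALUES` list and `SAMPLE` text are assumptions made for illustration.

```python
import os
import re
import stat
import sys

SET_RE = re.compile(r"""^\s*Set\(\s*\$(\w+)\s*,\s*(['"])(.*?)\2\s*\)\s*;""")
WEAK_VALUES = {"", "password", "admin"}  # assumption: extend with your own list
# Constructed sample mirroring the directives shown above.
SAMPLE = """\
Set($DatabaseType, 'mysql');
Set($DatabaseUser, 'rt_user');
# Set($DatabasePassword, 'old_value');
Set($DatabasePassword, 'password');
"""

def parse_settings(text):
    """Return {name: value} for scalar Set() lines; '#' comment lines never match."""
    settings = {}
    for line in text.splitlines():
        match = SET_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(3)
    return settings

def audit_file(path):
    """Return findings for one config file; never echoes the secret itself."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(f"{path}: world-readable (mode {mode:04o})")
    with open(path, encoding="utf-8", errors="replace") as handle:
        settings = parse_settings(handle.read())
    if "DatabasePassword" in settings:
        findings.append(f"{path}: plaintext DatabasePassword present")
        if settings["DatabasePassword"].lower() in WEAK_VALUES:
            findings.append(f"{path}: DatabasePassword is a known weak value")
    return findings

def audit_paths(paths):
    """Audit files, plus each regular file inside directories like RT_SiteConfig.d/."""
    findings = []
    for path in paths:
        is_dir = os.path.isdir(path)
        files = [os.path.join(path, n) for n in sorted(os.listdir(path))] if is_dir else [path]
        for file_path in filter(os.path.isfile, files):
            findings.extend(audit_file(file_path))
    return findings

if __name__ == "__main__":
    print("\n".join(audit_paths(sys.argv[1:])) or "no findings")
```

Pass the config file and the `RT_SiteConfig.d/` directory as arguments; the parser only handles simple quoted scalar values, so hash or list settings are skipped.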

