80, 8065
80
delivery.htb
helpdesk.delivery.htb
If I create an account with a specific email first, and then use that email to check ticket status, I get an error saying account validation required.
If I use an email I haven't used before as a guest, then I can open it using 'Check Ticket Status'. And it gets us logged in!
/tickets.php
With that information, I created a new ticket with email [email protected]. And got the email address: [email protected] and ticket number: 8260103
The email has the ticket number. Thats a bad misconfiguration.
This is a logic flaw in osTicket’s email handling that allows an email verification bypass. osTicket assigns a unique ticket-specific email (e.g., [email protected]) that automatically appends any incoming emails to the ticket thread. If the system does not restrict users from registering with these internal ticket emails, an attacker can submit a guest ticket, obtain its ticket email, and use it to register an account. Since the verification email is sent to this address and gets logged in the ticket thread, the attacker can retrieve the verification code without access to a real inbox, bypassing email verification entirely. This misconfiguration allows unauthorized account creation, which could lead to privilege escalation or further exploitation.
8065
Registering here requires an @delivery.htb email address which we have access to now. And, it will also require email verification which is not a problem now as we have access to the code from the support ticket thread.
And voila!
It says credentials to the server itself so I tried SSHing and it worked!. I can also see there is an internal password re-use issue which are variants of PleaseSubscribe! might wanna create a custom word list using a password generator.
Last updated