
# Request Tracker (RT)

Open-source ticketing system by Best Practical Solutions.

Common path: `/rt/`


## Discovery

```text
# Look for RT paths
/rt/
/rt/login
/rt/NoAuth/Login.html
```

Version string in the page footer:

```text
»|« RT 4.4.4+dfsg-2ubuntu1 (Debian)
```

## Default Credentials

| Username | Password |
|----------|----------|
| root     | password |
| admin    | admin    |

## Post-Authentication Enumeration

### Users

Admin → Users → Select

Look for:

- Additional usernames
- User comments (often contain temp passwords like "Initial password set to Welcome2023!")
- Email addresses

### Tickets

Browse tickets for:

- Sensitive attachments
- Passwords in ticket body
- Internal hostnames/IPs
- Application names/versions

## Interesting Endpoints

| Path | Description |
|------|-------------|
| `/rt/Admin/Users/Modify.html?id=X` | User details (may contain passwords in comments) |
| `/rt/Ticket/Display.html?id=X` | View ticket |
| `/rt/Search/Results.html` | Search all tickets |
| `/rt/Admin/` | Admin panel |

## Known Vulnerabilities

### CVE-2022-25802 - XSS

Stored XSS in ticket subject/body.

### CVE-2021-38562 - Information Disclosure

Unauthenticated user enumeration via timing attack.


## Config Files

```text
/opt/rt4/etc/RT_SiteConfig.pm
/etc/request-tracker4/RT_SiteConfig.d/
```

May contain database credentials:

```perl
Set($DatabaseType, 'mysql');
Set($DatabaseUser, 'rt_user');
Set($DatabasePassword, 'password');
```
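As an added example (not part of these notes and not RT's own code), the Python script below audits the two exposure points described above from the defender's side: it parses `Set($Key, 'value')` lines out of an `RT_SiteConfig.pm`, flags a default or weak `DatabasePassword` and over-permissive file modes on the config, and scans exported ticket or user-comment text for credential disclosures of the "Initial password set to ..." kind quoted under Users. The sample config fragment, the weak-password list and the leak regex are constructed assumptions for the demo, not values from a real deployment.

```python
import re
import stat
from pathlib import Path
from typing import Dict, List

# Constructed RT_SiteConfig.pm fragment for the demo; not taken from a real deployment.
SAMPLE_SITECONFIG = """\
Set($rtname, 'rt.example.test');
Set($DatabaseType, 'mysql');
Set($DatabaseUser, 'rt_user');
Set($DatabasePassword, 'password');
"""

# Matches scalar assignments of the form Set($Key, 'value');  (single or double quotes)
SET_RE = re.compile(r"^\s*Set\(\s*\$(\w+)\s*,\s*(['\"])(.*?)\2\s*\)\s*;", re.M)

# Constructed list of values that should never be a production database password.
WEAK_DB_PASSWORDS = {"", "password", "rt", "rt_pass", "changeme"}

# Heuristic (assumption) for credential disclosures in free text such as user comments.
LEAK_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\b[^\n]{0,40}?(?:\bset to\b|\bis\b|:)\s*\S+")


def parse_site_config(text: str) -> Dict[str, str]:
    """Return the scalar Set($Key, 'value') assignments found in the config text."""
    return {m.group(1): m.group(3) for m in SET_RE.finditer(text)}


def audit_site_config(text: str) -> List[str]:
    """Flag weak or missing database credentials in an RT_SiteConfig.pm body."""
    cfg = parse_site_config(text)
    findings: List[str] = []
    pw = cfg.get("DatabasePassword")
    if pw is None:
        findings.append("DatabasePassword not set here (check RT_SiteConfig.d/ includes)")
    elif pw.lower() in WEAK_DB_PASSWORDS:
        findings.append(f"DatabasePassword is a default/weak value: {pw!r}")
    if cfg.get("DatabaseUser", "").lower() == "root":
        findings.append("RT connects to the database as root")
    return findings


def permission_findings(mode: int, path: str) -> List[str]:
    """Report world-readable/writable or group-writable modes on a file holding DB credentials."""
    findings: List[str] = []
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"{path} is world-accessible (mode {mode:04o})")
    if mode & stat.S_IWGRP:
        findings.append(f"{path} is group-writable (mode {mode:04o})")
    return findings


def audit_config_file(path: Path) -> List[str]:
    """Run the permission and content checks against a config file on disk."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return permission_findings(mode, str(path)) + audit_site_config(path.read_text())


def find_credential_leaks(text: str) -> List[str]:
    """Return snippets in ticket bodies or user comments that look like shared passwords."""
    return [m.group(0) for m in LEAK_RE.finditer(text)]


if __name__ == "__main__":
    for f in audit_site_config(SAMPLE_SITECONFIG):
        print("CONFIG:", f)
    # Constructed user comment mirroring the pattern described in the notes.
    for f in find_credential_leaks("Initial password set to Welcome2023! - remind user to rotate"):
        print("LEAK:", f)
```

Point `audit_config_file` at the real `RT_SiteConfig.pm` (and each file under `RT_SiteConfig.d/`) from a periodic job, and feed `find_credential_leaks` the output of a ticket or user-comment export; both return plain lists so they drop into whatever alerting you already have.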