The OSTicket web application will provide an email account in its domain when a support ticket is raised. We can use this email address to log into Mattermost. In Mattermost, we find an exposed credentials, which can be used to SSH into the server. In the server, we can use credential hunting to get the password of root in the database or brute force with sucrack.
Using the provided credentials, we can log in via WinRM. Then, we collect information for Bloodhound. With this information, we change the password of Micheal user, then the password of benjamin. Benjamin is able to access the FTP service and retrieve a psafe3 file. After cracking the hash, we retrieve the credentials of Emily. Emily is able to perform targeted kerberoasting on Ethan. As Ethan, we can perform DCSync and retrieve the Administrator hash. Finally, we pop a SYSTEM shell via psexec.
In this box, we take advantage of exposed GPP. With the creds, perform kerberoasting. We are able to crack the TGS we kerberoasted, which is an administrator account. Using ps-exec, we can get a SYSTEM shell.
This blog post contains writeups for PHP-Redis (SSRF) and AJAX Amsterdam (Broken Access Control)
A writeup about how XSS can lead to RCE and how desktop apps can be vulnerable to XSS too
