IIT, a place where millions of dreams are broken and thousands are fulfilled. A tag that is eternal and prestigious. Well, let’s just say IITs are no joke in any field. Renowned people have carried this prestigious tag with pride. Even when it comes to security, IIT is not a laughing stock. SKIP TO CHAP 3 for technicals.

CHAPTER 1: Jack of all trades, Master of none! (MINDSET)

Jack of all trades and master of none: a famous quote you have definitely heard whenever you want to pursue anything other than being a DOCTOR/ENGINEER or RABINDRANATH TAGORE (if Bengali). The full quote is actually: Jack of all trades, master of none, but often better than master of one! What is the moral, you may ask? Sometimes widening your scope rather than looking for a known bug everywhere is wise.

CHAPTER 2: Aim above to hit the mark!

Steady eyes and determination are a loaded cannon!

So choosing a secure target, or going against the wave, is difficult, and one definitely needs a strong mindset to achieve it. Here one has to be confident in one’s skills and practice, because without this comes demotivation. So, choosing IIT, I dug deep: every URL and every parameter has to be tested, but I neither had the patience of a hunter nor will I. So I shortlisted 3 bugs: the first was parameter tampering, the second was Broken Authentication and the third was sensitive file disclosure. After hours of grinding with Burp Suite, I gave up; it was hella secure and I couldn’t find anything. Then I had a cup of chai and decided to shortlist things and test them in detail.

Well said!

CHAPTER 3: Devil is in the details:

So I tamper around and I find this parameter:

I spent so much time fuzzing this but failed every time; after a bit of luck I strike this parameter:

getbrochure.htm

Now, this seems interesting: it requires a parameter called course_code, which I enter via the ? syntax.

At this point I have discovered 5 vulnerabilities, but let's just focus on one today. The ?course_code is added; let's see:

After a bit of digging around, I find nothing, but another cup of tea helped and I sparked an idea: let’s brute force or sniper the number:

Here’s the logic: there has to be a number. Now, from intuition, the number would be either 4 or 6 digits; this comes from practice and cannot be explained. If you are a true hunter, you would have figured it out; else let me help you: Sniper in Intruder ;)

REQUEST

INTRUDER ATTACK:

Setting positions

Now by logic, the number has to be 4 or 6 digits, so let’s start with 4. Choosing the Numbers payload type, I set the min fraction digits to 0 and the max fraction digits to 0 as well, min/max integer digits to 4, and set the payload range from 999 to 10000. Now the interesting part: fire it off and I see gold. The non-existent course codes all return a response of length 295, so when I sort by length, I can simply use the remaining numbers to see the juicy IIT files.
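The flip side of the enumeration above is what it looks like in the server logs: one client walking a contiguous range of course_code values, with most replies sharing the identical small "no such course" body size. The following detector is an added example written for this post, not code from the original or from the target; it assumes combined-format access logs, the path /getbrochure.htm from the post, and thresholds (20 distinct codes in 5 minutes, 80% identical-size replies) chosen here as illustrative assumptions, and runs over constructed log lines.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit
# Combined log format: client identd user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, time, course_code, size) for a getbrochure.htm hit, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, target, _status, size = m.groups()
    url = urlsplit(target)
    code = parse_qs(url.query).get("course_code", [""])[0]
    if url.path != "/getbrochure.htm" or not code.isdigit():
        return None  # only the numeric-keyed brochure endpoint is of interest
    return ip, datetime.strptime(ts, TIME_FMT), code, (0 if size == "-" else int(size))

def find_enumerators(lines, window=timedelta(minutes=5), min_codes=20, miss_ratio=0.8):
    """Flag clients hitting many distinct codes in one window, mostly with one identical 'miss' size."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append(rec[1:])
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):  # sliding window over request time
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            best = max(best, len({c for _, c, _ in events[lo:hi + 1]}))
        size, n = Counter(s for _, _, s in events).most_common(1)[0]
        if best >= min_codes and n / len(events) >= miss_ratio:
            flagged[ip] = {"distinct_codes": best, "miss_size": size,
                           "miss_share": round(n / len(events), 2)}
    return flagged

def _line(ip, sec, code, size):  # helper to build constructed log lines
    return (f'{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] '
            f'"GET /getbrochure.htm?course_code={code} HTTP/1.1" 200 {size}')

# Constructed sample, not real traffic: 203.0.113.5 walks codes 1000-1029 in
# 30 seconds (25 misses of 295 bytes, 5 real brochures); 198.51.100.7 fetches two.
SAMPLE_LOG = [_line("203.0.113.5", i, 1000 + i, 20480 if i % 7 == 0 else 295) for i in range(30)]
SAMPLE_LOG += [_line("198.51.100.7", 5, 1021, 20480), _line("198.51.100.7", 40, 1035, 18112)]
```

Running find_enumerators(SAMPLE_LOG) flags only 203.0.113.5; the real fix on the server side is to stop keying brochures by a guessable sequential number (or to authorise each request), with this alert as a backstop.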

CHAPTER 4: Streisand effect:

Now you may ask, what does this accomplish? I see sensitive files, that’s all. Well, yeah! Don’t trust me?

I mailed them, and this was indeed a great journey. Well, in the end I would just like to say: No one has achieved greatness by playing it safe!

Key takeaways: Every system is different, built with its own set of functionality, features and, nonetheless, weaknesses ;)

Want to realize the hard things in life?

A security researcher, OSCP aspirant, reads tons of books, critiques and debates literature and books!