My blackhat stories - How I hacked my school and got a CVE for it.
Sorry it took a while for this one; I was having trouble deciding whether I should post it or not, but it is nonetheless an amazing story. So here’s the deal: during the pandemic I did not attend school at all. Now, old me thought it was a good idea because I hate waking up early for classes. Working a job, handling projects, bug bounty, and everything is tiring, so I skipped the classes.
I get my midterm result. All good, but the attendance is way lower than 75%, which is mandatory for passing a class in school, and yes, it's taken very seriously. Now my heart is pounding because I'm definitely going to fail. The teacher also warns me regarding my low attendance, but I'm sure they will make an exception for the pandemic, right? Wrong, they will not.
Well then, desperate times call for desperate measures. I calculated, and even if I attend all the classes, which I'll definitely not, I still would not get 75%, so I get to work. My school has an ERP solution. For those who are unaware, ERP solutions are software basically used to track things like payments, notices and, best part, ATTENDANCE. So I have to somehow hack it, right?
I see there are no separate portals for payment of fees and student tracking, so basically, the school gives 2 IDs, one for parents and another for the student. The student ID starts with “S” and the parents' starts with “P”. Example: ID = 12353, then the student will log in to track progress via s12353 and the parents to pay fees and stuff via p12353. Interesting!! The passwords I cannot disclose, but they are a predictable default combination of the ID.
There is no rate limit. Now, due to the ID being predictable, we can run Intruder to get into other students' accounts. HEHE, though this one will not help with our attendance, it's still an account takeover. NGL, I had a bit of fun sending random texts to their parents.
BACK TO THE POINT:
Now our objective is to change our attendance, so if there is a parent's login and a student's login then there has to be a teacher's login too. I tried several combinations of T along with Intruder but none of them worked :(
After several attempts I found that f followed by the code works. Now, for those of you who are unable to grasp the logic, the code or ID will be from 9999–100000, and due to no rate limits I found all the teachers. I then had to seek through the response to see my teacher's name, which I found.
Then there was a beautiful screen to manually enter attendance for the day along with graphs.
There were other options but none of the teachers would upload papers :(
I will not confirm or deny if I changed the attendance but will show you a picture for you to be the judge.
Did I get caught?
Nope! We have a lot of students and the teacher did not notice, since mark sheets are generated and a PDF was sent during the pandemic, so yaay I guess. Again, to reiterate, you should not do this and I don’t condone these activities. That being said, I think attendance is a bit useless; not all people learn the same way. For instance, I got great grades but had a low attendance, so yeah.
Putting on the white hat:
Late at night I felt bad, so at the beginning of this year I reported this vulnerability. Everything was done, but at the end of the day I am an ethical hacker, so I reported this vulnerability and CVE-2022-30076 was assigned to me. It's been months and still the vendor has not fixed it, because who knows why, so bad luck. I can still find 100s of ERPs in Shodan with the same issue, but yeah, my work as an ethical hacker ends here.
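For anyone operating an ERP with the weaknesses described above (predictable s/p/f-prefixed IDs, ID-derived default passwords, no rate limit), here is an added example, not code from this post or from the vendor: a sliding-window check over login logs that flags a source touching many distinct account IDs. The log line format, the window and the threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window
MAX_DISTINCT_IDS = 5           # assumed: a household uses 2 IDs (s + p)


def sample_log():
    """Constructed sample lines: '<iso timestamp> <source ip> <login id> <OK|FAIL>'."""
    base = datetime(2022, 1, 10, 9, 0, 0)
    # One source walking sequential student IDs, one second apart.
    lines = [
        f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.7 "
        f"s{12353 + i} {'OK' if i % 3 == 0 else 'FAIL'}"
        for i in range(8)
    ]
    # A normal household: student and parent login from the same address.
    lines.append(f"{base.isoformat()} 198.51.100.20 s12353 OK")
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} 198.51.100.20 p12353 OK")
    return lines


def find_enumeration(lines, window=WINDOW, max_ids=MAX_DISTINCT_IDS):
    """Return {source_ip: sorted login IDs} for sources that tried more than
    max_ids distinct accounts inside one window.

    Successful logins count too: with predictable default passwords an
    enumeration run produces successes, so a failure-only counter misses it.
    """
    recent = defaultdict(deque)  # source ip -> (timestamp, login id) in window
    flagged = defaultdict(set)
    for line in sorted(ln for ln in lines if ln.strip()):  # ISO timestamps sort by time
        ts_text, ip, login, _result = line.split()
        ts = datetime.fromisoformat(ts_text)
        attempts = recent[ip]
        attempts.append((ts, login.lower()))
        while ts - attempts[0][0] > window:  # drop attempts older than the window
            attempts.popleft()
        distinct = {login_id for _, login_id in attempts}
        if len(distinct) > max_ids:
            flagged[ip] |= distinct
    return {ip: sorted(ids) for ip, ids in flagged.items()}


if __name__ == "__main__":
    for ip, ids in find_enumeration(sample_log()).items():
        print(f"ALERT {ip} tried {len(ids)} distinct accounts: {', '.join(ids)}")
```

Detection like this only buys time; the underlying fixes are throttling the login endpoint and replacing the ID-derived default passwords.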
Moral/Conclusion: As a wise person once said, Do not miss classes especially if you cannot hack.
Let me know if you’re enjoying blackhat stories. I might soon get banned, but until then it might be worth it. PS: follow me on Twitter for questions. Let me know if I should continue this blackhat series. Will be more regular with live bug bounty targets too. BYEEE!