As a pentester, I love server-side vulnerabilities more than client-side ones. Why? Because it’s far cooler to take over the server directly and gain system shell privileges.

Of course, vulnerabilities on both the server side and the client side are indispensable in a proper penetration test. Sometimes, to take over a server more elegantly, it also takes a client-side vulnerability to do the trick. But when it comes to finding vulnerabilities, I prefer to look for server-side ones first.

31st August 2016

VTU announced the 2nd semester Choice Based Credit System (CBCS) results. Looking at my grades, I was happy with them.

From a pentester’s point of view, I wanted to know how the website worked, and I set off on an adventure to learn everything about it.

About VTU

Visvesvaraya Technological University (VTU) is a collegiate public state university in Karnataka, India. It was established by the Government of Karnataka.

VTU is one of the largest universities in India, with 212 colleges affiliated to it and an intake capacity of over 467,100 undergraduate students and 12,666 postgraduate students. The university covers technical and management fields and offers a total of 30 undergraduate and 71 postgraduate courses. It has around 1800 PhD candidates.

VTU has 13 QIP centres and 17 extension centres in its affiliated colleges offering postgraduate courses. It has around 2,305 departments recognised as research centres, spread across its affiliated institutions in the cities of Karnataka.

Just a quick glance at how big VTU is:

VTU offers undergraduate engineering programmes that award a Bachelor of Engineering (BE) or Bachelor of Technology (B.Tech) degree. The university offers postgraduate programmes leading to Master of Technology (M.Tech), Master of Science (MSc) by research, Master of Business Administration (MBA), Master of Computer Applications (MCA) and doctorate (PhD) degrees. The MSc and PhD are research degrees, while the rest are taught degrees.

Okay, enough. How on earth did you hack VTU?

We are living in the age of the Internet, where everything is connected to it, and anything connected to the Internet can be exploited. In my opinion, NOTHING and NOBODY is safe when it comes to privacy or security.

Speaking of privacy, it died when you accepted all those terms and conditions without reading a single one of them. People just choose security over privacy.

Day 1, 31st August 2016

My friend, who knew that I knew something about hacking (I completed the C.E.H. at the age of 17), advised me to do something to the website. At first I hesitated. Obviously I knew it would not be easy to hack VTU’s servers, and that doing so could land me behind bars if something went wrong.

To be honest, I never dreamed that I would successfully compromise the servers. I thought VTU would have taken security measures and secured their servers at any cost.

Later that evening, when I was back home from college, I checked my grades once again and looked at the URL of the page, which was:

http://result.vtu.ac.in/cbcs_results2016.aspx?usn=1*******31&sem=2

That was the AHA MOMENT for me.

The URL caught my eye: it was not encoded, and no validation was applied to that GET request. I have done many projects building websites with WordPress, Magento, Java web applications, Drupal, Joomla etc., but I had never worked on .NET sites, so I wanted to know how this one was built and how it worked. I did some research and found this:

  1. Notice cbcs_results2016.aspx. An .aspx file is a server-side page for Microsoft’s ASP.NET framework; its code is usually written in C# or VB.NET (not VBScript, which belongs to classic ASP), often with Visual Studio or Visual Web Developer.
  2. That strongly suggests the server is Windows running IIS. Notice usn=*****&sem=2: usn and sem are query-string parameters of the GET request, telling the server which record I am asking for.
  3. The page presumably builds an SQL query from those parameters and asks the database for the matching row. If the values are concatenated straight into the query text, it looks something like “select * from results where usn='**MyUSN**' and sem=2” (the table name is a guess; from the outside, only the parameters are visible).
  4. Looking at this, I wanted to know whether SQL injection would work.
  5. I fired up Firefox, which had a handy extension installed called HackBar, and following basic SQL injection technique I appended a comma to the end of the URL to check whether the page was vulnerable.
  6. I did not get an SQL error message, but the page failed to fetch the data from the database. That is a sign (not yet proof) that the stray character reached the back-end query and broke its syntax, with the error message suppressed by the application.
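To make the reasoning in the list above concrete, here is an added example (not VTU’s code and not from the original post) that models the two ways the results page could have built its query. SQLite stands in for SQL Server, the results table, its columns and the three rows are constructed sample data, and the function names are mine. The vulnerable version concatenates usn and sem into the SQL text exactly as guessed in step 3; the hardened version binds them as parameters, which is the actual fix for this class of bug (in ASP.NET that means SqlCommand parameters instead of string concatenation). The probe shows the three symptoms from the story: a trailing comma produces a syntax error (the “failed to fetch” page), a quote-based payload returns every student’s row, and a UNION payload reads the schema catalogue the way sqlmap enumerates databases (sqlite_master here; sys.tables or INFORMATION_SCHEMA on SQL Server).

```python
"""Added illustrative example: concatenated vs. parameterised lookup.

Not the application's real code.  Table name, columns and rows are
constructed sample data; SQLite stands in for the MSSQL back end.
"""
import sqlite3


def build_db():
    """Create an in-memory results table with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE results (usn TEXT, sem INTEGER, grade TEXT)")
    con.executemany(
        "INSERT INTO results VALUES (?, ?, ?)",
        [
            ("1AB14CS001", 2, "A"),
            ("1AB14CS002", 2, "B"),
            ("1AB14CS003", 2, "C"),
        ],
    )
    return con


def lookup_vulnerable(con, usn, sem):
    """The guessed original: request parameters pasted into the SQL text.

    Whatever arrives in the URL becomes part of the statement, so a quote
    or a comma changes the query's structure instead of being a value.
    """
    sql = f"SELECT usn, grade FROM results WHERE usn = '{usn}' AND sem = {sem}"
    return con.execute(sql).fetchall()


def lookup_safe(con, usn, sem):
    """Hardened lookup: validate sem, bind both values as parameters.

    The driver sends values separately from the query text, so they can
    never be parsed as SQL.  int() rejects anything that is not a number
    (e.g. the trailing comma) before the database is ever asked.
    """
    sql = "SELECT usn, grade FROM results WHERE usn = ? AND sem = ?"
    return con.execute(sql, (usn, int(sem))).fetchall()


def probe(con, usn, sem):
    """Run both versions on the same input and report rows or error class.

    Mirrors the blind probing in the post: the vulnerable page shows no
    SQL error text, it simply fails to return data.
    """
    out = {}
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        try:
            out[name] = fn(con, usn, sem)
        except (sqlite3.OperationalError, ValueError) as exc:
            out[name] = f"error: {type(exc).__name__}"
    return out


if __name__ == "__main__":
    db = build_db()
    # 1. Normal request: both versions return the single matching row.
    print(probe(db, "1AB14CS001", "2"))
    # 2. Trailing comma, as in the story: syntax error vs. validation error.
    print(probe(db, "1AB14CS001", "2,"))
    # 3. Tautology in usn: vulnerable version dumps every student's row.
    print(probe(db, "' OR '1'='1", "2"))
    # 4. UNION into the schema catalogue: how a tool enumerates tables.
    print(probe(db, "' UNION SELECT name, sql FROM sqlite_master --", "2"))
```

Run it as a script to see the four probes side by side. Note the operator precedence in probe 3: the injected text becomes `usn = '' OR '1'='1' AND sem = 2`, and because AND binds tighter than OR the `sem` restriction only applies to the right-hand branch, so every row comes back.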

And the adventure began…

I wanted to know whether, instead of my usn and sem, I could send the server some other SQL.

Thanks to Bernardo Damele A. G., creator of the open-source database takeover tool sqlmap, I started testing the web application with sqlmap.

With a few basic trial-and-error runs and extreme patience, I finally found the injection point and could read and dump every database belonging to result.vtu.ac.in.

I took a screenshot so that I could submit it to the VTU officials one day.


A sigh of relief that my time had not been wasted so far.

The screenshot above, taken during the penetration test, shows 9 databases.

NOTE: I’m not an EVIL hacker. I have never even thought of becoming a BLACK HAT. I just love testing and playing with servers; it is a kind of adventure to find out how the back end really works.

What will an ethical hacker do when he can read the database? Most likely he will try to get the users and passwords.


So now I tried to get the MSSQL Server 2005 database password. Yes, I did get the password, but it was encrypted and hashed with a salt, making it harder to recover.

I may have to blur the hashes for safety reasons.

I tried to crack the hash with hashcat and also with rainbow tables, but nothing seemed to work. I could not crack the password because the passphrase was complex. It was about 2 in the morning and I was tired. I decided to give up, thinking nothing was going to work now: hacking VTU is impossible and the server is secured.

Day 2, 1st September 2016

Back from college at 4, I again could not get this VTU server thing out of my head. If I could get the password hashes, there had to be some other way in.

So I went back to basics and scanned the whole site again, this time scanning the ports with Nmap.

  • Port 22: sshd open, but it was managed by the security company Cyberoam.
  • Port 80: httpd 7.5 (IIS) open.
  • Port 8080: https-alt closed.
  • Port 1433: ms-sql-server open.
  • Port 3389: RDP service open.

What is the difference between an open port and a closed port? These are the three states a SYN scan (Nmap’s -sS) distinguishes by how the host answers a single SYN packet:

  • Closed port: if you send a SYN packet to a closed port, the host responds with a RST. The machine is reachable, but nothing is listening there.
  • Filtered port: presumably the host is behind some sort of firewall. The packet is simply dropped and you receive no response (not even a RST).
  • Open port: if you send a SYN packet to an open port, you expect to receive a SYN/ACK.

To put it simply: an open port is like a friend. You say good morning (SYN) and he replies good morning (SYN/ACK). A closed port is like someone who picks up the phone and immediately says “wrong number” (RST): you know the host is there, but nobody is listening on that port. A filtered port is like a teacher behind a closed office door: your “hi” (SYN) may never get through, and you hear nothing back, because the firewall configuration decides whether the packet is dropped.

The more details you have about the server, the easier it is to find a vulnerability.

By crawling deep into the website I found some useful URLs. They confirmed that Cyberoam was providing the so-called security and hardware resources to VTU, which had no impact: they simply failed to secure VTU’s servers.

I tried to brute-force the login of the Cyberoam admin panel, hoping the username would be Admin and the password would be [email protected], exactly like my Computer Science HOD’s login.

How did I come to know my HOD’s login? Shoulder surfing :P. Obviously, brute-forcing the usernames and passwords did not work. I did not use many wordlists: too many login attempts in a short interval of time might raise a few eyebrows.

I now knew I was dealing with someone stronger than VTU when it came to cyber security, but I had no fear, because the main aim of my penetration test was to find a vulnerability and report it, not to misuse it.

FAILED again. Very frustrated, I had to calm myself down. I had a fun chat with Cyberoam 😛


Day 3, 2nd September 2016

Back to ZERO. What to do next? Give up?

Nah. Keep at it until you get there. I fired up msfconsole and tried to get a Meterpreter session through the SQL injection.

I tried several exploits. I don’t have the Metasploit Pro version, which has the latest exploits. Guys, if you’re reading this: “Please give me Metasploit Pro for free..”

There were so many moments that made me feel like quitting. I even stopped every process and switched off my PC, and again I just could not get this thing out of my mind.

It kept taunting me. Just as many people get addicted to smoking, drinking and drugs, it was a clear sign that I was addicted to hacking: sleepless nights constantly pushing me to hack the server.

It was really hard to find the right vulnerability and get into the system.

While trying many different ways into the server, I finally got an --os-shell using sqlmap’s more advanced options: --tamper, together with a higher --level and --risk.

On MSSQL, sqlmap’s --os-shell works through the xp_cmdshell extended stored procedure. If xp_cmdshell is disabled (the default on SQL Server 2005), sqlmap tries to turn it back on through sp_configure, which only succeeds when the database login used by the web application has sysadmin rights. So getting this shell says two things about the target: the query is injectable, and the results page talks to SQL Server as a highly privileged account.

So finally I had an actual OS shell, i.e. CMD on the remote server.

What is CMD? 

The Command Prompt in Windows gives access to a few hundred built-in commands and utilities, used to perform operating system tasks from a command-line interface instead of the graphical Windows interface we use most of the time. Commands launched through xp_cmdshell run with the rights of the SQL Server service account, so how much an os-shell actually gives you depends on how that service was configured; here, evidently, it was enough to administer the whole machine.

So when you have an os-shell, what else can you do? The answer is: anything. I was still looking for the full details of the server; here is the screenshot of the systeminfo command.

I went through each and every drive. I had access to almost all the files stored on the VTU server. When you have an actual Administrator shell, what can you do? Almost everything.

NOTE: I did not delete, modify or alter any file saved on the server. Everything I did was for a good cause.

I enumerated the users; surprisingly, there were 4:

  1. Administrator (the default one; every Windows computer has one)
  2. admin
  3. guest
  4. guest1

I actually did reset the Administrator password using the net user * command.

I successfully changed the Administrator password. Now I was afraid and concerned, because a Remote Desktop connection could log out the current user and ask for my credentials, as Windows is not a multi-user operating system.

I connected to the server using Guest as the username, just to check whether Remote Desktop was enabled. Remember, on Day 2 (1st September 2016), when I scanned the site, port 3389 was open, which indicated that RDP (Remote Desktop Protocol) was enabled.

Again, luckily, everything seemed to go okay from the moment I had the os-shell.

USERNAME: ADMINISTRATOR

PASSWORD: the one I had reset through the SQL injection.

The moment the computer was logged in.

The SQL Server database was already logged on, so I did not waste time guessing the same password again.

It presented a beautiful screen of 283,392 students’ marks and grades. Over 2 lakh students’ results were in my hands, and if the same access had been given to a malicious hacker, I bet he would have changed all the grades.

At this point I felt sorry for VTU. I never expected it would be so easy to hack. All I needed was patience, the basics and a few sleepless nights.

Let’s just say VTU is careless about everything: the syllabus, exams, evaluation, and the only purpose of re-evaluation is making money.

I literally could hear my heart pounding. I realized I had gone too far by literally having access to all students grades.

What do you think I should have done next? Tell VTU that their server had been hacked by a teenage boy? That he did something malicious and dropped the whole database?

The problem was that I did not know how to contact the officials. I did contact VTU twice on their helpline number, but they were in a hurry to hang up and had no patience to listen to me. Here are the numbers I tried, as provided on their website: 0831-2498139 and 0831-2498138.

Here’s what I decided to do.

I was able to exploit the server only because of xp_cmdshell, so I manually turned xp_cmdshell off and also tried to make sure that no other hacker could exploit the system the same way again.

So xp_cmdshell has been disabled (no hacker can exploit the server the way I did). <-- I just hope so. 😛

At this point I really do feel sorry for VTU. I never expected it to be so easy, or let us say that they are very careless about everything.

The Administrator password was reset by the VTU officials within a few hours of the system being compromised.

So let’s just say VTU did realise that their server’s Administrator password had been changed and that they had been hacked.

Not only did I compromise the system; looked at the other way around, I helped VTU secure their vulnerable server. 😛

After disabling xp_cmdshell I lost the connection.

NOTE: I have officially lost all access to the server, and the application is no longer vulnerable to SQL injection. After a few days, Event Validation was enabled, making sure that no other malicious hacker could inject anything.

POC

BEFORE


AFTER


Thanks to my friend Rohan, who always had my back, making sure that I did not make a stupid decision and land in trouble.

I DID NOT MODIFY, ALTER OR DELETE ANY FILES BELONGING TO THEIR SERVER.

People say that what I did was wrong and that I should be ashamed of it, but after what I have been through, I have no regrets about what I have done.

Disclaimer:
– Before carrying out any attack, get the other party’s consent.
– All of this is for learning.
– Do not try this in public.
– I am not responsible if you run into any legal issues.

The information contained in these web pages is, to the best of our knowledge, true and accurate at the time of publication, and is solely for informational purposes.

Pantomath accepts no liability for any loss or damage how so ever arising as a result of use of or reliance on this information, whether authorized or not.

Pantomath is not responsible for the contents of personal and peripheral web pages, nor for the accuracy or integrity of material accessed via links from these pages. Any comments on these pages should be directed to the post author.

Reproduction, distribution, republication, and/or transmission of material contained within this website are prohibited unless the prior written permission of Pantomath has been obtained.

40 COMMENTS

  1. Wow. This clearly shows how careless VTU is. At least by now I hope they will secure the servers. Well done, Jay Kumar Ryan.

  2. I feel that this is among the most vital info for me. And I’m happy studying your article. However, I want to comment on some general things: the website taste is wonderful, the articles are in point of fact nice :D. Just right activity, cheers.

    • Many users ask me the same question again and again: “How do you become a hacker? Please teach me.” It was embarrassing at first, but then I realised people had a willingness to learn about cyber security and ethical hacking. Learn coding first.

  3. At first I thought you were just kidding. But later, looking at the database of the VTU results, I think this article is genuine. Do you still have access, bro? I understand that the post covers just a few of the things you did on the server. Please reply to my mail; I have more news about VTU which would help you.

  4. Student, student. Hey man, you didn’t tell us anything. That’s why I don’t trust silent people like you. Staying quiet, who knows what you’re up to. Change our marks a little, man. Same college, same class. Can’t you do that much?

  5. Thanks for another excellent post. Where else could anybody get that type of info in such an ideal way of writing? I have a presentation next week, and I’m on the search for such info.

  6. Hi everyone, nice try, but I want to say something, as I am an associate professor. VTU has two documentary records of your marks card: a primary database and a secondary database. The VTU admin always prints the secondary database as the result, which is a duplicate of the primary database. So if you modify the secondary database there will be no change in the primary database, as it is kept safe somewhere, and your semester marks card is printed directly from the primary database.
    That means it is never possible to modify your marks on the VTU marks card.
    I am glad to see your effort but feel sorry for you.

    • Hi, I’m glad to hear that from you, sir. I knew this when our college received the hard copy of the marks sheets.
      But where will the students look for their results on your website? On the primary database, or through the secondary database?
      If my marks have been changed by a hacker before the results are published on the website through your primary database, not the secondary database, then from the student’s point of view the marks look accurate, and the student might continue or discontinue going to college on that basis.
      I request you to make sure that the marks published on the website are accurate and cannot be tampered with in any way. Thank you.

      • The post written on the site is just 30% of how I tried to access the Windows server. There were many complicated steps and exploits used to get the raw password of the server. My friend and I went through many different challenges and exploit codes.
        I wanted to make this post less technical so that every student could understand it easily.
        The results published recently on this site are vulnerable too. I don’t care about the marks printed on my marks card. We want accurate results on your site; if you cannot do that, don’t publish results on the site, send them directly to the colleges.
