This article is going to be about how I hacked into one of India’s most famous and costly international schools. For certain reasons, I won’t be able to mention the organisation’s name (they are very rich and might sue me, and they also have extremely rich clients) and will call it redacted.edu. I was really bored and too lazy to hunt bugs properly, so I decided to do some casual testing on a few rich schools that were on my list. I didn’t find anything interesting on the other targets and finally landed at redacted.edu.
There were no interesting subdomains and no internal servers found on Shodan or Censys. Finally, I decided to do some GitHub recon.
And I found a few interesting things in the code section. These were emails of what looked like students ([Student].[IDNumber]@REDACTED.edu). Along with these were their phone numbers, birthdays and class details.
I thought this would be enough to report but I wanted to dig in more. I decided to look at the main repository and what I found was unbelievable. It was the source code of the entire website.
I couldn’t believe it, as this almost never happens. I even had the MySQL credentials from the connect.php file.
But the funny thing was that this wasn’t for the main website. I looked into a lot of .php and .html files to see if the link was mentioned, maybe in a meta tag, but this whole time the .htaccess file was right in front of me. I opened the file and saw that this was for a completely different website, which turned out to be the organisation’s internal website. We will call this REDACTEDINT.com.
The first thing the site showed me was a login page.
I entered the wrong credentials and intercepted the response which had the ‘status’ value set to 0 and I changed it to 1. This didn’t help me as a token for the valid credentials wasn’t returned. Now I tried to experiment with the forgot password functionality.
1) Used a wrong email and changed the response’s status value to 1
2) Got redirected to the OTP verification page, entered 1234 and changed the response’s status value to 1
3) Finally reached https://REDACTEDINT.com/forgot-change-password.php?email=undefined
I think everyone can spot the vulnerability now (IDOR: Insecure Direct Object Reference). All I did was go back to the repository and choose the email of a student whose birth year was 2003 or earlier, as they would have passed out already and I wouldn’t be tampering with an existing user’s account. I then replaced undefined with that email and was able to reset the password for the user. The account I used also had elevated access on the portal, which allowed me to access the details of all the current students, including their email IDs, phone numbers, birthdays, access level information, class details and more.
Reported:- 17 October 2021
Acknowledged:- 19 October 2021
Patched:- 21 October 2021
Sometimes it’s good to let go and test on targets that don’t have a bug bounty program, but everything you can learn from such targets is still priceless.
If you enjoyed this write-up, feel free to click the clap button, and for more like this, click the follow button.