Securing Data: How I Quickly Accessed 3000 Student Records in under 5 Minutes
Hi everyone!
Introduction
In the world of cybersecurity, the ability to swiftly assess vulnerabilities is a valuable skill. I was presented with a unique challenge — to perform a penetration test on a university’s digital infrastructure. Knowing the sheer scale of such institutions, I embarked on a comprehensive reconnaissance mission. For the sake of confidentiality, I’ll refer to this university as “www.target.com."
Commands I used:
nmap -sV -Pn -O 8.8.8.0/24
subfinder -d target.com >> Starget.txt
gobuster dir -u https://target.com -w /usr/share/wordlists/common.txt
paramspider -d www.target.com >> Ptarget.txt
Then I searched for live domains using httpx.
cat Starget.txt | httpx -status-code
cat Starget.txt | httpx >> 1live.txt
cat Ptarget.txt | httpx >> 2live.txt
Found over 3000 live domains. Since my scope of work was (is — I am currently working on this), I wrote down a bunch of notes and highlighted interesting domains.
I went to the login page, logged in, and started analyzing the requests made to the server.
Pro tip: never underestimate the “automatic” requests made to the server. They are literally a gold mine. Sometimes they refer to other files and path names, and those will lead you to more files and paths on the server!!!
I checked the first request to /adminb.php:
WHAT A JUICY FILE!
Inside the Burp file I searched for “user”, “api”, “admin”, “server”, “password”, “token”, etc. Why?
To find potential files and paths
While searching for “admin”
I found:
Good endpoints that could potentially lead to vulnerabilities and exploits.
Then I saw:
Alright cool, what is this? I thought to myself.
I opened a Google incognito window and searched for it:
AND IT DOWNLOADED:
A database of over 3000 students!
Encrypted passwords, full names, full addresses, phone numbers, driver's license numbers, birth dates. All were compromised in 5 minutes. This was open for everyone to download; no auth was needed.
I reached out to the security manager, and they deleted it immediately. Apparently, they had reached out to the web devs, and did not remember why they were using the file in the first place.
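The root cause above is a bulk data export sitting in the web root and served to anyone, with nothing in the logs to raise an alarm. As an added example (not code from the original post or from the university), here is a small detector that runs over web server access logs and flags successful anonymous downloads of dump-like files. It assumes a combined log format with the Cookie header appended as a final quoted field, and that authenticated users carry a PHPSESSID or session cookie; the log lines are constructed.

```python
import re

# Combined log format plus one extra trailing field for the Cookie header
# (assumed: many sites log it with a custom LogFormat / log_format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"'
)
# Extensions typical of exports/backups that should never be served anonymously.
DUMP_EXTS = (".sql", ".csv", ".xlsx", ".xls", ".bak", ".zip", ".json.gz")
SESSION_COOKIES = ("PHPSESSID", "session")  # assumed session cookie names
MIN_BYTES = 100_000  # ignore tiny files; a 3000-row export is far larger

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    return d

def is_anonymous(cookie):
    """Heuristic: no known session cookie in the Cookie header."""
    return not any(name + "=" in cookie for name in SESSION_COOKIES)

def find_exposed_exports(lines):
    """Return (path, ip, bytes) for successful anonymous downloads of dump-like files."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue
        path = rec["path"].split("?", 1)[0].lower()  # strip query string
        if path.endswith(DUMP_EXTS) and rec["bytes"] >= MIN_BYTES and is_anonymous(rec["cookie"]):
            hits.append((rec["path"], rec["ip"], rec["bytes"]))
    return hits

# Constructed sample lines (not real traffic): one authenticated page view, one
# anonymous export download, one authenticated download, one 404 probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /adminb.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0" "PHPSESSID=abc123"',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /exports/students_2023.xlsx HTTP/1.1" 200 2893411 "-" "Mozilla/5.0" "-"',
    '198.51.100.7 - - [10/Oct/2023:13:57:12 +0000] "GET /exports/students_2023.xlsx HTTP/1.1" 200 2893411 "-" "Mozilla/5.0" "PHPSESSID=def456"',
    '198.51.100.9 - - [10/Oct/2023:13:59:02 +0000] "GET /backup/db.sql HTTP/1.1" 404 196 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for path, ip, size in find_exposed_exports(SAMPLE_LOG):
        print(f"ALERT: anonymous download of {path} ({size} bytes) by {ip}")
```

Only the second line is flagged: the same file fetched with a session cookie is treated as authenticated, and the 404 probe is ignored.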
I will keep y’all posted on what else I can find in this engagement.
Thanks for reading. Send me a LinkedIn request! www.linkedin.com/in/facufernandez