Warning: This is low-key illegal. I’m very fortunate that the parties involved took it in a good manner and didn’t suspend me. Note to future self: Don’t do stupid shit.

Note to the reader: I use College and University interchangeably because my College is about to become a Uni soon, so yeah.

TL;DR at the bottom

Well, this is going to be a looong and glorious post. This is the story of how a young man became the most powerful person on his campus for around 8 hours. So sit back, relax and enjoy the long read (or don’t, it’s really up to you).

It all started on 7th February at 10:20pm when I should have been studying for my exams on Tuesday. I got an email from one of my professors saying that one of the internships on the internship portal was open only for another day and that we should apply for it soon if we were interested. I hadn’t really checked out the internship before and thought I’d check it now. Here’s something you should know about our internship portal: it’s a locally hosted website (i.e. you can access it only on campus WiFi) made by a few students in their senior year as one of their college projects. I logged in with my credentials (my roll number and their default password, which I couldn’t even change) and clicked on the internship.

As I started to go through the internship, I noticed one very blatant thing. You know the lock symbol at the left-hand side of your address bar that is usually green? Well, it was red. For those of you who don’t know what that signifies: the page was being served over plain HTTP rather than HTTPS, so anyone on the same network could read what I was sending to the site, login form included. I could understand why it was red, though. The website wasn’t open to the internet; it was only reachable over our campus WiFi. The probability that someone would bother sniffing other people signing up for internships was incredibly low, and the effort would be wasted on the “hacker”. This lock doesn’t have much to do with what I did, but it’s the starting point of this blog post.

The moment I noticed that the website wasn’t secure, I thought of other areas where it might also not be secure. My first thought went to unsanitized inputs, of which SQL injection is super famous. The idea is that the server builds its database query by pasting your input straight into the SQL text, so if you type something like ' OR '1'='1 into a form field, the quote and the OR become part of the query and change what it matches; a -- at the end comments out whatever the application appended after your input. If the query ran against a table called students, this would give me the contents of that table, and if I knew the admin table name, I could get a list of admin users. However, much to my dismay, the developers of this website had sanitized their inputs and SQL injections didn’t work.
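To make the injection idea concrete, here is an added example (mine, not code from the portal or its authors) showing the two ways a login query can be built. The table, rows and password strings are constructed for the demo and have nothing to do with the real portal; the point is that the same payload dumps every row from the concatenated query and matches nothing in the parameterised one.

```python
import sqlite3

# Constructed sample data: a tiny in-memory stand-in for a portal's user table.
# Not the real portal's schema or values.
SAMPLE_ROWS = [
    ("19CS001", "default-pw-1", "students"),
    ("19CS002", "default-pw-1", "students"),
    ("prof_a",  "prof-secret",  "professors"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (rollno TEXT, password TEXT, grp TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, rollno, password):
    """Builds the query by string concatenation: whatever the user types
    becomes part of the SQL text, so quotes, OR and -- change its meaning."""
    sql = ("SELECT rollno FROM students WHERE rollno = '" + rollno
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, rollno, password):
    """Parameterised query: the driver passes the values separately from the
    SQL text, so the very same payload is just a string that matches nothing."""
    sql = "SELECT rollno FROM students WHERE rollno = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (rollno, password))]


# Classic tautology: the app's own closing quote finishes the '1'='1' test,
# and AND binds tighter than OR, so the WHERE clause is true for every row.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"

# Comment payload in the username field: everything after -- (including the
# password check the app appended) is ignored, so no password is needed.
PAYLOAD_COMMENT = "prof_a' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", login_vulnerable(db, "x", PAYLOAD_TAUTOLOGY))
    print("vulnerable, comment:  ", login_vulnerable(db, PAYLOAD_COMMENT, "wrong"))
    print("safe, tautology:      ", login_safe(db, "x", PAYLOAD_TAUTOLOGY))
    print("safe, comment:        ", login_safe(db, PAYLOAD_COMMENT, "wrong"))
```

Parameterised queries (or Django's ORM, which uses them underneath) are what “sanitized their inputs” should mean in practice; escaping quotes by hand is the version that tends to have gaps.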

It was then I noticed at the bottom of each page in the footer: Developed with ❤️ by ******* (name censored for obvious reasons). Clicking on the name led me to a GitHub organization page which had only one repository, the organization’s github.io page. Going through that page gave me nothing, as they had no info on it. I went back to the GitHub organization page and looked at the members of the organization, who turned out to be two senior students, one of whom I knew well. I clicked on their profile and went through their recent repositories, and what I saw next blew my mind 🤯. After 10-ish repositories, I saw the internship portal’s full code in a repository. That meant I now knew how the backend of the internship portal worked; this knowledge was power. If I could figure out a flaw in the code, I could possibly exploit it.

A very blatantly obvious piece of information was that db.sqlite3 had been uploaded to GitHub and that the backend of the website was built using Django. db.sqlite3 is the app’s entire database in a single file; it holds every table and every row, including Django’s auth_user table, which is why it should never be committed to a repository. I downloaded the file, opened it with a sqlite3 viewer, and in front of me was the data of all users and admins and their passwords (hashed, of course).

Fig 1. All the tables that existed in their database

Fig 2. The auth_user table

Remember at the beginning when I mentioned that users couldn’t change their passwords? I checked the code and saw that there was no code to let people change their password, which meant all the professors’ passwords were also default. I took the first professor’s name on the list, got their username and tried logging in with the default password.

It didn’t work 🙁. I then went back to the repository and painstakingly went through the functions in views.py, which took me around 45 minutes and led me to conclude nothing by 12am. I then decided to go through the other files, and after 5 minutes I found something major in a file called urls.py:

# user = User.objects.create_user('*RollNumber*',password='A DEFAULT PASSWORD THAT I'M NOT TYPING HERE')
# user.first_name="***"
# user.last_name="*******"
# user.email="*************@*******.***"
# user.groups.add(students)
# user.profile.leisureTime="Peaks"
# user.profile.location="Student"
# user.save()

This was commented-out code for creating a default user with their credentials. My default password and this default password were off by one character. Hmm… this was interesting. git blame showed that this code was edited a year ago and my account was made a few months ago. That meant all the old accounts still had this password unless they could change it somehow, which they couldn’t, because going through the commit history of the files showed no code related to changing a password. I now tried to log in with the professor’s username and the old default password.

I was in. I let out a small sigh of satisfaction (more like I yelled like crazy). I instantly logged out because Django web servers remember IP addresses and I didn’t want any trace back to my IP address (it’s not that hard to change your IP address, but still). I then thought about going to the library and using the computers there. It’s open until 1am and I had 45-ish minutes to do whatever I wanted to do, if I wanted to do whatever I wanted to do (that’s a beautiful sentence). I speed-walked to the library and didn’t sign in, claiming I’d take only 5 minutes. I couldn’t leave any trace.

I went to the E-Library and there was only one student there. I logged in to a guest account on the computer, opened the internship portal and logged in to the professor’s account. There I had an option of creating an internship, which I clicked on. It was here I had an epiphany. Two words: Rick Roll. Yes. I wanted to Rick Roll anyone who checked out the internship. If you don’t know what a Rick Roll is, according to Wikipedia it's a prank and an Internet meme involving an unexpected appearance of the music video for the 1987 Rick Astley song "Never Gonna Give You Up". The meme is a type of bait and switch using a disguised hyperlink that leads to the music video. The victims, believing that they are accessing some unrelated material, are said to have been rickrolled. This was going to piss so many people off. :evil laugh:

I created a basic internship that was for Computer Science students titled Summer Internship at URA (University of Rick Astley). The description: URA is a prestigious university that focuses on cutting-edge research in the fields of AI, ML, NLP and VR. For more details, please watch this link: https://www.youtube.com/watch?v=dQw4w9WgXcQ. This was a high-effort Rick Roll because the Rickrollee had to copy the link and paste it to get Rick Rolled. 👌.

It was the moment of truth. I clicked on the create internship button and watched … nothing happen. I clicked on the create internship button again and watched nothing happen, again. This was truly baffling until it dawned on me. Only the admin could create internships. The professors merely have accounts that don’t have the functionality of creating internships and instead use the portal to view internships/applications. It was only the admin who could create internships at the request of professors. This was going to be difficult.

It was touching 12:45 and the librarian had given me a 15-minutes-left warning. I decided to log out and go back to my room to work from there. Back in my room, the first thing I did was change my MAC address and my IP address on my laptop. I had thought about getting into the admin account whilst walking back. As per Fig 2, I had the admin username (the red box) (and no, it wasn’t admin. It was a proper username that I couldn’t have guessed). I now needed the password. What I did have was the password hash, which looked something like pbkdf2_sha256$*****$*********$*****************. A quick search online showed that Django stores its passwords as <algorithm>$<iterations>$<salt>$<hash>: a PBKDF2-SHA256 hash with a per-user salt and an iteration count. A hash like that can’t be decrypted; the only way to get the password back is to guess candidates, run each one through the same PBKDF2 with the same salt and iteration count, and see which guess produces the stored hash. The question was how.

Enter hashcat, a password recovery tool. Hashcat is a beautiful and very GPU-intensive program that does exactly that guessing at scale: it takes candidates from a mask, a wordlist or rules, hashes each one and compares it against the target. PBKDF2 is deliberately slow (the iteration count exists precisely to make every guess expensive), so the hardware matters. If I were to run it on my laptop, it would take months to crack a password. It would possibly take a few days on my Desktop (which has a GTX 1070). But … better yet, it could possibly take a few hours on … the college’s supercomputer. The supercomputer has 8 of the most powerful commercially available GPUs on the planet, and those could probably finish the task much faster than my Desktop.

I logged in to the supercomputer and ran a Docker image that has hashcat with the right CUDA drivers for the GPUs. I ran the command hashcat --opencl-devices 2 --attack-mode 3 --hash-type 10000 --outfile crackedPassword encryptedPasswordFile (hash type 10000 is hashcat’s mode for Django’s PBKDF2-SHA256 format, and attack mode 3 is a brute-force mask attack). This ran hashcat on the 8 GPUs.
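For anyone who wants to see what hashcat is actually doing with that pbkdf2_sha256$…$…$… string, here is an added example of my own (not the portal’s code and not Django’s own hasher) that rebuilds Django’s hash layout from the published format, verifies one candidate against it, and runs a small wordlist through it the way mode 10000 does, minus the GPUs. The username, salt, “default” password and guess list are all made up for the demo, and the iteration count is set to 1000 so it runs in a blink; Django’s real default is in the hundreds of thousands, which is the whole reason the supercomputer was tempting.

```python
import base64
import hashlib
import hmac


def make_django_hash(password, salt, iterations=1000):
    """Produce a string in the same layout as Django's default hasher:
    pbkdf2_sha256$<iterations>$<salt>$<base64 hash>. Reimplemented here from
    the documented format for the demo; 1000 iterations is far below what
    Django ships with and is only used to keep this fast."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, salt, base64.b64encode(dk).decode("ascii"))


def verify_django_hash(encoded, candidate):
    """Recompute the hash for one guess with the stored salt and iteration
    count, then compare in constant time. This is the whole 'cracking' step:
    there is nothing to decrypt, only guesses to re-hash."""
    algorithm, iterations, salt, stored = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hasher: " + algorithm)
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt.encode(), int(iterations))
    return hmac.compare_digest(base64.b64encode(dk).decode("ascii"), stored)


def crack_with_wordlist(encoded, wordlist):
    """Try each guess in turn; return the first that matches, else None.
    hashcat -m 10000 does the same comparison, just billions of times faster."""
    for guess in wordlist:
        if verify_django_hash(encoded, guess):
            return guess
    return None


# Constructed sample: a pretend auth_user row. The password is a hypothetical
# default, not the real one from the repository.
DEFAULT_PASSWORD = "Portal@123"
ADMIN_ROW = ("portal_admin", make_django_hash(DEFAULT_PASSWORD, "Zq3xK9", 1000))

# Guesses an attacker who had read the repo would try first: generic defaults,
# the leaked default, and the off-by-one-character variant.
GUESSES = ["password", "admin", "Portal@124", "Portal@123"]

if __name__ == "__main__":
    username, encoded = ADMIN_ROW
    print(encoded)
    print(username, "->", crack_with_wordlist(encoded, GUESSES))
```

Two practical notes. First, an attacker with the repository doesn’t need a mask attack at all: a wordlist of the defaults found in the code cracks this in milliseconds, which is why the brute-force run came back with the default password. Second, once a db.sqlite3 full of hashes has been public, making the repository private doesn’t unpublish the clones, so rotating every password (and removing the file from history) is the only real fix.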

Fig 3. The hashcat program going through passwords


Fig 4. nvidia-smi showing that hashcat was monstrously eating up the power of 8 GPUs

Unfortunately, I don’t have the screenshot of the final screen where hashcat says that the status is cracked, but I provide a slightly less cool alternative at the end of the post.

Hashcat took about an hour to run, and after an intense hour of not knowing what was going to happen, I saw the status. It said cracked. I could feel electricity through my fingers as I proceeded to type out the command that displays the contents of the file with the cracked password. However, I felt all the electricity drain when I saw what the password was. It was the default password. MASSIVE FACEPALM™. I felt a lot of things in that moment, and confusion was probably what I felt the most. But my feelings didn’t matter. The password did.

I typed the admin username. I typed the admin password. I 👏 Was 👏 In 👏. THE SWEET FEELING OF BECOMING A HACKER HIT ME.

Fig 5. HackerIceCereal

Now, for the moment of truth. I created a Summer Internship at URA with the description: URA is a prestigious institution that primarily works on cutting-edge research in the fields of AI, ML, NLP and VR. The details of the internship are provided in the following video: https://www.youtube.com/watch?v=dQw4w9WgXcQ.

Fig 6. The admin interface


I opened my phone and checked the internships on the internship portal.

Fig 7 (Left) and Fig 8 (Right). (Left) The front page of the internship portal. Notice the red square. (Right) The actual internship page.

The time was 3am and I was internally yelling. After calming down I decided to sleep, happy that I had something worthy of a blog post to write about.

I woke up at 10:30am the next day to a few messages on a WhatsApp group and an email. The email was regarding an internship— I freaked out. I opened the email and thankfully it was about the deadline of another internship. However, I should have anticipated what was to happen next. Many, many students opened the portal that very instant and found another internship at the bottom: Summer Internship at URA. And what ensued was many messages like the one below:

Fig 9. One of many WhatsApp groups finding out about the Summer Internship at URA. I acted innocent, of course.

By 12:30pm, a lot of people on my campus knew about the Rickroll. The news eventually spread to the admin (the senior year student) and by 1pm it was down 😔. It was good while it lasted.

I went and told the professor-in-charge about what I did later that week, and they didn’t seem mad; in fact, it looked like they were trying to hide a smile (but that could be my imagination). The important thing to note here is that I didn’t get suspended. I told the prof-in-charge and they made sure to make the repository private and to change the passwords. Alas, all bad things must come to a good end if you’re a White Hat (I don’t know if this qualifies me, but let’s just assume I am one for now).

And this, my friend, is the humble beginning of Hackerman. Thank you for coming to my TED Talk®.

TL;DR I got into my Uni’s internship portal, created an internship, rick-rolled everyone. High-Effort Memes

PostScript: Since I don’t have the screenshot of the final screen where hashcat says that the status is cracked, here is a screenshot of my Desktop running hashcat with a mask, so that you can actually believe me. -_-

Fig 10. Hashcat showing the cracked status on the hash provided (run on my Desktop)