Hey, I’m Piyush Raj. And that’s it. Let’s start? Yeah, let’s do it.
So, it’s a long-short-kinda-moderate-length’d story. I was doing reconnaissance on our college campus website when someone shouted out a meme about Engineer’s Day. I ignored it, but something was going on.
After jumping around, I found moderate level vulnerabilities, and I was very excited to … okay, okay.
Malformed requests (Period)
It was 2 AM. I got bored after hacking and leaking sensitive student data as I don’t do malicious work other than having fun.
(Yes, it’s *still illegal* but I know silver linings, I guess?)
Another reason to “get bored” was that I had to make a full Bug Report.
I went out of my little cave to bring something to feed my friends as they were simultaneously busy and hungry watching some “xyz” web series.
Yeah, I haven’t got a team like in The Social Network. ¯_(ツ)_/¯
Moving right along…
In the lift, while going down, something clicked and the aftereffect was clicking on all the floor buttons.
(to stop the lift on the nearest floor, obviously, I didn’t freak out, really, really, … okay whatever..)
After running into my dorm and into my cave, and obviously after looking at sad faces as I didn’t bring anything, I turned on the laptop, saw the data, and a few seconds later, I realized that I’d chalked out a full plan.
I forgot to tell what happened earlier that night, let’s rollback() !
A boy got beaten up at 12 midnight!
No, I’m not kidding, seriously.
If you don’t know, in most of the colleges in India (I don’t know about foreign colleges), there is a ritual that whoever has a birthday, gets beaten up by their peers. So, most of us try to hide it.
I did it, my brother did it and that’s how pretty much every Indian student does it.
You’re now seeing what clicked in the lift? (if yes, high-five!, no, not the buttons)
Yes, I was basically heading over to build a .. a ..
(didn’t think of a kick-ass comma bad-ass name at that time so, .. folder name was Project Birth-Day-Reveal-eer, I know, dumb name.)
The Birthday Buster
It was “the thing”, or say “the cool shit” if you want to be in Jobs’ shoes.
After some pre-processing, crunching many data sources I hacked, I started building a custom database.
(yes, Indian colleges don’t think much of security)
After building a whole database containing 1142 students in undergraduate studies, and hundreds more students of other years as a separate database, I finally started coding.
I’ve to admit, handling the datetime module was fun!
After making a basic CLI (command-line interface), I thought,
“It’s not going to be used, well, because it’s not *the* MIT, it’s just MIT or say happened to be MIT, I don’t know ..”
(Confused? Head over to my blogs. Seriously, you should follow me right away.)
The Telegram Bot Integration
Telegram is widely known and is “the drug for Generation Z”.
Read the Telegram API quickly and cooked up a script to communicate through Telegram and my back-end CLI.
Basically, I just scripted a Telegram bot.
This was the rudimentary piece I finished writing at 9:35 PM or something after getting dinner, while sitting on the mess staircases.
It’s self-explanatory so, yeah. That’s it.
Oh I forgot, I’m going to add Natural Language Processing in the next iteration, .. probably.
It was mixed. Really, really mixed.
When I posted it, it initially exploded, everybody was going nuts. It was scattered across every chat group of our college. Some loved it, others were scared and were abusing me. Some loved how cleverly I used the data, some didn’t. Some also threatened me.
My application became the epicenter for hours.
But, the important question was,
What was my reaction?
(That’s because I didn’t publish the bot publicly, didn’t use any personal data other than DOB (Date of birth) *pretty harmless*.
I didn’t distribute exploit code, nor tell anyone about the vulnerability, and I was going to report the bug.)
The Code? All the Technicalities?
Umm.. yeah, about that ..
Science and memes gel together like ice sticks to tongue. by Piyush Raj
Actually, it’s just two days after Engineer’s Day (exploiting the server),
aaand I haven’t made the Bug Report yet.
As it contains sensitive information, I can’t really publish it. Sorry.
Okay, at least, Skeleton code?
I’ll GitHub it. Don’t worry. #Hacktoberfest is Coming!
You can phrase it this way,
“This guy don’t want to post the source code, basically he’s a jerk.”
I’d prefer to state it in this very fashion,
“Be patient, good things take time.”
Choose what suits you.