How I hacked an online exam portal and gave my exam from my home?
Ever had a bad exam which you know you could have aced if you gave it from the comforts of your room? or if you were allowed to cheat? ’Cause I have that feeling all the time. There was this exam I recently gave, for the exam we had to go to the centre where the exam was being conducted everyone of us was allotted a PC where the web-page for the exam was already opened up in the browsers. We had to type in our credentials, login and then give our exams.
The exam went just above par, but being a crack head that I am, I couldn’t just be satisfied with that, I got adamant on finding a hack regarding it so as to be able to give the exams without being monitored in any way
The whole idea of giving an exam without being monitored was that I should be able to access the exam portal page. The problem comes down to, how to do it? The first idea was to check if the centre had a wireless access point of its own, so that I could hack into it and then access the exam page. The second idea was to get into some other floor of the building and use a ethernet connection to get inside the network.
But these ideas didn’t pan out, so after few attempts I left it for a few days. A week later I decided to carry out reconnaissance on the official website of the organisation that conducted the exam. I hoped that maybe something will pop-up that would help me out and I guess luck was just with me.
The amazing find
When I started to recon the website I went about it in the following manner
i) I first started with Maltego ( love the graph view ) and got a lot of data from the search and spread the whole graph to make proper sense of it.
ii) Simultaneously I was using dirbuster to find different domains that might be useful or I could use to gain access to the exam page, but there were too many domains so I put that on hold.
iii) Did a whois search to figure out more about the DNS and servers and where they are being hosted. Most of them were hosted by the institution itself inside its main building.
iv) Then I went ahead to find to the subdomains, for this work I prefer these two online websites Find Subdomain and DNS Dumpster , here my eye caught something I didn’t expect. I got a lot of data from both the websites but from DNS Dumpster I got a link resembling something like this particular link “http://www.onlineexam.institution.com ”.
Can’t be this easy
As soon I saw this I was sure that it has to be the website where they conducted the exams, at the same time I was also sure that it would not open in my browser. I was carrying out this recon from my home network. I thought it would ask me to join the institution network or it will ask me for some other kind of authentication, but then the magic happened when I opened the website up in the new tab, the webpage loaded exactly as it was when I was giving the exam. My happiness knew no bound at that point of time. To check if it was really working as it should I entered my login credentials and it displayed me this
And so that’s how I easily found a way to give the exam right from my home, without any need to go to the exam centre again anymore.
The admin of the page must be an idiot to host the exam page online for anyone to login from anywhere and give the exam.
i) The page should have been hosted on the local network so that only once you are inside the network then you can access the page and give your exam
ii) One more level of security should have been added, e.g. the invigilator’s code who is present in the exam hall or something like that so that it can avoid other users who have the login credentials from logging in.
Sometimes such small mistakes that seems unimportant in the beginning can lead to huge problems in the future.
If you enjoyed it please do clap and happy hacking!
Twitter : twitter.com/aditya12anand
LinkedIn : linkedin.com/in/aditya12anand/
E-mail : [email protected]