Why and how did the 16-year-old hack the website of Trivi?

While I was looking at social media posts, I saw trolling about the new online service introduced by the Examination Control Office on its website. There was trolling about the page design, spelling mistakes and other things. I didn't know about the website before that. After I visited the website, I saw that the letters were wrongly written and the buttons were not aligned.

When looking at the page, it seemed at first like there was a bug (weakness) or a glitch. It was showing an error when trying to log in. After seeing that, I thought there was a 'loophole' to get access to this site. I thought I should check whether a site with such a glitch was secure or not.

I am also a student learning security testing, so I know what goes into testing it, and that is what I thought about. While doing the test, I found a 'loophole' on the university's website, which was also the endpoint. It had a page through which the admin could get access, and I accessed admin from that page.

Generally speaking, a cross-site scripting bug was found while creating an account on the admin login page of Trivi. There was no validation in it. Authorization was not checked. In one place, when trying to log in, the code was not developed properly.

So an error page was showing. While analyzing the error from that code, some indication of the admin page (server access point) was found in it. With the help of that same sign, I tried to log in, and the login worked. Then I made all the subsites redirect to my Facebook page through cPanel. Finally, I redirected the main page to my Facebook account.

As soon as anyone hears the word hacking, they think it is a threat. I used to feel the same when I was little. When I was in class eight, WiFi was installed in the school. At that time, I used to go and look at the password of the saved WiFi. Apart from that, when I was a child, whenever my mobile broke or I forgot my password, I was told to fix it in the village. From that, I became interested in technology and computers.

My first interest in hacking came from Free Fire when I was in class 10. It is not exactly called hacking in Free Fire; it is called modification. However, playing Free Fire from a mod APK gives the feeling of hacking. That got me interested in hacking.

Leaving that aside, I started learning how to modify mod APKs myself. While learning it, I only changed strings using the Java programming language. I used to change the string and put my name in the mod APK to make it look like mine.

That got me interested in coding. I started learning coding with Python. Later, other videos related to hacking started appearing on YouTube, and I learned from those too. After completing 10th standard, I came to Kathmandu, got access to the internet and learned more.

I am currently studying science in class 12 at CCRC. Hacking and cyber security are different topics. Although I have taken computer science as an optional subject in class 12, cyber security is not taught in it.

Since I have always been interested, I developed hacking skills through self-study online. Earlier, when I was self-studying, I used to create a virtual machine on my own system and test on it. While studying on my own, I tested on various websites to try to use it in real life.

The access I got is cPanel's system command access. It is called command injection. The command I run from here runs on the system. When I open the command prompt on my computer, my command runs on my system. Similarly, this is a bug where I can run a command from the client side of the website and get the response from there.
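The bug class described above, as an added example that is not code from the TU site or from the interviewee: a request parameter concatenated into a shell command string, a tokenizer that shows which extra commands /bin/sh would actually run, and the hardened version that validates the value against an allowlist and passes argv without a shell. The `ping` wrapper and the hostname field are assumed for illustration.

```python
import re
import shlex

# Shell control operators: each one ends the intended command and starts another.
SHELL_OPERATORS = {";", "&", "&&", "|", "||", "(", ")"}

# Strict allowlist for the assumed hostname parameter (letters, digits, dots, hyphens).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def build_vulnerable_command(user_value: str) -> str:
    """Flawed pattern: raw request data is glued into a string destined for /bin/sh.

    Whatever the shell treats as an operator inside user_value becomes a new command,
    and its output is returned to the client just like the intended command's output.
    """
    return "ping -c 1 " + user_value


def shell_tokens(command: str) -> list:
    """Tokenize the way a POSIX shell would, keeping operators as separate tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def injected_commands(command: str) -> list:
    """Return the command words a shell would execute after the intended one.

    Empty list means the string is still a single command. Also flags $(...) and
    backtick substitution, which run a command before the intended one even starts.
    """
    extra, after_operator = [], False
    for tok in shell_tokens(command):
        if tok in SHELL_OPERATORS:
            after_operator = True
        elif after_operator:
            extra.append(tok)
            after_operator = False
    if "$(" in command or "`" in command:
        extra.append("<command substitution>")
    return extra


def build_hardened_argv(user_value: str) -> list:
    """Fix: allowlist-validate the parameter, then build argv for subprocess.run(argv).

    With shell=False (the default) no shell is involved, so metacharacters are inert
    even if validation were ever loosened.
    """
    if not HOSTNAME_RE.fullmatch(user_value):
        raise ValueError("rejected hostname parameter: %r" % user_value)
    return ["ping", "-c", "1", user_value]
```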

The reason for hacking TU's site!

I also know that hacking is illegal. Leaking or hacking any data in an unsafe manner is a bad thing. But the thing is, I am a student who is learning. After going to the website and accessing the data, I wanted to report it.

No login form is provided to report a bug. No social media account is maintained either, through which we could report bugs. After not finding any place to report the bug, I also tried to contact the number given there, but there was no response.

After all that, I could not report the bug, so I thought about what I should do. It seemed that if the site was left like that, another hacker could leak the data. So I made the site redirect to my Facebook account to show that I had hacked it. If that happened, I thought, the staff of the Examination Control Office would see me directly, understand the problem and solve it.

After I got access to the official site of TU, I could also have redirected it to a fake ID instead of my own account. I could have redirected it to a phishing link or to a site that needs more visitors. If that had happened, my identity would not have come out. They would have been confused as to whom to contact to get the site back.

Since I used my official Facebook account, TU people can contact me directly. I have also put my email there. If you contact me by official email, I will give you all the information. If I had intended to leak data, I could have done so. But that is a bad thing. So I used my official account.

Hacking is not necessarily bad. Hacking is a skill. If it is used incorrectly, it is called black hat hacking. If the skill is used correctly, it is considered white hat.

I haven't leaked any data. No files have been removed or modified. I just redirected it to my account so I could report the bug. Hacking is legally wrong. However, I did not do it wrongly.

Not only this website; I have found a few other websites that have these security vulnerabilities. However, I am not trying to get access to those sites. There are many ways to leak data. However, I gained access by reaching the main administrator of the website. Before that, I had hacked my own college website. After finding a bug in that too, I took admin access.

Negligence on government sites

Most government websites have an insecure design, as proper validation is not done. Issues of granting access on the website, such as who can see which files, are not properly managed.

Some code that should run on the server side is being run on the client side. When such code is visible, more information can be obtained from it. When designing the site, the response between the server and the user must go in a hidden form. However, such responses are not encrypted on government sites.

Looking at the government website, it seems that the person who created it also has a weakness. When someone develops a website, they have to do all kinds of security testing beforehand. They made it public without testing. Anyone can get developer access. He thinks it is a weakness to keep his access as a user.

Not taking care of these things has created risk in government websites. Rather than hurrying to launch a website quickly, the site should go live only after meeting all the standards, so that quality service is provided in the right way.

No option is given to report bugs on official sites. I think it should be.

Now I am in 12th standard. After completing Plus Two, I am thinking of studying cyber security as a bachelor's subject. If that doesn't happen, I'll go for web development. I learned hacking out of passion. I myself am a full-stack developer.

I have good knowledge of PHP, databases and Python Django. I can make a website completely by myself. After Plus Two, I can do freelancing to earn income in this field. I can also do security testing in a legal way.

I participate in various programs that interest me and are related to cyber security. I go to the CTF program organized by Pentester Nepal. I participate in coding programs.

Many people think that hacking is a bad thing. Many look at it as theft of digital assets. My chosen field of hacking is white hat hacking. In it, I have adopted the code of conduct and used my skills accordingly.

In the matter of TU, I tried to report it properly, but that did not work out, so I redirected it to my own Facebook account. There is no wrong intention in it. You can understand the detailed reason by contacting me. For that, I have put an email in my Facebook profile, and I don't think that what I have done is illegal.

Last updated: Jan 18, 2080 11:39


Rabins Sharma Lamichhane

Rabins Sharma Lamichhane is a senior ICT professional who talks about #it, #cloud, #servers, #software and #innovation. Rabins is also the first initiator of Digital Nepal. Facebook: rabinsxp Instagram: rabinsxp
