The story begins during lockdown.
I come to my hometown due to the nationwide lockdown & soon realize that the fiber connection provided to me by my local cable operator lies dead.
I have no way to get online apart from my phone's hotspot, so I call up the cable operator. The cable operator agrees to activate my account, but he was taking too much time. I was growing impatient and I began to hack.
First I gathered the information at hand. Well, for starters, my ISP uses PPPoE authentication and the password is the same as my username, which means that for all users the password is their username. Hence, if I know the username of any other active user on the network, I can log in to my router, change my credentials and get online. This will be helpful later.
I remember my cable operator stating that one could log in to their online portal to check usage and pay online.
A quick Google search lands me on their login page.
"Your LOGO Here"… this web app is clearly not developed completely; it would barely function & that's good news.
I try logging in with my PPPoE credentials and I am logged in to my account. I could now access my usage, pay online & also change my plan.
The status of my account says that I am offline. Well, I need to find another account whose status is online. One thing I could do here is brute-force my way in to the portal and, if I get a successful login, use the same to log in through my router. That should work, right?
Well, it might, but it will take forever to find a valid login, as the usernames are not sequential numbers; they are rather based on customers' information. Also, I have removed my username from the screenshot for obvious reasons.
And therefore I move on to plan B: identify an easier way to find other customers' usernames.
One place I did find my username was in the invoice section of the web application.
I have an option to print or download my invoice. I click on print and the following page opens.
Voilà, my username is mentioned in the invoice. Also, the URL of the invoice page seems interesting,
where, assuming 111111 is my order ID,
my very next step was to check if I could access others' invoices. So I replaced 111111 with 222222.
And I got this page,
Well, I didn't lose hope; there still was an option to download invoices.
This allowed me to download the file to disk. I replaced my ID 111111 with 222222 and this time it was different.
There was no authorization check on this specific endpoint & I got this.
I got an empty file, though, but if I had put a valid invoice ID instead of 222222 I would have got a valid file with a username in it.
And I could use that username to log in & get unlimited internet. But there's one problem, though:
I'm constrained to use whatever internet plan the victim has paid for. I will not be able to switch my plan unless I find a victim who has already subscribed to a better plan than mine. Finding such a customer using trial & error takes a really long time. I could have used Burp or some Python magic to automate this process to download & search through thousands of invoices to find those customers with the best-in-class internet plan.
But I had other plans, and by the way, the cable guy fixed the internet issues & I was back online, on a 20 Mbps 100 GB FUP plan.
More about this soon!
Till then Happy Hacking :)
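
The missing authorization check on the download endpoint, next to a fixed handler and a regression check that catches routes which skip the ownership test. This is an added example, not the portal's code: the function names, usernames and the invoice ID 333333 are constructed, and it assumes the print route rejected the foreign ID, as the post implies.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    owner: str   # portal username printed on the invoice
    body: bytes

# Constructed sample data: usernames and invoice bodies are placeholders.
INVOICES = {
    111111: Invoice("alice", b"invoice: alice"),
    333333: Invoice("bob", b"invoice: bob"),
}

class NotFound(Exception):
    """Raised for missing and for foreign invoices, so the two look identical."""

def load_invoice_for(session_user, order_id):
    """The one lookup every invoice route must go through."""
    inv = INVOICES.get(order_id)
    if inv is None or inv.owner != session_user:
        raise NotFound(order_id)
    return inv

def print_invoice(session_user, order_id):
    return load_invoice_for(session_user, order_id).body

def download_invoice_vulnerable(session_user, order_id):
    # Flaw from the post: the session is never compared with the invoice owner.
    inv = INVOICES.get(order_id)
    return inv.body if inv else b""   # unknown ID -> empty file

def download_invoice_fixed(session_user, order_id):
    return load_invoice_for(session_user, order_id).body

ROUTES = {
    "print": print_invoice,
    "download_vulnerable": download_invoice_vulnerable,
    "download_fixed": download_invoice_fixed,
}

def leaky_routes(routes, user, foreign_id):
    """Regression check: names of routes that serve `user` someone else's invoice."""
    leaky = []
    for name, handler in routes.items():
        try:
            if handler(user, foreign_id):
                leaky.append(name)
        except NotFound:
            pass
    return leaky
```

Running `leaky_routes` over every invoice route in a test suite catches the case in the post, where one route enforces ownership and its sibling does not.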