AAST, well well well...
There's lots of stuff to say about AAST-"Arab Academy for Science and Technology"
This little post is just talking about the damn stupid administration!!
and to prove some stupidity in the AAST system !
Let's start by the weak username/password combinations, who has guessed "asd:asd" ?!, yup it's a root user password on their server !:-)
I was just trying to SSH their server and attempted to login using the "asd:asd" combo, it just worked !.
Of course I wasn't attempting to steal or do any harm, but who keeps their servers wide open that way ?, unless you're ignorant or something !
Another thing was the stupid FTP users !
try FTPing aast.edu using "toto:toto"
Who the hell is toto ? and why is a person called toto supposed to get FTP access to the server ?!?! lol :-D
If you also try to FTP aastmtic.aast.edu using anonymous login, you'll get a fantastic reward, a file called "deployment_kit.zip", you must check that out !, it logs in to their server, and manipulates student data and similar administrative tasks, the only problem is that you must be running the app while connected inside their network, being the AAST Alex or Cairo branch, I'm not sure ! you can test that yourself !.
Sometimes what you also get while FTPing aastmtic.aast.edu is a Google Earth photo of Mecca !:-), I think the webmaster is playing around or something, is he being paid to post photos of Mecca ? , the page has been under construction for about... since I joined AAST, about 3 years!, go to work you lazy bastard !
Now let's be so damn secure about the registration process !!, let's use JavaScript to disable some stupid textboxes so the student won't input how many hours he registered !, WAKE UP, IT'S JAVASCRIPT you moron !!.
JavaScript runs on the end-user's side , which is completely controllable by any little kid that's learning ABC !
Hey , disabling a textbox is not secure enough , let's put a Pin code and store it in a flat text file on each computer's desktop in the AAST !.. what do they mean ?!, are we stupid animals not noticing what the hell this pin code is for ?!
Well, if that's not enough, the damn smart administrator is thinking about being so damn secure, so he checks if your IP address is from inside their network or not, but just on the first page that asks for the pin code ! well, I just tried to open any other page in the registration process and it opens up as if I own the god damn university !, removing subjects, doing whatever I want !.
Well, I've notified the system admin, he did a great job , just deleted the files in the registration folder for a while, then put them back later, he was thinking maybe people would've forgotten by then !:-D
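The two registration flaws described above (hour limits "enforced" by disabled JavaScript textboxes, and the network check made only on the PIN page) both come down to checks the server never repeats. A minimal server-side sketch of the fix, added here as an example and not code from AAST or the original post; the network range, course catalog, hour limit and session table are constructed assumptions:

```python
import ipaddress

# Constructed sample data (assumptions, not values from the post).
CAMPUS_NET = ipaddress.ip_network("10.20.0.0/16")
CATALOG = {"CS101": 3, "MA201": 4, "PH110": 3}   # course -> credit hours
MAX_HOURS = 18
SESSIONS = {"tok-1": "student-42"}   # token issued after the PIN step
REGISTRATIONS = {"student-42": {"CS101"}}


class Denied(Exception):
    """Raised when a request fails a server-side check."""


def authorize(request):
    """Gate applied to EVERY registration page, not only the PIN page."""
    # Use the socket peer address; client-supplied headers are not trusted.
    if ipaddress.ip_address(request["remote_addr"]) not in CAMPUS_NET:
        raise Denied("outside campus network")
    student = SESSIONS.get(request.get("session"))
    if student is None:
        raise Denied("no valid session")
    return student


def protected(handler):
    """Decorator: a handler cannot be reached without passing authorize()."""
    def wrapper(request):
        return handler(request, authorize(request))
    return wrapper


@protected
def add_course(request, student):
    course = request["form"].get("course")
    if course not in CATALOG:
        raise Denied("unknown course")
    # Any 'hours' field sent by the browser is ignored: the total is
    # recomputed from the server's own catalog.
    current = REGISTRATIONS.setdefault(student, set())
    total = sum(CATALOG[c] for c in current | {course})
    if total > MAX_HOURS:
        raise Denied("hour limit exceeded")
    current.add(course)
    return total


@protected
def drop_course(request, student):
    current = REGISTRATIONS.setdefault(student, set())
    current.discard(request["form"].get("course"))
    return sum(CATALOG[c] for c in current)
```

The student identity comes from the server-side session, never from a form field, so a request can only change the registrations of the student who authenticated.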
I've also discovered really stupid stuff, the webmaster was learning how to use PHP or something, there was like a ton of hello world scripts lying everywhere on the server !, the problem is that he/she didn't even compile PHP into the server !!
there are like a couple of thousands listed directories available at google using simple keywords, try searching for that in google:
"site:aast.edu intitle:index of"
you'll get all the indexed pages !:-), you'll find lots of pin codes/passwords/ personal photos and stuff !:-)
I've been everywhere on the AAST servers, so much that I can't even remember all of the places I've been !!
I've attached an archive of all the files I've got off their servers, including some important m$ access databases of students/workers data and stuff like that !
please feel free to take these files, and continue the crack I've started !:-)
but please make sure that you're not causing any harm , I've notified the Sys admin of all the mistakes on the server, and it's his/her problem of not taking action !.
I'm posting those files just for educational purposes, and I encourage you to take over what I started, just for knowledge and the hell of it!:-)
Stuff to keep in mind that I discovered and wanted you to know:
-SQL injection is available on most of the pages, so keep it in mind.
-Google hacking is your best friend while finding stuff on AAST, you can even find *.SQL files and juicy backup files :-)
-There's a MSSQL server now running somewhere and I'm 80% sure it has root access enabled without a password "default installation comes like that", find it !
-There's a M$-access database with juicy student data, lying somewhere in http://aastmtic.aast.edu !, I've given up finding it ! , maybe someone someday will !:-)
-You can access lots of student data using the registration process pages:
http://aastmtic.aast.edu/ux-registration
I won't spoon feed you , but you'll find something for sure "I've found lots of stuff"
Get the files I got off the AAST servers here:
Download(45Mib)
Use those files and the info I've given you to learn about security of our university :-)
Remember : The main goal behind this project is just to LEARN , without causing any HARM or TROUBLES !!
If you need any help or have got any questions, don't hesitate to contact me !
Enjoy and have fun kids:-)
7 comments:
thank you very much for this information but can you explain more
Hi Ahmed,
you are welcome :)
what would you like me to explain ?
hope you've found the info useful.
WOW! What a post! :D I guess we should print hundreds of copies of this post and stick it everywhere inside the campus XD
I was wondering if I can change all my grades to A+!! LOL :D
Hello Hesham ;)
Yeah , it's one of my dreams to post it everywhere ;)
but you know, since the new "beta" webby was released, I didn't really have enough time to explore the TONS of vulnerabilities it has got ;)
but most of the system isn't running yet, so I'm waiting to find some free time "I'm taking graphics course this summer" !
so, sooner or later, we might be able to change all our grades to A+ too ;), but you never know how the paperwork will go , so it might end up useless
I just do it for fun and the hell of it of course ;)
Enjoy your stay in the blog :)
do u know any of registration pins????
do u know any of registration pins???????
Hey Omar,
No, I do not know any, there's no reason to know one as the registration pages are very vulnerable to SQL-Injection attacks
you can also register using your own Reg/Pin combo.
see you around