Kicked Around: Chapter 1: A New Beginning
I never dream.
My dreams are nightmares.
When I dream, I’m always fighting.
I’m always dying.
Not anymore,
Not today.
I am winning.
No more nightmares.
Goodbye darkness, my old friend.
"Today is going to be the start of a new beginning."
It was very early in the morning on a Sunday and emotions were mixed. Erik had just awoken from a short night’s sleep, and now he was filled with excitement for his new power.
"I’m awake because of you." 4:05 AM. Press return. Results: It fucking worked..."
Erik was reviewing the log file for a script that he wrote just hours ago. The script completed and had successfully pulled all of the grades for every graduating class since the system had been implemented along with the final grades for the semester for any current student. Erik scanned through several of the grades, just to see how his fellow students fared in their final semesters.
Erik had been at it since 10 PM last night when he made his initial discovery.
This particular episode started while watching an old sci-fi classic. Erik was in his bedroom, drowsily watching as the main character was given a choice. That choice was leading the character into a brave new world where he was forced to question everything, including what was real and what was a dream. Just at the character was waking up in the real world, Erik’s phone sounded with an alert of a new email from Erik’s High School, containing his final grades for the year. Erik turned off the TV and clicked the link for his grades. The action took Erik down a rabbit hole of discovery for the rest of the night.
The email that Erik received was from "Streamer High Staff" and had the subject "Semester Final Grades" along with a canned message in the body. In the body of the email, there was a web link that contained Erik’s grades for the semester. This was typical. Erik would receive a similar email from the school at the end of each semester that Erik could use to find out his grades. The web link sent to him had a name-value pair alphanumeric parameter (letters and numbers) at the end of it. The value was 32 characters in length.
"Looks like a hash value," Erik thought when he was reviewing his grades in the browser.
A cryptographic hash is a "one-way" algorithm. It’s used in modern computing as a means to store passwords securely. The concept around a "hash" is you can hash a value, but you are not supposed to be able "un-hash" the hash. This way, passwords can be stored on a system without anyone being able to read them easily.
Erik decided to view the link in a full desktop browser, so he opened his laptop. The screen turned on to the state it was in before Erik last closed the lid to his laptop. There was a web browser window opened to the "Guns A-Blazing" message board on a thread with the title "Team Onyx wins Annual Vegas Open!". Erik opened a new browser tab and navigated to the link in his email. Curious, he opened up another new browser window and researched weaknesses in cryptographic hashes. A very popular algorithm known as "MD5" was used widely amongst developers for many years and was now susceptible to a "brute force attack." An attacker would use what is called a "rainbow table" to check this hash against a database of hashes to find a match. The database would contain both the "plaintext" value (the "pre-hashed" value) and the hashed value. This comparison allowed Erik to find out that the plaintext of this MD5 hash value was "Thisisabigpassword123!655321."
"Wow," Erik thought. "That number at the end looks familiar."
Erik reached into his back pocket and pulled out his wallet. Erik found his student ID and looked at his student ID number on the card: 655321.
"That’s interesting," he thought with a smile creeping onto his face.
The value "Thisisabigpassword123!" appeared to be a "salt," a means of adding randomness when hashing a value. However, this salt didn’t appear to be random at all.
"I wonder if that’s the same salt that they are using for everyone," he thought.
"Let’s try this," Erik said as he incremented his student ID number by 1, making it 655322. Then, Erik hashed the new ID number with part of the string value he found: "Thisisabigpassword123!655322."
Erik took the resulting MD5 hash value and replaced the hash value in the URL with this new hash value. Erik opened a web browser and sent the request. The response was a web page with the grades for "Jeffery Mertons." Jeffery was in Erik’s grade. Erik didn’t know him personally, but he recognized the name because it was the next student that was shown after Erik in the class yearbook every year. Erik’s smile got wider.
With this knowledge, Erik was even more curious, so he wrote a shell script that submitted requests to the URL with a new ID starting at 1 and ending at 1 million. The ID would be appended to the same salted value he found and then hashed using the MD5 algorithm. The script made a GET request to the web server and responded with the final grades of the corresponding student for the current semester. The script saved the grades to an HTML file (a web page file) with the ID appended and the name in the title tag of the page, which was conveniently labeled with the name of the student. The file looked like this "ID - Name.html." When opening these files, they would open in any browser to view.
Erik starts up his script.
'This is probably going to take a while,' he thought.
Erik looked at the time; it was midnight. Erik was exhausted, so he jumped in his bed and fell asleep. He woke up around 4 AM and quickly went to the laptop to view the results.
Reviewing the logs, Erik noticed that there were several blank records mostly from form ID 1 to 100000. For those records, there were no grades.
'The programmer probably started the IDs at 100000,' Erik thought.
This is common in web applications, because if you see an ID start with number 1, people may try what Erik just did.
'Security through obscurity,' Erik thought. "Hey, I guess it worked for ten years." Until today.
Erik clicked through several of the grades. Then, he started doing searches by name to see what some individual students grades were. This continued for about 2 hours, checking the grades of several students who he knew to be braggers of their academic accomplishments. Strangely, he found that some weren't the straight-A students that they postured themselves to be in front of the rest of the students. In turn, he also looked at grades of some students that had bad reputations. Most of these students had grades that matched their poor image at the school. But surprisingly, he found students that were "known" for their non-school extra-curricular activities that were far from academic, yet these students had better grades than some of the students that 'acted like they were smart.'
Eventually, Erik became bored and tried something else. Erik removed the name-value pair of the URL and submitted a new request in the web browser. The response showed a login page.
'I wonder,' Erik thought.
Erik entered "admin" in the username field, and the salt he found in the password field "Thisisabigpassword123!". The site responded with "Login success" along with a search page for every student who ever went to Streamer High.
"Hole. ly. shit...," Erik said slowly under his breath.
Erik just hacked into the server that stored all the grades. He clicked the first name for "Aaron Adams." There were Aaron’s final grades, with the ability to edit them.
The site had everything: all grades, personal information, address information, phone numbers, parent contacts, emergency contacts, disciplinary action, everything. It was the school’s database for storing all the permanent records of all the students that had ever attended Streamer High School.
Erik navigated to his own page on the website. In the form, there was a button to "Reset Student Grade Link." Erik assumed this was to change the URL of the record's external grade link. Erik continued searching the site for other actions that were available. In the "Users" section, Erik found that he could reset passwords for all the users in the application. All of the administrative staff and teachers each had their own logins, including the principal. Erik could change the principal’s access to the site to a regular teacher if he wanted to. The power Erik felt was amazing. Thinking about how Erik was going to wield this new weapon, his mind floods with anger and hatred towards one individual. Jacob.
The bad blood caused by years of conflict was now coursing through Erik. Erik searches for Jacob Schmidt.
"Oh Jacob, it’s too bad you failed shop," Erik laughed to himself.
Erik threw caution to the wind as he updates Jacob’s grade to an "F" for Industrial Arts. Erik didn’t consider the consequences. In this moment, he felt vengeful and righteous.
"Poor Jacob. The fucking idiot couldn’t make a lamp. Maybe, just maybe, you’ll stop fucking with people," Erik says to himself.
In Erik’s mind, Jacob was a total asshole. He was on the Streamer High School Varsity Football team. Jacob was twice the size of an average Streamer High Student and he loved to use his size to his advantage, bullying those smaller than him. Jacob was built like a brick shithouse with a personality that matched the contents of the structure. Jacob had tormented Erik since Junior High. Jacob's harassment became worse over time. In Erik's Sophomore year of High School, the bullying was so severe that Erik ditched a class he had with Jacob for the entire year just to stay away from Jacob. The school called Erik and his mom in for a conference, trying to determine why Erik’s straight-A record had this blemish. Erik didn’t dare say who he had a problem with, but Erik did admit that he had issues with a student in the class and it was affecting him personally. In the end, the school agreed to overwrite the grade if Erik took the class over summer school, which he did. The school updated the grade, and the F was changed to a B.
And then, there was senior prom. It was just weeks ago, but Erik was doing all he could to try and forget it. Up until that point, he had never been part of something so traumatic. What Jacob did was unforgivable in Erik’s mind. He crossed a line that couldn’t be overlooked. Erik couldn’t wait for the opportunity to exact revenge in a manner that would cause both shame and embarrassment, the way that Erik felt on a day that should have been a happy memory. Erik blocked out the recalling memory, as he focused on his actions here and now.
Erik continues to reflect on the change in grade. What if Jacob was really held back a grade? Then he would continue to torment others that are now even smaller than Jacob, given that Jacob will be a year older and even bigger than the new incoming students at Streamer High. The more things change, the more they stay the same. No, Jacob’s parents will force him to take summer school so that he can graduate and move on to the next stage of his life. Or, maybe, Jacob will have to take over Erik’s old job and flip burgers for the rest of his life while people from school point and laugh at him.
"No," Erik thinks. "He’ll take this up with the teacher, who will tell the principal, and the principal will review the submitted grades and see that someone used the admin account to update Jacob’s grade. And then, what will they do? Who the fuck cares? I’ll be long gone by then."
This action was rather brazen of Erik. Erik was very reserved in High school. He was mostly a straight A student with the occasional B, but he had only one lasting blemish on his record for getting a C in Gym.
"Fucking Soban," Erik would say to himself whenever he thought about his gym teacher. "I did the fucking pull-up. Does it really matter that I can only do 1?"