How I Secured The Indian Army?

Hello, Infosec Community!

I am Guru Prasad Pattanaik, also known online as “TH3N00BH4CK3R.” Today, I want to share an incredible journey into cybersecurity and my contribution to securing one of India’s most esteemed organizations — the Indian Army.

First, let me clarify: I did not hack the Indian Army. Their internal communications and operations are securely managed through an intranet. Instead, I discovered the vulnerability on a Regimental Family Welfare Website maintained by the Regiment itself. Which is technically part of the Indian Army, this website was publicly accessible and was exposing critical data.

Before delving into the details, let me provide some context. I come from a family deeply connected to the ethos of the Indian Army. My father was the first from our native village to serve as a Non-Commissioned Officer (NCO) in the Indian Army. I grew up attending Army Public School, where stories of courage, discipline, and patriotism were a part of everyday life. The officers' inspiring personalities, communication skills, and camaraderie they shared left a lasting impact on me.

From a young age, I dreamed of becoming an officer in the Indian Army. “My ultimate goal was to salute my father in uniform”, continuing a cherished family legacy. To achieve this, I appeared for the National Defence Academy (NDA) and 10+2 Technical Entry Scheme (TES) exams. While I cleared the written tests, I was screened out twice and conferenced out three times during the Services Selection Board (SSB) interviews, exhausting my chances as a school graduate.

Determined not to give up, I planned to pursue graduate-level entries like the Combined Defence Services (CDS) and Air Force Common Admission Test (AFCAT). However, the COVID-19 pandemic disrupted these plans, and I shifted my focus to online learning, enrolling in a Bachelor of Science in Physics program.

During this time, I discovered cybersecurity and bug bounty hunting through YouTube and social media. Though my heart remained with the armed forces, I decided to embrace cybersecurity as an alternative path, hoping to contribute to the nation in a different capacity.

While preparing for SSB interviews, I often referred to official Indian Army websites and credible sources like Wikipedia for information. One day, out of curiosity, I revisited the Regimental Family Welfare Website to verify details about Sword of Honour winners from the Regiment.

To my surprise, the website was running an outdated version of WordPress. I did a quick check using Wappalyzer which revealed an absence of a Content Delivery Network (CDN) or Web Application Firewall (WAF). As a cybersecurity enthusiast, I saw this as an opportunity to test my skills.

Using Burp Suite, I explored the website’s requests and endpoints but initially found nothing significant. The static website lacked login or signup options, limiting potential vulnerabilities. However, knowing it was built on WordPress, I used WPScan to check for known vulnerabilities. The scan revealed several Common Vulnerabilities and Exposures (CVEs) and outdated plugins.

Explanation of Flags:
1. — url https://targetsite.com: Specifies the target WordPress site URL.
2. — enumerate: Enables detailed enumeration. You can specify:
3. ap (All Plugins)
4. at (All Themes)
5. cb (Config Backups)
6. dbe (Database Exports)
7. u (Users) Use the flags based on your scope and the information you want to gather.
8. — api-token YOUR_API_TOKEN: If you have an API token from WPScan, it allows you to fetch vulnerability data from their database.

Most endpoints returned 404 (Not Found) or 403 (Forbidden) errors, but the hacker mindset teaches us that what’s denied is often worth exploring. I used a GitHub tool called 4-ZERO-3 to dig deeper.

To my astonishment, I discovered sensitive information, including names, photos, email addresses, residential addresses, ranks they retired with, and dates of birth. This data, likely stored for communication purposes, belonged to veterans. The criticality of this information and its potential misuse were clear to me.

Government websites typically require vulnerability reports to be routed through NCIIPC or CERT-In. I reported the issue to CERT-In and, considering the Regimental Centre was in my hometown, I decided to notify the concerned authorities directly.

I compiled a detailed report outlining the vulnerability, the exploitation process, and the exposed data. The next morning, I visited the Regimental Centre and requested to meet the senior officer (Adjutant). Fortunately, The Provost Marshal directed me to the senior officer (Adjutant).

In the Adjutant’s office, I presented my findings and demonstrated the vulnerability’s impact. He acknowledged the issue and took me to the Deputy Commandant. After another detailed explanation, the Deputy Commandant made a surprising call — to my father.

When the officer called my father, I was anxious. However, what followed was beyond my expectations. The officer told my father, “Sir, your son is a genius with a brilliant mind. We need more people like him in our nation. We are proud of him.” Hearing these words brought tears to my eyes. It felt like a fulfillment of my dream to serve the armed forces, albeit in a different way.

We had an engaging discussion about my SSB experiences, cybersecurity, and the officers’ academy days. The officers appreciated my efforts, granted me a letter of appreciation, and encouraged me to continue contributing to the nation.

This experience was a turning point in my life. Although I couldn’t wear the uniform, I felt I had served the nation in my way. It reaffirmed my belief that patriotism can be expressed in countless ways beyond traditional roles.

To my fellow cybersecurity enthusiasts: keep learning, stay ethical, and contribute wherever you can. Every effort, no matter how small, makes the world a safer place.

Thank you for reading my story!
Don’t forget to like, share, and comment! Keep learning and growing!!

LinkedIn: https://www.linkedin.com/in/guru-prasad-pattanaik/

Instagram: https://www.instagram.com/guru.p05/

Twitter: https://x.com/gurupra9161