BAS Portal Admin Interface

Discovering Default Credentials in BAS Portal Admin Access

Cybersecurity

11/28/2023

Discovery Process

During a security assessment of the BAS portal, I discovered a significant vulnerability in the administrative interface. The portal, accessible at http://bas.iitgn.ac.in:81, was found to be using default credentials, potentially allowing unauthorized access within the IITGN-SSO network.

Initial Investigation

  1. Port Scanning

    • Target: BAS portal (IP: 10.0.137.172)
    • Discovery: Open service on port 81
    81/tcp   open  hosts2-ns

  2. Access Verification

    • Located admin login portal for Smart Office Online
    • Research revealed default credentials:
      • Username: “smart”
      • Password: “smart”

Security Implications

The vulnerability could allow unauthorized users to:

  • Access administrative functions
  • Modify user accounts
  • Add or delete users
  • Manipulate system settings

Responsible Disclosure

After discovering this security issue:

  1. Documented the vulnerability
  2. Reported findings to appropriate authorities
  3. Monitored remediation process

Resolution

The security team took prompt action:

  • Service on port 81 was removed
  • Default credentials were addressed
  • Access controls were strengthened

Impact and Learning

This experience was particularly meaningful as my first bug discovery:

  • Reinforced the importance of security testing
  • Demonstrated the value of responsible disclosure
  • Motivated further security research
  • Highlighted the impact of proactive security measures

Visual Evidence

Below is a screenshot of the admin interface that was accessible:

BAS Admin Portal Interface

Conclusion

This discovery emphasizes the importance of:

  • Regular security audits
  • Strong access controls
  • Changing default credentials
  • Proper network security

Happy (Ethical) Hacking! 🔒

Other Posts
App Script to Auto Shedule meets based on mails

App Script to Auto Shedule meets based on mails

I used Google App Script to Auto check my mail and shedule meet on calender if any

5/12/2023
AutomationGoogle App Script
Technical Lead at EII and E-Summit

Technical Lead at EII and E-Summit

Leading the development of websites for EII (Entrepreneurship Initiative at IIT Gandhinagar) and E-Summit

5/12/2023
Web DevelopmentLeadership
Issue Tracker

Issue Tracker

A comprehensive issue tracking system inspired by IITGN Maintenance Portal

5/12/2023
Web DevelopmentFlaskMySQLPHP
YouTube-Inspired Portfolio

YouTube-Inspired Portfolio

A modern portfolio website with YouTube-like interface for enhanced user experience

5/12/2023
Web DevelopmentAstroUI/UX Design
OWASP Nest: Open Source Contribution

OWASP Nest: Open Source Contribution

Active contributor to OWASP Nest - A gateway project for navigating OWASP resources

12/18/2024
SecurityOpen SourcePythonReactDjango
Software Intern at Ripplica

Software Intern at Ripplica

My role at Ripplica

8/20/2025
AIAutomationPythonGoogle Cloud platformFlask
SRIP Portal Serverless Migration

SRIP Portal Serverless Migration

Modernizing IITGN SRIP portal with serverless architecture - A course project under Prof. Sameer G. Kulkarni

5/12/2023
PythonFlaskServerlessKubernetesKnative
Tico: A Git Clone Implementation

Tico: A Git Clone Implementation

A command-line version control system inspired by Git, developed for Winter of Code 2.0

5/12/2023
pythongit
Interactive Course Timetable

Interactive Course Timetable

A dynamic web application for managing and viewing academic course schedules

5/12/2023
Web DevelopmentFlaskPythonCI/CDAutomationGoogle App Script
Innovation Journey: My Experience at IIT Jammu Invention Factory

Innovation Journey: My Experience at IIT Jammu Invention Factory

A transformative internship experience focused on innovation, teamwork, and developing mobility solutions for the elderly

7/20/2023
Product DevelopmentProblem Solving
Discovering Default Credentials in BAS Portal Admin Access

Discovering Default Credentials in BAS Portal Admin Access

A case study of responsible vulnerability disclosure: Finding and reporting default credential access in an administrative portal

11/28/2023
Cybersecurity
Discovering and Reporting Security Vulnerabilities in IITGN Computer Labs

Discovering and Reporting Security Vulnerabilities in IITGN Computer Labs

A responsible disclosure of remote access vulnerabilities found in IITGN computer lab systems

12/3/2024
Cybersecurity
My Journey Through NDA SSB: A Personal Experience

My Journey Through NDA SSB: A Personal Experience

A detailed account of my five-day Service Selection Board experience at the Air Force Selection Center, Gandhinagar

7/15/2022
Life ExperienceLeadership
Void Battle: A Terminal-Based Space Combat Game

Void Battle: A Terminal-Based Space Combat Game

An engaging text-based space combat game developed during the Technical Council Competition

11/29/2024
Game DevelopmentPython
Understanding the Dark Web: A Security Perspective

Understanding the Dark Web: A Security Perspective

An educational exploration of the dark web, its technologies, and associated security considerations

11/29/2024
Cybersecurity