How did I hack the Dutch government and make it into the Hall of Fame?

Krishnadev P Melevila
Published in InfoSec Write-ups
4 min read · Jun 25, 2023

Heyyyy guyss! It’s me, Krishnadev P Melevila. It’s been a long time since I wrote on Medium.

Today, I am here to demonstrate how I was able to hack the Dutch Tax administration, and how I came to make it into the Hall of Fame!

So, now it’s story time!

It’s the dream of every security researcher to be in any hall of fame and to receive the iconic T-shirt from the Dutch government!

My intention was the same. I actually started hunting on Dutch websites for this T-shirt, but got something more than that! I will come to that point very soon.

So the first spark for testing came when one of my friends, who is also a researcher, got this T-shirt from the Dutch government by finding some other vulnerability. He put that as his WhatsApp status, and the professional jealousy inside me woke up :)!

So, I got a GitHub repo containing many Dutch website links and started recon on each of them. Started one by one.

10s, 20s, 50s were tested, and nothing interesting…

I felt like giving up, but some factors held me there.

After spending 1–2 days on this list, I finally found a vulnerability on a target: fcinet.org

Now let’s talk about the vulnerability!

1. I visited the link: fcinet.org

2. I found a login route for the admin/staff

This is a modified page after the patch!

3. The main vulnerability: there was a register route for the admin!!!

So, one can directly register and log in as an admin!
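To show the class of flaw described above and its fix, here is an added example (not code from this write-up or from the affected site, whose implementation the post does not show). It models an admin registration handler with no caller check next to a guarded one; the `App` class, handler names, tokens and users are all hypothetical and constructed for illustration.

```python
# Added example: framework-free model of an unguarded admin registration
# route and a hardened version. All names and data are hypothetical.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    role: str  # "admin" or "staff"

@dataclass
class App:
    users: dict = field(default_factory=dict)     # name -> User
    sessions: dict = field(default_factory=dict)  # session token -> name

    def current_user(self, token):
        """Resolve a session token to a User, or None if unauthenticated."""
        return self.users.get(self.sessions.get(token))

    def register_admin_open(self, token, new_name):
        """The flawed pattern: nothing checks who is calling."""
        self.users[new_name] = User(new_name, "admin")
        return 201

    def register_admin_guarded(self, token, new_name):
        """Hardened: only an authenticated existing admin may create an admin."""
        caller = self.current_user(token)
        if caller is None:
            return 401  # not logged in
        if caller.role != "admin":
            return 403  # logged in, but not allowed to create admins
        if new_name in self.users:
            return 409  # never overwrite an existing account
        self.users[new_name] = User(new_name, "admin")
        return 201

def demo():
    app = App()
    app.users["root"] = User("root", "admin")  # constructed seed data
    app.users["bob"] = User("bob", "staff")
    app.sessions = {"tok-root": "root", "tok-bob": "bob"}
    results = {
        "open_anonymous": app.register_admin_open(None, "x1"),
        "guarded_anonymous": app.register_admin_guarded(None, "x2"),
        "guarded_staff": app.register_admin_guarded("tok-bob", "x3"),
        "guarded_admin": app.register_admin_guarded("tok-root", "x4"),
        "guarded_duplicate": app.register_admin_guarded("tok-root", "root"),
    }
    return results, sorted(app.users)

if __name__ == "__main__":
    print(demo())
```

The same check belongs in a test suite: every route that creates or elevates a privileged account should return 401 or 403 for an anonymous or low-privilege caller.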

I then reported this to cert@ncsc.nl

They rewarded me with the Hall of Fame and a trophy!

Hall of fame: https://www.belastingdienst.nl/wps/wcm/connect/bldcontenten/standaard_functies/individuals/contact/data-leak-vulnerability-abuse-computer-systems/hall-of-fame-cvd

Trophy:

Letter of appreciation:

COMMUNICATION LOGS:

1. Reported through https://english.ncsc.nl/contact/reporting-a-vulnerability-cvd on 25–01–2023 10:45 PM

2. Received automated mail on 25–01–2023 11:10 PM

3. Triaged on 26–01–2023 02:39 PM

4. Asked to contact the organization directly on 30–01–2023 04:23 PM

5. Contacted them with current status on 30–01–2023 5:31 PM

6. Received confirmation mail on 31–01–2023 02:53 PM

7. Patched and asked for details for Hall of Fame and trophy on 03–02–2023 07:53 PM

8. Hall of Fame added and trophy dispatched on 13–02–2023 09:36 PM

9. Parcel shipped on 15–02–2023 at 02:25 PM

10. Trophy received on 16–03–2023 at 4:00 PM

Don’t forget to follow me on Medium and other social media. Also, please give your 50 claps for this write-up; that’s my inspiration to write more!!

My Instagram handle: https://instagram.com/krishnadev_p_melevila

My Twitter handle: https://twitter.com/Krishnadev_P_M

My LinkedIn handle: https://www.linkedin.com/in/krishnadevpmelevila/

Web Application Penetration Tester | Cyber Security Enthusiast | Secured Mahatma Gandhi University, Entri App, Linways, Kerala Public Service Commission & More