The Taker

Mike's tale of mischievousness

The Taker

Hello everyone, thanks for joining me here on my journey as a writer!

The story is about a vulnerability called default credentials.

I wrote this fictional story as a way for me to share one of my findings from my experiences working as a penetration tester.

Hopefully, everyone would enjoy it despite it being my first time writing such a story!


I woke up at 7 am, feeling groggy and timid.

"I need to get my coffee, this morning feeling always makes my mind works so slow." I complained.

As I tilted from my bed and while reaching out for my phone. I saw a message coming from my friend Zion.

Zion is a friend of mine who is into software development and game development. Zion and I met 2 years ago when I was starting out, he helped me a lot in understanding the process of how applications are developed and other software development-related concepts.

"Hey Mike, are you up?"

"Yeah, I just woke up." I replied.

"Can you help me with something?" Zion replied.

"Sure!!" I replied.

Oh, before we proceed let's not forget to introduce ourselves, shall we?

I am Mike and this is one of the many stories I have. I am an 18 years old kid who had just started hacking recently. I used scripts and tools created by other hackers to do my hacks. And there's actually a term for this type of hacker "Script Kiddies".

And yes, I am a script kiddie. But to be honest I really don't care what they call me, as long as I can hack then I'm going to use everything I can.

That's probably it about myself, now shall we continue with the story?

My mind was still working slowly at this point and my vision was also a bit more blurry than usual.

Ugh, I really do need my coffee.

So I threw off my phone at the other side of my bed and started getting up to get some coffee.

Having gotten my coffee, I'm starting to feel great and awake at this moment. Though I seem to have forgotten something.

Oh right! Zion asked me whether I could help him with something. Shit! Recently, I have been having issues with my memory, I wonder if there's something I can do about this but let's see to it later.

As I went to my bed and reached out for my phone. There was already a message from Zion 30 minutes ago.

"Can you log in to my account and send me my recent grades?"

Here are my credentials:
User: cx50
Password: CerberusEurope

"Will do" I replied.

I'm acquainted with Cerberus at this point. In fact, I have been using it before. Cerberus is a training facility that provides people with training in the IT field and that includes software development, network maintenance, and project management. The quality of what they teach is really great and I learned many things from them that molded my foundation.

As I reached Cerberus's website I was greeted with two options to log in.

A login option for the customers and a log-in option for the staff.

Login as a customer (400 × 400 px).png

Checking both of the login pages, they seem to have the same login design, but when I think about it they probably have different SQL queries that check the types of the account and the credentials. I know this because I studied and developed websites in my free time.

In fact, if I was going to replicate their method. I'm pretty sure the database would look like this:


Whereas the account_type values could be customer or staff.

The SQL query in the customer login page is probably similar to this:

SELECT * FROM users WHERE username = ? AND password = ? AND account_type = customer

On the other hand, for the staff login page I suppose it would be similar to this:

SELECT * FROM users where username = ? AND password = ? AND account_type = staff

To be able to replicate this straight from my mind I know I have learned a lot from Cerberus and Zion and for that I am thankful.

Anyway, let's move on and log in with Zion's account on the customer login page.

Reaching out for my phone to see Zion's credentials and typed it in.

The keyboard became lively and clattery.

Despite my keyboard's noisiness, I love how it makes those clattering noises.

It reminds me of how nerdy I am.

However, it wasn't able to stop me from thinking about the password CerberusEurope.

"CerberusEurope isn't that the name of the company and their location? Now that I think about it I think I've heard from Zion that Cerberus recently reset the password of the accounts. Could this be the password they've assigned as default credentials?" I pondered.

Until then, there is lingering doubt.

Chapter 2: The Start Of The Mischievousness

"Your grades seem fine Zion, especially in your software development subject. You got an A." I texted.

"Of course, it's me we are talking about after all." Zion boastfully replied.

"You're a dick" I replied.

As I laid the phone on my desk, stretching out my body. I started to ponder about that doubt earlier.

I wonder if that was the case?

That is what if CerberusEurope was the password that was set to all of the accounts when Cerberus reset the passwords. In other words, CerberusEurope was set as the default credential to the accounts.

If it's really the case then it would be so fucked up since I would be able to use it to log in to other accounts and maybe I can use it to log in to the staff accounts.

But here's the problem, we need usernames to try it out. I can't use my account because it was already disabled a long time ago. I can't ask someone either for their username because it would be weird.

I need to figure out how to gather usernames, but how do I do that?

Maybe there's a way here somewhere? Maybe a feature that will allow me to see other users registered in the application.

Oh, wait, now that I think about it. There's one feature that will allow me to see other users in the application and that is the messaging feature. Should I try that out?


I was right trying that out, the messaging feature allows me to see other users, and not only that I can also see their usernames and their full name. However, I doubt we can also see the staff here.


"I was wrong!"

In the messaging feature, they were showing the full name of the users and their usernames, and also the staff. It's not weird at all in fact it's actually pretty common. It's just that features like these can be used as leverage for doing malicious things.


In any case, we got what we need now to test our hypothesis earlier. So it would be dumb if we ponder about it more when we can try it out now.

Let's try logging in as Michael Santos on the staff login page under the assumed default credentials, given that he hopefully hasn't changed the password.

michael_login.png cf5f9a13e1b4796d9ad40e180662934b.png.


"I was right!"

"My hypothesis is right!"

"I couldn't have been more excited that it worked, but what are these data?"

"Wait?! Aren't these?!!!!"

"Shit!!! What am I doing?!"

"I need to get out of here!"