From an External Weak Password to Full Internal Access: A School Network Penetration Walkthrough

The author from the "掌控安全学院" shares an experience of a security assessment on an education‑focused network, noting that external exposure is limited but internal assets are highly vulnerable.

While scanning assets, a virtual teaching‑lab was discovered; a weak password allowed immediate login. Attempts at SQL injection failed, and the file‑upload function used a whitelist and renamed uploaded files without extensions, limiting further exploitation.

Inside the system, a list of teachers' names and serial numbers (later identified as employee IDs) was found. Using this information, a colleague accessed the school's WebVPN with the default credentials: the employee ID as username and a password composed of the name plus the employee number.

Further exploration of the service hall revealed an SSLVPN usage request containing credentials. Since no new account was created, the username was assumed to be the employee ID, and the password worked, granting VPN access.

With VPN access, the team located an internal WebLogic server and achieved internal network roaming, demonstrating full penetration from the external weak credential.

This case shows that, for schools, the primary attack vector is information gathering and reliance on weak or default passwords rather than external vulnerabilities.