Cracking IIT Bombay’s FOSSEE Fellowship the bad way, or maybe the intelligent way?
So let’s rewind a few months …
I had just come to know about a fellowship program by IIT Bombay, named FOSSEE. It was just 26 hours before the deadline, so let’s get into it!
After reading the documentation, it boiled down to two steps:
- Passing the qualification exam
- Doing a screening task (building something from a short list)
The Qualification Exam
It seemed to be a competitive-programming-style exam where you coded against problem statements and the platform executed test cases on your submission. The twist was that they were using their own platform.
So I, obviously being a security enthusiast, looked for vulnerabilities. And, sadly, I found many. Such as … well, I’ve mailed them, so for now I’ll just stick with the one that anyone can see, literally, a n y o n e, so it’s legal, maybe not …
I saw that when you hit compile/run button, if it’s all good, well then, yay!
If not, it obviously came back with an oh-no message, but that message also said things which a platform normally shouldn’t (like the text of AssertionError messages!).
What error, again ?
Python’s assert statement is a debugging aid that tests a condition. If the condition is true, it does nothing and your program just continues to execute. But if the assert condition evaluates to false, it raises an AssertionError exception with an optional error message.
To summarize: Python’s assert statement is a debugging aid, not a mechanism for handling run-time errors. The goal of using assertions is to let developers find the likely root cause of a bug more quickly. An assertion error should never be raised unless there’s a bug in your program.
And what exactly did the messages look like? (It shouldn’t be too bad …)
Traceback (most recent call last):
File "<input>", line 4680, in <module>
(...)
AssertionError: SORRY, SIR, BUT IT LOOKS LIKE THE ANSWER IS 3.14
Yes, that bad …
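To make the leak concrete, here is an added example (not the exam platform’s code): a grader that checks a submission with assert and returns the raw traceback, beside a hardened version that keeps the hidden answer server-side. The problem, the answer 3.14 and the function names are constructed for illustration.

```python
# Added example, not the platform's code: a leaky grader beside a safe one.
import logging
import traceback

log = logging.getLogger("grader")

EXPECTED = 3.14  # constructed sample: the hidden answer for one problem


def leaky_grade(submitted):
    """Mimics the bug: the assert message carries the hidden answer and the
    whole traceback is handed back to the candidate.  (Also fragile: running
    under `python -O` strips asserts, so the check would silently vanish.)"""
    try:
        assert submitted == EXPECTED, (
            f"SORRY, SIR, BUT IT LOOKS LIKE THE ANSWER IS {EXPECTED}"
        )
        return "pass", ""
    except AssertionError:
        return "fail", traceback.format_exc()  # full text reaches the client


def safe_grade(submitted):
    """Hardened: plain comparison, the hidden answer is only logged for the
    operators, and the candidate gets a generic verdict."""
    if submitted == EXPECTED:
        return "pass", ""
    log.debug("mismatch: got %r, expected %r", submitted, EXPECTED)
    return "fail", "Output did not match the expected result."


def leaks_answer(client_text):
    """Regression check: does client-visible text contain the hidden answer?"""
    return str(EXPECTED) in client_text
```

The same principle applies to any assertion or exception text that a test harness echoes back: anything in the message must be assumed readable by whoever triggers the failure.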
It was something around 3 AM, and the next day I had classes from 9–5, so, obviously, I … couldn’t resist. Come on, I was feeling sleepy!
Gaming the system
Just wrote a script (pwn.sh) which did the following:
- Made a POST request to the entrance exam with a “trigger_payload”
- Grabbed the response, used basic regex, extracted the answers
- Crafted “final_payload” with the answer, sent a POST request carrying that payload
- REPEAT, at last printing “You just passed the qualification exam, sir.”
trigger_payload was just hitting the system with rubbish data, so that it came back with those precious AssertionError(s); then you applied some fancy regex on the response to grab the intended solution; at last, you crafted the final_payload, which submitted the solution. Yes, you can easily script that, i.e. no source code needed.
Why all this?
I told you before, right? It’s the 18th already, it’s closing in under 21 hours, and hey, don’t ask these again, remember, the clock is ticking!
To be honest, I solved most of them myself, and only exploited a few boring, tedious questions. For example (yes, this was the level of the questions):
class ArithmeticProgression:
    def __init__(self, a=1, d=1):
        self.a = a  # first term
        self.d = d  # common difference

    def get(self, n):
        # n-th term: a + (n - 1) * d
        return self.a + (n - 1) * self.d

    def sum(self, n):
        # sum of the first n terms: n * (2a + (n - 1) * d) / 2
        return (n * (2 * self.a + (n - 1) * self.d)) / 2
See? It’s not useful, so why not automate this, wrap it, shred it, destroy it and focus on the screening tasks?
I know, my devil side is a little too … expressive. Okay, we’re clear with Step 1, let’s head over to Step 2.
Screening Tasks
Please note that “only” those candidates who have Passed the Shortlisting Python Quiz are supposed to attempt Any One of the following Screening Tasks:
Screening Task 1: Create a Task Manager Django App
Screening Task 2: Create an Application using PyQt/Kivy
Screening Task 3: Create a Python Desktop Application
Screening Task 4: Port Given Code from Python 2 to Python 3
And those involved doing cool stuff like writing test cases, using a VCS, …
List of Screening Tasks
Please note that only those candidates who have Passed the Shortlisting Python Entrance Exam are supposed to attempt any one of the following Screening Tasks:
Screening Task 1: Create a Task Manager Django App
Technologies / Libraries to use
Django
Python
HTML
Javascript (Optional)
Git
Instructions
- Create a Github Account or Use your existing one.
- Create a new Repository in your Github Account for this task called fsf_2019_screening_task1
- Commit your code at regular intervals by doing small incremental changes to your code (committing huge blobs of code all at once is not recommended).
The steps in “Description” below are general, minimum and mandatory guidelines. You are free to add well-documented features to your application.
Include a file called requirements.txt that lists all the libraries (including Django) and modules/plugins and their versions. You are not allowed to use pre-built third party Django Apps.
Description for Screening Task #1
- Create a Task Manager Django App using Django, that does the following:
- Authenticate the user
- Allow new users to sign up
- Allow existing users to sign in
- Allow only an authenticated user to create Task
- Allow creation of ‘Teams’
- Team creator should be able to add other Users to their Teams
- Only the Task Creator can edit Tasks that have been created by himself
- Other users from the same team can only view and comment on Tasks that were created by another User
- A User from another Team cannot view/edit/assign/comment on a Task of a different Team Member.
- Creator of Task should be able to assign the Task to one or more Users from his own Team
- In case Task Creator does not belong to a team, he himself will always be assigned to his own tasks.
- Tasks should have the Fields: Title, Description, Assignee, and Status (Planned, In-progress, Done etc.)
- Each Task should have a comments section where all users in one Team can comment on the Task
- An authenticated User can comment on his own tasks (assigned to or created by him) as well as other Tasks of his Team members.
- Write Test Cases for your Django App.
Send the Link of your Github repository to pythonsupport@fossee.in
Evaluation
- Availability, Accuracy and Clarity of Documentation
- Quality and Extent of Test Cases
- Quality of Code
- Adherence to Coding Standards (For example — Code must be Pythonic and follow PEP8 standards)
- The User Experience and Flow (please note the difference between UI & UX)
Similarly there were descriptions for …
Screening Task 2: Create an Application using PyQt/Kivy
Screening Task 3: Create a Python Desktop Application
Screening Task 4: Port Given Code from Python 2 to Python 3
Yes, it’s a fun exercise; it reminds me of Mungell’s awesome-for-beginners#python, or Tuvtran’s project-based-learning#python.
But you got busted, right?
Yes, it was mentioned that you have to push the code at “regular intervals”. But busted? (Maybe not?)
How?? You’re lying!
Yeah sure, I could have abused GitHub’s commit history to fool the interviewers, having built the app by coding straight for a few hours.
Wait ... What, the … what ?!
One of the greatest and worst things about git is that we can rewrite the commit history. I can’t think why git introduced this. Yes, you can simply write a script that goes something like …
> set GIT_COMMITTER_DATE="12/12/12 3:33p +0000"
> set GIT_AUTHOR_DATE="12/12/12 3:33p +0000"
> git commit --amend --no-edit
Optionally (if you’re messing with an existing repository with previous commits):
> git rebase <commit-hash>^ -i
In interactive mode, replace “pick” with “e” (edit) on the line with that commit (the first one), then quit the editor (Esc followed by “:wq” in Vim, I love Vim).
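From the reviewer’s side, the counterpart is a check over the repository’s own timestamps. The following is an added example (not from the post or from FOSSEE): it parses the output of `git log --reverse --format='%h %at %ct'` and flags commits whose author and committer dates disagree or whose author date runs backwards; the log lines below are a constructed sample.

```python
# Added example: reviewer-side audit of git commit dates.
# Input format: one line per commit from
#   git log --reverse --format='%h %at %ct'
# (%at = author date, %ct = committer date, both as Unix timestamps).
import subprocess
from dataclasses import dataclass

# Constructed sample: two clean commits, then two whose dates were rewritten.
SAMPLE_LOG = """\
a1b2c3d 1355326380 1355326380
b2c3d4e 1355412780 1355412780
c3d4e5f 1355499180 1560000000
d4e5f6a 1355067180 1560000100
"""


@dataclass
class Finding:
    commit: str
    reason: str


def audit_dates(log_text):
    """Return one Finding per suspicious commit in the log text."""
    findings = []
    prev_author = None
    for line in log_text.splitlines():
        sha, author_ts, committer_ts = line.split()
        author_ts, committer_ts = int(author_ts), int(committer_ts)
        # An amend or rebase normally leaves the author date alone and
        # stamps a fresh committer date, so the two diverge.
        if author_ts != committer_ts:
            findings.append(Finding(sha, "author date differs from committer date"))
        # History built in order has non-decreasing author dates.
        if prev_author is not None and author_ts < prev_author:
            findings.append(Finding(sha, "author date earlier than previous commit"))
        prev_author = author_ts
    return findings


def audit_repo(path):
    """Run the audit against a real checkout (hypothetical helper)."""
    out = subprocess.run(
        ["git", "-C", path, "log", "--reverse", "--format=%h %at %ct"],
        capture_output=True, text=True, check=True,
    ).stdout
    return audit_dates(out)
```

The snippet above sets both GIT_COMMITTER_DATE and GIT_AUTHOR_DATE, which defeats the first check, so this only catches the careless case; the only timestamps a committer cannot rewrite are the push times recorded by the hosting service.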
But …
That would have been unethical (in my opinion). You can say that, all this so far is already “bad & illegal”, but you know what ?
I don’t think so. I hope you remember that I said, “unethical”, which means “not morally correct”, ‘morally’ → moral code, closely related with one’s values, overall, meaning that, it depends on the individual. (Values, Ethics and Government course which we all have to finish this semester so…)
I exploited the qualification quiz because … I could have done all the answers and it didn’t require knowledge (come on). And the GitHub screening task thingy? … I think I could have pulled this off, too: I know Python, I’ve worked with all the technologies which were needed, and what about the work hours? … Remember this blog, I can make Elon Musk run for his hours!
But I didn’t. The qualification quiz was more of a test to see if you understand core programming concepts, which I did, so I created a shortcut; but the second task, other than requiring knowledge, required commitment, dedication to that fellowship, which I surely didn’t have. That program was meant to teach fellows a lesson; it was about acquiring a good workflow.
If I had made the cut, I would have snatched the place of a worthy fellow who loved I.I.T. Bombay, dreamt about this fellowship, worked crazy for months, learning and exploring programming concepts which I didn’t want to.
What’s the gist?
I decided to leave the program and did not submit the screening task. That’s it.
Originally published on Medium.