Every time I see news from Guotai Junan, I feel a deep sense of disconnection because during my student years, I hacked into their official website backend, infiltrated their internal network servers, and my impression was that they were a poorly technically equipped, obscure little company. I never expected them to be so powerful.

(Disclaimer: I did not cause any damage, did not take any information, and the statute of limitations has passed.)

Back then, I was still a student, young and ignorant, competitive, spending all night energy on researching technology, mingling in major hacker, red hat, and white hat forums. The atmosphere for technical exchange was much better than now, unlike now when people only dare to communicate privately, and one wrong move can lead to charges of "illegal intrusion into computer systems."

By chance, I obtained a "0day" vulnerability, using quotes because I didn't know if it was a 0day or a 123day. Then I used the universal key to try locks everywhere.

First, I scanned for SQL injection vulnerabilities, then exhaustively guessed the administrator password in the database, reverse-engineered weak passwords from ciphertext, and found the management backend entrance. In the backend, I found an upload interface to upload a web shell, upgraded to a more powerful shell, obtained a shell, escalated privileges, scanned the internal network, and used the 0day to obtain reverse shells from other internal servers, using them as a springboard to continue using the 0day key to poke around for more reverse shells.

What seems like child's play now was the environment of network security back then, combined with youth and competitiveness.