Post cover image
ADMIN DASHBOARD OF https://www.bwdb.gov.bd/

June 18, 2026

Bore-dom, IP Pools, and a Nation’s Water Control: How I Breached Bangladesh’s Water Control Board

ADMIN DASHBOARD OF https://www.bwdb.gov.bd/

Z𝖾𝗋𝗈 B𝗋𝖾𝖺𝖼𝗁 S𝖾𝖼𝗎𝗋𝗂𝗍𝗒

4 min read

It was a quiet afternoon. The kind of boring day where you've already exhausted your quota of scrolling through mind-numbing reels. I don't watch TV, and modern movies rarely catch my interest. Instead, to pass the time, I sometimes find myself watching cartoons — even though I'm a grown man of 21.

But that day, the boredom was hitting differently. I needed an adrenaline rush.

For some people, fighting boredom means playing video games or going for a walk. For me, it means entering a terminal. To me, hacking has never been just a technical skill; it's a superpower. The thrill of OSINT (Open Source Intelligence), the chess game of penetration testing, understanding system architectures deeply, and then finding the exact loose thread to pull it all apart — that is what makes me feel alive.

Five days ago, I decided enough was enough. I wasn't going to target some cheap, low-tier local website. If I was going to burn my time, I wanted a real challenge. I decided to target a government infrastructure.

Specifically, Bangladesh.

The Target and The Mindset

There's a constant geopolitical friction in our region, and cyber warfare is a daily reality. Hackers from across the border frequently target Indian digital assets simply because we are a rising global superpower. I decided it was time to look back.

Now, if you've ever analyzed government websites in developing nations, you'll notice a pattern: they look almost identical, built on outdated, copy-pasted architectures. Years ago, when I was a teenager, I used to do this for fun — juvenile mischief, really. I had defaced their government college sites, breached a couple of education boards, and caused a bit of digital chaos.

But I'm 21 now. Infiltration needs to be sophisticated. I didn't want to mess with educational platforms anymore. I wanted something critical.

Instead of manually searching for specific web domains one by one, I decided to go broader and cleaner: IP Pool Scanning.

An IP pool belongs to a large organization or infrastructure subnet hosting its core services. I grabbed a single CIDR range and targeted a massive 16k IP pool. I initiated a fast, wide-scope recon scan. Out of thousands of addresses:

  • 25 hosts came back alive.
  • 3 hosts showed open, interesting ports.

(Note: This was just one CIDR block. There were plenty more left untouched, but 3 open doors were enough to start with.

Investigating the Open Doors

I began inspecting the three alive hosts:

  1. Host 1: A Cisco router. I checked the version and looked for known vulnerabilities, but it was fully patched and up to date. Dead end.
  2. Host 2: A dummy web test page. Leftover developer trash with nothing of value.
  3. Host 3: I hit enter on the URL, and my eyes lit up. A login panel.

It wasn't just a generic login page for an internal tool; it belonged to a National Water Control Board infrastructure.

Seeing a critical login gateway always gives me that familiar spark. I immediately fired off standard default credentials — admin:admin, admin:password, the usual suspects. Nothing worked.

I shifted gears. I opened the source code to review how the frontend handled inputs, while simultaneously launching a deeper automated suite in the background: subdomain enumeration on one side, directory brute-forcing on the other.

Suddenly, my connection dropped. The main site went completely dark.

Because of the heavy automated scanning load, the fragile government server couldn't handle the traffic and accidentally entered a temporary DoS (Denial of Service) state. I immediately killed all my active tool processes. If a system is this fragile that a basic recon script crashes it, I had to change my strategy.

I could have gone low-and-slow with passive fingerprinting, mapping subdomains and directories without touching the server directly. But that takes a massive amount of time, and frankly, I don't like spending days doing heavy manual labor for free.

I decided to play smarter. I turned to OSINT.

Shifting Through Digital Trash

I spent the next hour and a half digging through the dark, unindexed corners of the internet, searching for leaks, public code repositories, and misconfigured directories.

Eventually, I found digital garbage left behind by negligent developers. To an average person, it was useless junk. To me, it was pure uranium for my reactor.

Tucked away in a web config leak file, I found a set of admin credentials.

With my heart racing, I copied the password and pasted it into the login panel. Error: Incorrect Password.

It was a sharp sting of disappointment, but it came with a massive silver lining — the system didn't say "Invalid Username." The username I found was 100% correct. I had half the keys to the kingdom.

The Custom Script and Infiltration

I refused to use noisy public tools like Hydra for this. Instead, I booted up a custom automation script I had written myself. I loaded a targeted wordlist containing common password variations up to the year 2026.

To prevent crashing the fragile server again, I configured the script to send a request strictly every 2 seconds. A slow, rhythmic, low-profile drip that the application's basic filters wouldn't flag as an attack.

I deployed the script on my VPS (Virtual Private Server), closed my laptop, and went to clear my head.

An hour later, I opened the terminal logs. Match found. The script had successfully cracked the password just 25 minutes into the run.

I copied the string, pasted it into the login form, and hit enter.

Woof. I was in.

The Admin Panel and the Shift in Perspective

Suddenly, I was looking at the master dashboard of a foreign nation's regional water control infrastructure. I had absolute administrative access. On my screen lay detailed maps, geographical locations, real-time reports, and photos of water infrastructure across various regions.

More importantly, I had full control over the user database. I could delete every existing administrator, modify pages, alter data, or upload a massive, loud defacement page proclaiming my victory to the world.

But as I looked at the dashboard, I stopped.

Years ago, my teenage self would have defaced it instantly for bragging rights. But today, that felt like a kid thinking. Defacing a site is loud, messy, and ultimately temporary. I wanted to leave a different kind of mark.

I executed a script that purged all the existing administrative user accounts from the database except for my own backdoor. Then, I generated a set of fresh, open credentials and quietly distributed them into public spaces online, handing the keys of the platform over to the public sphere to let them see what happens behind closed government doors.

( On 10 Comments, I Will Upload A Full Video Of That Hack )

Final Thoughts

At the end of the day, a government domain extension doesn't make a system invincible. In fact, bureaucratic negligence often makes them the weakest links in cybersecurity.

While exploring these boundaries carries serious legal and security risks, sometimes, breaking through isn't about causing structural destruction. Sometimes, it's just about proving a point, testing your own limits, and shattering the illusion of absolute security.