![]()
The only way to shut it off would be to pull the plug or change the input source. This way, if someone attempted to power off the projector or mute it, it would revert and continue playing. For example, every 10 seconds, the display would power on and set the maximum volume. In the actual payload, I repeatedly looped commands to keep the rickroll running. This is a sample version of the C2 payload. Thanks to the increased flexibility from the payload, I could also back up and restore receiver settings to the filesystem after the rickroll was over. This script contained various functions that could execute requests to the web interface locally on the receiver. I developed a simple shell script that would serve as a staged payload to be uploaded to each receiver ahead of time. Instead, I used the SSH access on each receiver as the command-and-control (C2) channel. While we could send commands to each receiver using a web interface, it would not be ideal spamming HTTP traffic to every receiver simultaneously. #High school story hack how to#The first thing we focused on was figuring out how to control all the projectors at once. We began to refer to the operation as “the Big Rick.” I gathered a small team across the district and started preparing. A few days later, I decided to share my thoughts with a few close friends. Since almost all students would be back in school, I realized that a senior prank involving the IPTV system was now worthwhile. But in March, the superintendent announced that in-person instruction would switch to an opt-out model on April 5th. Up to this point, in-person instruction was opt-in, with most students staying remote, including myself. Preparationįast forward to the second semester of senior year, early 2021: all the schools were doing hybrid instruction because of the COVID-19 pandemic. I only messed around with it a few times and had plans for a senior prank, but it moved to the back of my mind and eventually went forgotten. Since freshman year, I had complete access to the IPTV system. Like the receivers and encoders, they also have web interfaces and SSH servers. These have typical x86_64 processors and run the enterprise Linux distribution, CentOS. Last but not least, AvediaServers allow administrators to control all receivers and encoders at once. #High school story hack software#These also have embedded software similar to the AvediaPlayers. Encoders are attached to computers that need to broadcast a stream, such as text carousels or morning announcements. They encode the live feed coming from these devices to the AvediaPlayer receivers, which display the stream. Next, AvediaStream encoders connect to devices that broadcast live video. An AvediaPlayer r9300 receiver that connects to displays. Additionally, they run embedded Linux with BusyBox tools and use some obscure CPU architecture designed for IoT devices called ARC (Argonaut RISC Core). #High school story hack serial#These receivers include both a web interface and an SSH server to execute the serial commands. They can send serial commands to their respective device to turn the display on/off, change inputs/volume, switch channels, etc. The system is composed of three products:ĪvediaPlayers are small blue boxes that connect to projectors and TVs. Exterity IPTV Systemīefore moving on, I will briefly explain the IPTV system. This is where I state the disclaimer again: never access other systems in an unauthorized manner without permission. My 14-year-old self stares at the camera I remotely accessed from my iPad. #High school story hack password#These included printers, IP phones… and even security cameras without any password authentication. Of course, we did so immediately, but by then, we had finished scanning the first half of the district’s 10.0.0.0/8 address space - a total of 8,388,606 IPs.įrom the results, we found various devices exposed on the district network. I had a few friends help out with this project - and oh boy, did we scan! Our scanning generated so much traffic that our school’s technology supervisor caught wind of it and came in at one point to ask us to stop. And by “curious,” I mean port scanning the entire IP range of the internal district network. So obviously, I became curious about the technology at my high school. I didn’t understand basic ethics or responsible disclosure and jumped at every opportunity to break something. This story starts with my freshman year when I did not have much technical discipline - a time that I can only describe as the beginning of my script kiddie phase. We are grateful that the D214 administration was so understanding. With that said, what we did was very illegal, and other administrations may have pressed charges. We went a comprehensive 26-page penetration test report to the D214 tech team and worked with them to help secure their network. We prepared complete documentation of everything we did, including recommendations to remediate the vulnerabilities we discovered. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |