How a teen hacked a GOV school diary server... and got arrested.


Back in 2014, our government made an online version of the school diary. It's basically a platform for school class management (grades, students, absences) and everything that comes with it.

As a student I had access to see my grades, teachers and that's pretty much it. I was always interested in information security, technology and programming/development, and one year later I was bored and started looking at the login page of the teachers. For authentication they use the email of the school, a 4-digit PIN (which is "1234" for every teacher, yes LOL!) and a randomly generated token.

Every school has its administrator who can control every teacher and the whole school online, YEAH - that's what I need! I started searching for vulnerabilities and found outdated third-party software running on the server. A few hours of searching for an exploit and I got basic "www-data" privileges on the server. Call me pussy, but I was afraid to do privilege escalation and get root access to the server. I logged out... called my friend and we talked about this.

I told him I pwned the GOV school diary using some outdated software running on the server and I failed to get access to the administrator of my school. He was like "hahaha, did you try phishing?" - It ended up that he got access to his school administrator by sending a phishing page! LOL! The email server that the school diary uses doesn't have spam protection! Nice, I said, we sent it to my school administrator and the next day we had the email and password (administrators don't have tokens, just passwords).

A few days later we pwned a few more schools, after a month we had access to all emails and schools in the city, we had fun reading their emails.

One month after all that I came home from school, entered my room - I SAW MONITORS ONLY, my computers were gone, cables were all over the room. I went downstairs and saw some papers on the table, it was a search warrant with all the details why - UNAUTHORIZED ACCESS TO GOVERNMENT SERVERS. My parents told me that I have to go to the police for 2 days. Two days later I went there and they told me that they have evidence that I TRIED to hack their servers (which means they don't know I did). It took like 5 hours, we talked and they took an ISO image of my HDDs. They sent me to the place where violent kids go. Ok, ok.. there was an old lady and she was really annoying and literally mocked me. That was pissing me off, but I was calm and just smiling at her :D

A few months ago I got an invitation and they gave me back my equipment, but lost a couple of things (DVDs, USB flash...) and canceled the case because of lack of evidence.

I'm not a high school student anymore so I stopped doing this, it's not cool anymore :P