I saw this question being asked on here years ago with few but interesting answers. I'd imagine that a lot of you still have some pretty interesting stories to tell about some crafty workarounds.
I was located in Sydney Australia, trying to fix a literally showstopper bug in the signal processing of the bank of Land Mobile Radio base stations that were being used to coordinate the stage management for the Opening Ceremony of the London Olympics. Less than 24 hours to go before the final dress rehearsal, and the production company was preparing to spend megabucks to pull all the radios out and replace them with a different manufacturer's, unless the bug was fixed in the next few hours.
I ended up hacking the radio firmware to bypass the signal processing and stream the raw received samples from London to Sydney. I hacked a radio in Sydney to feed the London samples into its signal processing, then streamed the resulting samples back to the transmitter in London. I now had an LMR base station running in real-time over the Internet, with the radio hardware in London and the signal processing in Sydney. I was able to attach a JTAG hardware debugger to the DSP in the radio running the signal processing and find the bug. From there we did a firmware release and uploaded new firmware into the radios in London. Our radios stayed in and handled the stage management for the Opening Ceremony of the London Olympics.
Edit:
The customer must have been happy with the outcome, as they ended up using our radios for the Sochi Winter Olympics two years later.
After playing a lot of Tetris Friends, I started getting deja vu. Sometimes, after starting a new game and placing maybe 10-20 pieces, I would think, "Haven't I seen this exact board before?" Eventually I tested my theory through brute force: I would start a fresh game, write down the first 10 pieces, then restart. Over and over and over, until finally, I found it -- a duplicate!
Apparently, Tetris Friends only seeded their RNG once, and there were only a few hundred possible seeds (perhaps 256? I didn't check). So if you got the same initial seed, you got the exact same pieces for the entire game. Tetris Friends also happened to have a highly competitive global leaderboard, where you tried to clear 40 lines as fast as possible... and I happened to have recently learned how to use AutoHotKey. You see where this is going.
I restarted over and over until I got a good seed, then carefully played through a whole game, copying my inputs into a giant AutoHotKey script. Tetris Friends was a flash game, meaning it could only process so many inputs per second, so I had to insert a short delay between each input. Testing/debugging was a nightmare too, because I had to restart until I found the same seed again! But after a few hours, my script made it all the way through a game, and bam, I was #1 in the world.
Felt real good for about a week, until Tetris Friends purged the leaderboard. :^)
I had a similar experience about a decade ago with an online rock-paper-scissors vs. computer site. I quickly figured out the pattern and was able to win a few dozen times in a row (late night) and got bored, but it was a very intriguing exercise.
I wrote a script that played Facebook Bejeweled for me. It took a screenshot and then picked out the pixel colors from a grid, since they're all different and mostly static, then simulated some clicks. It was a bad player but stupid fast, so it racked up the score nonetheless.
Had a similar but simpler experience with Telegram's Lumberjack game [1]. Wrote a small Python script that scans a few pixels of the screen and sends arrow key signals when it sees a branch. The game was gradually speeding up to the point that the script was not able to keep up, yet it was beating any human easily.
In my first job I worked on a database product in development that leaked memory slowly, leading to crashes after hours of usage. The software was written in C and there were no tools like Purify or Valgrind back then to deal with memory problems. It was a vexing problem that got punted until release time, when it became a show stopper.
I looked into the problem and found that the memory allocation used malloc and free. I then defined macros for malloc and free in a common header to call my_malloc and my_free functions with the standard __FILE__ and __LINE__ macros passed in as parameters. Re-compiled the whole program with the macros, which redirected every call of malloc and free to my functions. My functions logged all the calls with the allocated memory pointer, the filename, and the line number. Once I collected enough log data from test runs, I sorted the lines in the log file by the memory pointer address. Every pointer address should come in a pair, one from the malloc() and one from the free(). The pointer addresses with an odd number of entries are the ones with a missing free(). And I got their filename and line number right there.
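The malloc/free shim described in the post above, written out as an added example in C (not the poster's code): every call is logged with its pointer and __FILE__/__LINE__, the log is sorted by address, and any malloc with no matching free is reported with its call site. The in-memory event log and the demo that deliberately leaks one block are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Added example (not the poster's code): a malloc/free shim that logs
   every call with its pointer and __FILE__/__LINE__, then sorts the log
   by address and reports allocations with no matching free. */

enum { EV_MALLOC, EV_FREE };

typedef struct {
    void       *ptr;
    int         kind;   /* EV_MALLOC or EV_FREE */
    int         seq;    /* call order, keeps equal addresses chronological */
    const char *file;
    int         line;
} alloc_event;

#define MAX_EVENTS 4096
static alloc_event g_log[MAX_EVENTS];   /* stands in for the log file */
static int g_nevents;

static void log_event(void *p, int kind, const char *file, int line)
{
    if (g_nevents < MAX_EVENTS) {
        alloc_event *e = &g_log[g_nevents];
        e->ptr = p; e->kind = kind; e->seq = g_nevents;
        e->file = file; e->line = line;
        g_nevents++;
    }
}

void *my_malloc(size_t size, const char *file, int line)
{
    void *p = malloc(size);           /* still the real malloc here */
    if (p) log_event(p, EV_MALLOC, file, line);
    return p;
}

void my_free(void *p, const char *file, int line)
{
    if (p) log_event(p, EV_FREE, file, line);
    free(p);                          /* still the real free here */
}

/* The trick from the post: from this point on (in a real project, from a
   common header) every malloc/free call site is redirected to the shim. */
#define malloc(sz) my_malloc((sz), __FILE__, __LINE__)
#define free(p)    my_free((p), __FILE__, __LINE__)

static int cmp_event(const void *a, const void *b)
{
    const alloc_event *x = a, *y = b;
    if (x->ptr != y->ptr)
        return (uintptr_t)x->ptr < (uintptr_t)y->ptr ? -1 : 1;
    return x->seq - y->seq;
}

/* Sort by address; a malloc not immediately followed by a free of the
   same pointer is a leak. Returns the leak count; prints to out if set.
   Caveat: frees done by code compiled without the macros are invisible
   to the log and would show up here as false leaks. */
int report_leaks(FILE *out)
{
    int leaks = 0, i;
    qsort(g_log, (size_t)g_nevents, sizeof g_log[0], cmp_event);
    for (i = 0; i < g_nevents; i++) {
        if (g_log[i].kind != EV_MALLOC) continue;
        if (i + 1 < g_nevents && g_log[i + 1].ptr == g_log[i].ptr
            && g_log[i + 1].kind == EV_FREE) {
            i++;                      /* matched pair: skip the free */
            continue;
        }
        leaks++;
        if (out)
            fprintf(out, "leak: %p allocated at %s:%d\n",
                    g_log[i].ptr, g_log[i].file, g_log[i].line);
    }
    return leaks;
}

/* Constructed demo: three blocks, the middle one is never freed. */
int run_demo(FILE *out)
{
    char *a, *b, *c;
    g_nevents = 0;
    a = malloc(16);
    b = malloc(32);                   /* leaked on purpose */
    c = malloc(64);
    free(a);
    free(c);
    (void)b;
    return report_leaks(out);         /* returns 1 */
}

int main(void)
{
    return run_demo(stdout) == 1 ? 0 : 1;
}
```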
I applied for a job at a medical cannabis operation in Canada right before legalization hit.
I was curious to see if they had checked out my personal website, so I grabbed my webserver logs and I recognized one IP from the city the job was based in. More than likely, the public IP of the business in question.
On a whim, I ran the IP through Shodan.io and it showed that 47808 was open - the BACnet protocol. I had no idea what this protocol was, but I was able to download some odd enterprisey software that had the ability to speak BACnet. I connected to the IP:Port and found a long list of connected things - water levels, temperatures, lights, and more.
I wasn't interested in doing anything questionable with this information. I'm not even certain it allowed me to do anything more than look, but I like to think I could have e.g. turned off lights or adjusted temperatures in the grow rooms. I made the (risky) executive decision to let the hiring manager know that their public IP had an important port open to the world. I wound up getting hired by that business, and the first task I was assigned was to fix the open port.
I'm not sure if that counts as "hacking", but I was proud of finding the vulnerability / misconfiguration nonetheless.
I was in Scotland and poor to the point of trying to eat on a few pounds ($5) a week.
I discovered (by watching another customer) that a certain kind of very expensive Scottish smoked salmon was 4 pence more expensive than the price listed on the shelf. The supermarket (Tesco) also has a large sign stating that if the price was wrong on any item, they would both give you the item for free and the money it costs.
I promptly went and loaded up a cart with nothing but smoked salmon.
It took 42 minutes of arguing with different store managers and pointing to the sign, but I managed to eat for free that week and even had enough to pay my electricity bill.
The reason I don’t feel bad is that particular store very, very often charged the customers more than the listed price and no one ever seemed to catch them.
I went in three months later, and the same salmon still rang up at 4p more than it was listed at.
One time I accidentally overwrote my hard drive with dd while making an installation thumbdrive. While unfortunate, it was only the first 8GB or so. This nuked the partition table, bootloader, and start of the Windows partition, but fortunately my daily-driver, still-running Linux system partition was unaffected. I kept my cool and figured it was recoverable. I ended up recovering the partition table from RAM and writing it back to the disk and reinstalling a bootloader. Talk about a nervous reboot! I'm just glad the power didn't go out...
Ah, this reminds me of the time a few years ago when I accidentally deleted `sudo`. A lot of stuff broke and it was interesting running around in a system where things would sort of work, but sort of not really.
I learned then that sudo was really just a binary, so I tried to get a copy and put it in the right place. I couldn't, though, because I didn't have write permissions to it without sudo!
In hindsight I guess I could've just run the binary itself to get access, or put it elsewhere on my $PATH, or used `su` instead. Not sure if I tried those things, it was a while ago and I was pretty new to Linux. Maybe I got the file from the internet and didn't know to make it executable.
Anyway, what I ended up doing was booting up from a live Ubuntu USB and copying the sudo from the live environment to my installation on disk. It worked, and my newbie self felt like a proper hacker, fixing the unfixable. For one day I was a heart transplant surgeon :)
Oh, what fun! Our system administrator decided once to duplicate the boot partition of a server, so we had a spare should the usual one fail. He used dd of course. And the next day, he was off to a USENIX conference. What he had forgotten, though, was that the first partition on the disk actually contained the partition table! (This was on Solaris, or possibly SunOS.) Since the source disk and the target disk had different partition tables, things started falling apart. It did not happen all at once, probably due to caching. But we started getting more and more weird errors. It took me half the day to figure out what had happened. By great luck, I had actually saved a copy of all partition tables just a few days prior. They were in human readable form, but good enough for me to restore the damaged partition table to its original state. A reboot later, all problems were gone.
That’s great, I had the same problem but didn’t hack it like you did unfortunately. I overwrote the first 30 GB of my 6 TB HDD and am trying out GetDataBack Pro to get my files back, no luck so far. I had some tens of thousands of photos that I can’t replace.
Oh yeah, overwriting the partition table can be "fun". I once wrote the partition table of a floppy to my hard drive. That was when I was still running DOS. I used a disk hex editor (I think it was part of PC Tools) to change it back to the correct values.
Writing a first-gen PSX (Playstation) game, NASCAR Racing, we had an in-house physics engine that needed the physics thread to run on a constant 30 Hz. PSX SDK didn't have pre-emptive multi-tasking. Sony US "checked with Japan" who said we were out of luck.
Then I remembered my old Atari 8-bit programming days and the vertical blank interrupt (which there was on the PSX, but we couldn't run all the physics in the VBI time allotment). What we could do though, was to use setjmp/longjmp to switch contexts between threads and then hack the vertical blank interrupt to save off the registers from the main thread, longjmp back to the physics thread, which would then restore the registers of the main thread and longjmp back to it. Bingo, 29.94Hz pre-emptive two-threading (which was all we needed).
(I don't recall if we actually used setjmp/longjmp or if we just stored away the PC register to return from the interrupt and monkeyed with it to return from the interrupt to the physics thread [as if it was interrupted at the start of a cycle of the engine] and then return from there to code that would restore the registers and make it appear to the main thread that it was returning from a VBI.)
About 10 years ago, I worked for a Toyota supplier. My job, as the only software guy in a house full of hardware people, was to find out every single Toyota and Lexus dealership in America, and then find out what kind of cell phone reception they had (3G, Edge or none) for each of the major carriers (AT&T, T-Mobile and Verizon, IIRC). They imagined this would be done manually so they estimated a few weeks to do the job.
Within 3 days, I wrote a script to locate the dealerships, load each of the carriers' web pages, enter the address/coordinates into their coverage map, then take a screenshot of the results. Each of the carriers, of course, had their own way of displaying the coverage information, but it was mostly a color-coded map (example: green area = 3G, blue area = edge, gray area = no reception). So, I wrote another script to process the screenshots and deduce what kind of reception they had at the dealership (some 3500 in total, if I remember right).
Unfortunately, this feat was met with the proverbial "great, while you're fixing things can you also fix the printer" kind of response, but damn if I wasn't proud to compress a few weeks into 3 days in a clever way, even if I had no one to appreciate it.
By the way, the reason we needed this information is because we were rolling out Lexus RES+ (an early version of the remote engine starter) and they wanted to make sure that every single one of the dealerships could demo the service to potential customers.
Super minor compared to a lot of the stuff here, but when I was a young data scientist I had the job of creating a model to tell our call center sales agents when an ancillary product would be a good fit to upsell to customers, and when not to waste their time. The only problem: integrating it into the sales application was nearly impossible, IT said it was a huge effort, nobody wanted to do it.
So what I did was build a Greasemonkey script to watch the DOM as they went through the sales flow and record the values as they were entered. I then built a decision tree model of moderate size, exported it to a string, and converted that into a big JavaScript function. Then, if the model said things were looking good, I modified the DOM to insert a little "alert" box on the top of the page. I handled all the state manually in case they navigated away or did things in a funny order. I knew zero JS or web development at the time, so this was SUPER hacky. But it worked! I then manually walked around to sales agent computers and installed the Greasemonkey extension/script. I even got IT involved eventually to serve the script from an internal endpoint, allowing for easier updates.
The actual model ended up being just okay, and didn't have a huge impact on actual sales, but the exec team was SUPER impressed with the delivery mechanism. We had a parent company and they loved to brag to their superiors how we had deployed a machine learning model "for zero IT cost". They had me do a writeup and everything in case someone wanted to copy my revolutionary idea. I'm sure some guy at the HQ took a look at my writeup and got a good laugh out of how incredibly obtuse, insecure, and hacky the whole thing was.
That said, I still think it was a clever solution and even wondered about turning it into some kind of product at one point.
I was looking for an apartment to rent (circa 2010-ish), on Craigslist and Kijiji. Neither had a map feature, and both suffered from a lot of reposts. If a nice place came up, you had to be extremely responsive (like, contact the poster within minutes of the ad going up) to stand any chance against competing renters.
I wrote a pile of scripts that scraped both sites, parsed and cached the data, and displayed it on a map. I was able to set search criteria based on location, and kludged it so that if something good came up, the system would automatically email the landlord if they made the email available, text them if they left a number, and text me a notification with a link.
The scraper eventually got pretty fancy as I expanded the service across multiple cities - it self-throttled and self-scheduled, based on the average frequency of postings on each platform in each city at a given time of day. The repost detector was working pretty well too; it added a layer of data to the results (eg, "this rental was re-listed 12 times in the past two weeks").
Once I found a place I liked, I made the site public and shared it with some friends, and it didn't take long until I was seeing steady daily use. The site even won an award from CIRA.ca!
I wrapped things up when I learned of Craigslist suing Padmapper for scraping their data. I wasn't monetizing, it was a cool project, but it felt like it was done.
Thanks! I found at least one place using Padmapper back in the day that worked out really well! In 2022 Craigslist still sucks at removing duped postings for apartments, cars, etc.
I discovered that I could use VBA from Word to shell out to cmd bypassing all of the security. This opened a world of possibilities...
This being the era of AOL punters, I created a neat VBA utility in a Word doc that used netsend to spam other computers in the school. Shared the file widely.
Then I used the technique to explore the network... eventually was able to use net use to connect to a remote drive in the school administrator's office where I found a text file of every student birthday, home address, and SSN... which I then could use to sign into anyone's account (password was derivative of name and SSN).
Culminated with pwning a school rival by putting all his files in a password protected zip on the desktop and dropping a batch file in his startup folder that printed a text file with the password to the printer when he logged in.
Reminds me of high school. We also had locked down computers, but one day I noticed that one of the programs on the system had a directory structure of hundreds, if not thousands, of executable plugins that needed run-access for the program to execute properly.
My hypothesis was that the IT guys were lazy and just unblocked anything in that directory. Even if a networked computer didn't have this program on it, you could just recreate the directory structure and drop any portable executable there and run it. Pretty soon we were all playing brood war in every free period.
School PC "hacking" and bypassing locking was a great pastime.
One of the schools I went to had a computer lab in the Library, ran on Windows NT 4. I found so many work-arounds to their security controls that they ended up making me an admin and told me to fix them all. That was my intro into group policies and domain management.
Another student made a credential-phishing program - it was a full-screen VB6 app that looked like the normal NT4 login. They'd log in, launch the credential-phishing app, and then walk away. It wrote the stolen creds to their 'home' drive and then logged out after showing some fake "There was a problem with your password, try again" message.
Many years later, but still on NT4/Windows 2000, at technical school we found that the campus-wide internet was run through a single Windows-based proxy, with rules on the router to prevent traffic to the internet except from that proxy.
They also did various content-filtering things, allowing only certain white-listed sites.
At that time Windows's networking was iffy - and if it detected that another computer was using the same IP, it'd disconnect itself from the network.
Our class had a computer lab with removable 3.5" drives and we were learning about setting up networks. Well, install a Linux distro, install squid with rules to allow all traffic. Then once it was working, change your machine's IP to that of the proxy. Now the entire campus's internet traffic was going via your lab machine, and you had free access to the internet. We just kept a 'proxy' disk around and put it in anytime we needed something that wasn't whitelisted. I don't know if the network admins didn't care or didn't know, because it wasn't fixed for a few years.
I had something similar. They installed Windows 95, but the DOS and Windows 3.1 files were still there too. I was able to open Solitaire, QBASIC, and other programs, including the Windows 3.1 registry editor, which can display and edit parts of the Windows 95 registry but not all of them. (The Windows 95 registry editor did not load, due to the policies.)
I had also figured out using VBA in Microsoft Word.
Once the teacher took the students to the computer lab to make greeting cards, but the program to do so was no longer in the menu; fortunately I knew where it was and was able to describe it (using VBA in Microsoft Word) so that everyone in the class could load the program.
Later, they removed many restrictions but all files were reset when rebooting, so any program could be accessed without damaging it.
Something less prohibited was defining a password for print jobs to avoid getting them mixed up with everyone else's.
After reading an inspiring story in the mid 90s about someone that collected rejection letters for jobs they weren't qualified for (CEO of a national rail carrier etc), I turned to a life built on a similar idea. I applied for jobs I thought I could do, using mostly made-up resume information. If I was scheduled for an interview I would study like mad every waking hour until the interview. My career was absurdly successful by any measure and I retired rich 30 years early.
The resume is the dumbest blocker in our society. If you can do the job, just write that on your resume along with whatever else you think they want to see.
A bit younger here, but back in elementary school we got chromebooks when chromebooks were barely becoming a thing (replacing the rack of netbooks that was normally wheeled into our classroom).
Two things I did that were very fun:
1. School blocked a lot of popular flash game websites. My friends and I downloaded a bunch of flash games and threw together a website that we hosted on our chromebooks using '200 OK - Webserver for Chrome' or something. It was just a bunch of janky HTML and CSS, but we got it working. The school didn't block it because it was on the local network. We handed out slips of paper to our friends with the local IP address of my laptop. At one point someone made a Google Site with a link to the local address. It was a hack, but playing RUN 2 on your chromebook during social studies in 5th grade... man, those were the days.
2. Around that time one of my friends stumbled across crouton, a way to run Linux on a chromebook in parallel with ChromeOS. After a lot of trial and error (didn't know what bash was at the time), we were able to get Ubuntu installed. I remember downloading Blender and trying to do a fluid sim, which was super slow. I was able to render the first 20 frames of a domino and fluid animation using Cycles, which frames I still have sitting on my hard drive somewhere to this day.
Some of my first hacks, older me is surprised how much younger me was able to get done given how much younger me didn't know.
A lot of older techies bemoan the fact that phones and appliance-like computers lock everything down and obscure the inner workings, claiming it will stop kids from learning to hack. I think this is a great counterpoint... some kids are going to find ways around things no matter what!
When Web Sockets were still not finalized, I was writing a C# program using them but there wasn't a functional library available. There was however a nice open-source Java implementation. I copied it into Visual Studio, changed all the file extensions, and spent half an hour hitting build then fixing syntax and import red squigglies. It eventually built successfully and happily sent data to a NodeJS front end for years.
Cool. I did something similar with an old C program from the 80s by Peter Langston called Riffology, which was the algorithm used to generate the procedural music in Ballblazer.
I pasted the C files into Eclipse, deleted some `register` keywords, made a bunch of tweaks, and it ran fine as Java.
Not that hacky or mind-boggling, but does involve a hex editor and lots of money...
I added support for the '\ ' PostScript escaped space sequence to a custom, high-performance PDF parser.
A former employer used this to derive key figures from financial statements. Any change to the parser had to be Pareto-optimal: so if you modified the parser, it should not fail to parse any key figure that was previously possible to parse. Adding this improved reading word-wrapped text in hundreds of cases and key figures in dozens; I recall that my bosses thought it must be a mistake, and that I had to convince them by finding the right section in some Adobe PDF spec.
I wasn't an expert at the PDF format. But stumbling on a number split in two by apparently nothing, and digging up a 0x5C 0x20 '\ ' with a hex editor, I seemed to recall that PDF was built on top of PostScript, and that TeX / LaTeX syntax was somehow related to PostScript. So it struck me that what was a literal backslash in the PDF must just be an escape sequence.
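The escape handling the post above refers to, as an added example in C (not the former employer's parser): it decodes a PDF/PostScript `( ... )` literal string following the PDF literal-string escape table, including the case the poster found, where a backslash before an unlisted byte such as a space is simply dropped and the byte kept, plus the octal and line-continuation escapes from the same table. The sample strings are constructed.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not the parser from the post): decode the body of a
   PDF/PostScript literal string starting at '('. Escape rules follow the
   PDF literal-string table: \n \r \t \b \f \( \) \\, \ddd octal (1-3
   digits), backslash + end-of-line = line continuation, and a backslash
   before any other byte is dropped while the byte is kept, which is
   exactly why "\ " decodes to a plain space. Returns bytes written, or
   -1 on malformed input (truncated escape, unterminated string, output
   buffer too small). */
int pdf_unescape(const char *in, size_t len, char *out, size_t outcap)
{
    size_t i, o = 0;
    int depth = 1;
    if (len == 0 || in[0] != '(') return -1;
    for (i = 1; i < len; ) {
        char c = in[i++];
        if (c == '\\') {
            if (i >= len) return -1;          /* truncated escape */
            c = in[i++];
            switch (c) {
            case 'n': c = '\n'; break;
            case 'r': c = '\r'; break;
            case 't': c = '\t'; break;
            case 'b': c = '\b'; break;
            case 'f': c = '\f'; break;
            case '\r':                        /* \<CR> or \<CR><LF>: */
                if (i < len && in[i] == '\n') i++;
                continue;                     /* line continuation */
            case '\n': continue;              /* \<LF>: line continuation */
            default:
                if (c >= '0' && c <= '7') {   /* \ddd octal escape */
                    int v = c - '0', n = 1;
                    while (n < 3 && i < len && in[i] >= '0' && in[i] <= '7') {
                        v = v * 8 + (in[i++] - '0');
                        n++;
                    }
                    c = (char)(v & 0xFF);
                }
                /* '(' ')' '\\' ' ' and anything else: backslash ignored */
                break;
            }
        } else if (c == '(') {
            depth++;                          /* balanced parens are literal */
        } else if (c == ')') {
            if (--depth == 0) return (int)o;  /* closing delimiter */
        } else if (c == '\r') {               /* bare EOL normalises to LF */
            if (i < len && in[i] == '\n') i++;
            c = '\n';
        }
        if (o >= outcap) return -1;           /* output buffer too small */
        out[o++] = c;
    }
    return -1;                                /* unterminated string */
}

/* Convenience wrapper for NUL-terminated input; NUL-terminates the output. */
int pdf_unescape_cstr(const char *in, char *out, size_t outcap)
{
    int n = outcap ? pdf_unescape(in, strlen(in), out, outcap - 1) : -1;
    if (n >= 0) out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample: the 0x5C 0x20 pair the post found between digits. */
    char buf[32];
    int n = pdf_unescape_cstr("(12\\ 345)", buf, sizeof buf);
    printf("%d bytes: \"%s\"\n", n, buf);   /* 6 bytes: "12 345" */
    return n == 6 ? 0 : 1;
}
```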
I often create screen recordings for my classes, but it's very boring and time consuming. I'm a perfectionist, and if I mistype a command I prefer to re-record everything. Moreover, every time one of the tools used in the videos gets a significant update, I feel compelled to redo the video.
I have started using xdotool [1] to create bash scripts that send mouse clicks and keystrokes to apps. Interleaving calls to xdotool with the "sleep" command [2] produce a convincing effect. If I need to redo a video to fix typos or after a program update, I just fix the bash script and restart the recording.
Alas, the only thing that is missing in my videos is the sound of keyboard clicks… But nothing is perfect!
For those who weren't or haven't, it was a geofenced, anonymous message board app targeted to college students that became fairly popular over the first two years of its existence before gradually fading into obscurity and finally being shut down in 2017 (but as of 2021 was rebooted with pseudonymous accounts, IIRC). Users could see any messages within a certain radius (0.5 miles or so, I think) and messages could be upvoted and downvoted, and were sorted by their vote score. Messages with a score of -5 disappeared forever, and I think also eventually aged out.
Being a chaotic sophomore with some Android experience, I decided it would be fun to decompile the app and see how it worked. I discovered that each device was assigned an ID based on a timestamp, IMEI, and a few other pieces of information that could be easily spoofed, by calling a fixed HTTP endpoint to generate as many new IDs as I liked.
I generated ~500 or so IDs using some Java code, hardcoded them into a .class file, and added some hooks to intercept existing calls to set up the Android UI and add my own event listeners. From there I added a button to the app's menu bar with a radiation hazard icon that would use the generated IDs to nuke every message in range of the user, downvoting them all to -5 and causing them all to disappear instantly. I also added the ability to long-press the upvote and downvote buttons, which would bring up a dialog with a slider allowing the user to upvote or downvote any post up to 500 times, sending it to the top of the list (or downvoting it to oblivion). Finally, I rebuilt the app with my added .class file patch.
Needless to say, this was a source of great fun and mischief for my friends and me. The most entertaining event was attending a hackathon at our (much larger) rival university's campus, where we nuked every local post a few times a day for 72 hours and voted our own posts up 500 times.
It was fun to mess with for a few months or so. We never distributed the patched app, for obvious reasons, and we never used it for anything truly malicious beyond being a mild local nuisance denial-of-service.
In the early 90s, when ECUs were just becoming a thing, my colleague, who was a weekend rally driver, plonked one on my desk and asked if I could figure out how it worked and, if possible, to tune engine parameters for maximum performance.
I identified the microprocessor as a 6502, based on board topology, even though all IC markings were removed. At the time (before the internet), I could not find a 6502 disassembler, so I wrote my own. I successfully decompiled the code, figured out how it worked and found the parameter "maps" stored in ROM.
Loaded these into Matlab and wrote scripts to allow my colleague to tune the maps and write them back to EEPROM.
It was a couple of weekends' work for me, and I never thought about monetizing the knowledge. Several years later, I met another colleague who did the same for the Mazda RX7 ECU, and made a tidy side income selling "performance ROMs". C'est la vie.
A few years ago, the company I work at switched to using Alpine-based docker images for most containerized things. One side effect was that our Ansible playbooks (running from inside one of these containers) would fail with inconsistent network timeouts when targeting a couple thousand servers. It turned out that the issue wasn't with the network nor with Ansible. The way that Ansible invoked some library functions for keeping track of SSH connections caused it to create a bunch of POSIX semaphores via sem_open().
glibc had a dynamically allocated data structure to keep track of semaphores, but musl libc only had a fixed-size 256 element array. When the semaphore limit was exhausted, Ansible would fail to keep track of the connections, resulting in a network timeout error message. I fixed the problem by forking musl's semaphore functions, making the array resizable, and loading the implementation with LD_PRELOAD: https://github.com/chenxiaolong/musl-sem-ext. Worked perfectly for 6 years until we decommed our data center :)
[1] https://telegram.games/telegram-games/lumberjack/
[+] [-] ww520|3 years ago|reply
I looked into the problem and found that the memory allocation used malloc and free. I then defined macros for malloc and free in a common header to call my_malloc and my_free functions with the standard __FILE__ and __LINE__ macros passed in as parameters. Re-compiled the whole program with the macros, which redirected every call of malloc and free to my functions. My functions logged all the calls with the allocated memory pointer, the filename, and the line number. Once I collected enough log data from test runs, I sorted the lines in the log file by the memory pointer address. Every pointer address should come in pair, one from the malloc() and one from the free(). The odd number pointer addresses are the ones with missing free(). And I got their filename and line number right there.
Dedime|3 years ago
I was curious to see if they had checked out my personal website, so I grabbed my webserver logs and I recognized one IP from the city the job was based in. More than likely, the public IP of the business in question.
On a whim, I ran the IP through Shodan.io and it showed that 47808 was open - the BACnet protocol. I had no idea what this protocol was, but I was able to download some odd enterprisey software that had the ability to speak BACnet. I connected to the IP:Port and found a long list of connected things - water levels, temperatures, lights, and more.
I wasn't interested in doing anything questionable with this information. I'm not even certain it allowed me to do anything more than look, but I like to think I could have e.g. turned off lights or adjusted temperatures in the grow rooms. I made the (risky) executive decision to let the hiring manager know that their public IP had an important port open to the world. I wound up getting hired by that business, and the first task I was assigned was to fix the open port.
I'm not sure if that counts as "hacking", but I was proud of finding the vulnerability / misconfiguration nonetheless.
alasdair_|3 years ago
I discovered (by watching another customer) that a certain kind of very expensive Scottish smoked salmon was 4 pence more expensive than the price listed on the shelf. The supermarket (Tesco) also had a large sign stating that if the price was wrong on any item, they would both give you the item for free and the money it costs.
I promptly went and loaded up a cart with nothing but smoked salmon.
It took 42 minutes of arguing with different store managers and pointing to the sign, but I managed to eat for free that week and even had enough to pay my electricity bill.
The reason I don’t feel bad is that particular store very, very often charged the customers more than the listed price and no one ever seemed to catch them.
I went in three months later, and the same salmon still rang up at 4p more than it was listed at.
alhirzel|3 years ago
pedrovhb|3 years ago
I learned then that sudo was really just a binary, so I tried to get a copy and put it in the right place. I couldn't, though, because I didn't have write permissions to it without sudo!
In hindsight I guess I could've just run the binary itself to get access, or put it elsewhere on my $PATH, or use `su` instead. Not sure if I tried those things, it was a while ago and I was pretty new to Linux. Maybe I got the file from the internet and didn't know to make it executable.
Anyway, what I ended up doing was booting up from a live Ubuntu USB and copying the sudo from the live environment to my installation on disk. It worked, and my newbie self felt like a proper hacker, fixing the unfixable. For one day I was a heart transplant surgeon :)
hanche|3 years ago
AlexSW|3 years ago
bentcorner|3 years ago
(And its HN thread, with other recovery stories: https://news.ycombinator.com/item?id=25491790)
Fethbita|3 years ago
nedt|3 years ago
edent|3 years ago
I discovered that, with a lot of tapping at exactly the right time, I could launch the marketplace.
With a lot of tapping at the right time I could trigger a voice search.
I then told it to install an app which disabled the lock screen.
With, again, a lot of tapping at just the right time and place I was able to launch the app and get into the phone.
Led to my first bug bounty (a new Samsung phone!) and my first million-view YouTube video.
https://shkspr.mobi/blog/2013/03/new-bypass-samsung-lockscre...
sokoloff|3 years ago
Then I remembered my old Atari 8-bit programming days and the vertical blank interrupt (which there was on the PSX, but we couldn't run all the physics in the VBI time allotment). What we could do though, was to use setjmp/longjmp to switch contexts between threads and then hack the vertical blank interrupt to save off the registers from the main thread, longjmp back to the physics thread, which would then restore the registers of the main thread and longjmp back to it. Bingo, 29.94Hz pre-emptive two-threading (which was all we needed).
(I don't recall if we actually used setjmp/longjmp or if we just stored away the PC register to return from the interrupt and monkeyed with it to return from the interrupt to the physics thread [as if it was interrupted at the start of a cycle of the engine] and then return from there to code that would restore the registers and make it appear to the main thread that it was returning from a VBI.)
mirkules|3 years ago
Within 3 days, I wrote a script to locate the dealerships, load each of the carriers' web pages, enter the address/coordinates into their coverage map, then take a screenshot of the results. Each of the carriers, of course, had their own way of displaying the coverage information, but it was mostly a color-coded map (example: green area = 3G, blue area = edge, gray area = no reception). So, I wrote another script to process the screenshots and deduce what kind of reception they had at the dealership (some 3500 in total, if I remember right).
Unfortunately, this feat was met with the proverbial "great, while you're fixing things can you also fix the printer" kind of response, but damn if I wasn't proud to compress a few weeks into 3 days in a clever way, even if I had no one to appreciate it.
By the way, the reason we needed this information is that we were rolling out Lexus RES+ (an early version of the remote engine starter) and they wanted to make sure that every single one of the dealerships could demo the service to potential customers.
extr|3 years ago
So what I did was build a Greasemonkey script to watch the DOM as they went through the sales flow and record the values as they were entered. I then built a decision tree model of moderate size, exported it to a string, and converted that into a big JavaScript function. Then, if the model said things were looking good, I modified the DOM to insert a little "alert" box on the top of the page. I handled all the state manually in case they navigated away or did things in a funny order. I knew zero JS or web development at the time, so this was SUPER hacky. But it worked! I then manually walked around to sales agent computers and installed the Greasemonkey extension/script. I even got IT involved eventually to serve the script from an internal endpoint, allowing for easier updates.
The actual model ended up being just okay, and didn't have a huge impact on actual sales, but the exec team was SUPER impressed with the delivery mechanism. We had a parent company and they loved to brag to their superiors how we had deployed a machine learning model "for zero IT cost". They had me do a writeup and everything in case someone wanted to copy my revolutionary idea. I'm sure some guy at the HQ took a look at my writeup and got a good laugh out of how incredibly obtuse, insecure, and hacky the whole thing was.
That said, I still think it was a clever solution and even wondered about turning it into some kind of product at one point.
osdotsystem|3 years ago
btbuildem|3 years ago
I wrote a pile of scripts that scraped both sites, parsed and cached the data, and displayed it on a map. I was able to set search criteria based on location, and kludged it so that if something good came up, the system would automatically email the landlord if they made the email available, text them if they left a number, and text me a notification with a link.
The scraper eventually got pretty fancy as I expanded the service across multiple cities - it self-throttled and self-scheduled, based on the average frequency of postings on each platform in each city at a given time of day. The repost detector was working pretty well too; it added a layer of data to the results (e.g., "this rental was re-listed 12 times in the past two weeks").
Once I found a place I liked, I made the site public and shared it with some friends, and it didn't take long until I was seeing steady daily use. The site even won an award from CIRA.ca!
I wrapped things up when I learned of Craigslist suing Padmapper for scraping their data. I wasn't monetizing, it was a cool project, but it felt like it was done.
runamok|3 years ago
tiffanyh|3 years ago
School district thought they blocked access to the built-in OS games.
Nope, from any program (Wordpad, etc) you could FILE -> OPEN to find/launch/play Minesweeper.
Nothing makes an 8-year-old feel more like a "hacker" than subverting school controls to play video games, while also gaining cred with your friends.
The good ol' days.
shaunrussell|3 years ago
I discovered that I could use VBA from Word to shell out to cmd bypassing all of the security. This opened a world of possibilities...
This being the era of AOL punters, I created a neat VBA utility in a Word doc that used net send to spam other computers in the school. Shared the file widely.
Then I used the technique to explore the network... eventually was able to use net use to connect to a remote drive in the school administrator's office where I found a text file of every student birthday, home address, and SSN... which I then could use to sign into anyone's account (password was derivative of name and SSN).
Culminated with pwning a school rival by putting all his files in a password protected zip on the desktop and dropping a batch file in his startup folder that printed a text file with the password to the printer when he logged in.
young_hopper|3 years ago
My hypothesis was that the IT guys were lazy and just unblocked anything in that directory. Even if a networked computer didn't have this program on it, you could just recreate the directory structure and drop any portable executable there and run it. Pretty soon we were all playing brood war in every free period.
grose|3 years ago
paranoidrobot|3 years ago
One of the schools I went to had a computer lab in the Library, which ran on Windows NT 4. I found so many work-arounds to their security controls that they ended up making me an admin and told me to fix them all. That was my intro into group policies and domain management.
Another student made a credential-phishing program - it was a full-screen VB6 app that looked like the normal NT4 login. They'd log in, launch the credential-phishing app, and then walk away. It wrote the stolen creds to their 'home' drive and then logged out after showing some fake "There was a problem with your password, try again" message.
Many years later, but still on NT4/Windows 2000, at technical school we found that the campus-wide internet was run through a single Windows-based proxy, with rules on the router to prevent traffic to the internet except from that proxy.
They also did various content-filtering things, allowing only certain white-listed sites.
At that time Windows's networking was iffy - and if it detected that another computer was using the same IP, it'd disconnect itself from the network.
Our class had a computer lab with removable 3.5" drives and we were learning about setting up networks. Well, install a Linux distro, install squid with rules to allow all traffic. Then once it was working, change your machine's IP to that of the proxy. Now the entire campus's internet traffic was going via your lab machine, and you had free access to the internet. We just kept a 'proxy' disk around and put it in anytime we needed something that wasn't whitelisted. I don't know whether the network admins didn't care or didn't know, because it wasn't fixed for a few years.
Tijdreiziger|3 years ago
At the time, I was learning PHP, having stepped up from plain HTML/CSS. I had also discovered that I could run a web server (XAMPP).
So, one PHP script later, and sure enough… command line access through the browser!
smeagull|3 years ago
It's also possible to have binary files that only consist of readable bytes that can be saved in notepad.
dyingkneepad|3 years ago
zzo38computer|3 years ago
I had also figured out using VBA in Microsoft Word.
Once the teacher took the students to the computer lab to make greeting cards, but the program to do so was no longer in the menu; fortunately I knew where it was and was able to describe it (using VBA in Microsoft Word) so that everyone in the class could load the program.
Later, they removed many restrictions but all files were reset when rebooting, so any program could be accessed without damaging it.
Something less prohibited was defining a password for print jobs to avoid getting them mixed up with everyone else's.
LelouBil|3 years ago
Creating a .bat file and double clicking on it got it loading just fine.
I didn't find any cool tricks to do with it besides just running it.
bravoetch|3 years ago
The resume is the dumbest blocker in our society. If you can do the job, just write that on your resume along with whatever else you think they want to see.
sharadov|3 years ago
abrookewood|3 years ago
dgs_sgd|3 years ago
jansan|3 years ago
Sounds better than working as a product manager for 25 years.
throwaway48384|3 years ago
Two things I did that were very fun:
1. School blocked a lot of popular flash game websites. My friends and I downloaded a bunch of flash games and threw together a website that we hosted on our chromebooks using '200 OK - Webserver for Chrome' or something. It was just a bunch of janky HTML and CSS, but we got it working. The school didn't block it because it was on the local network. We handed out slips of paper to our friends with the local IP address of my laptop. At one point someone made a Google Site with a link to the local address. It was a hack, but playing RUN 2 on your chromebook during social studies in 5th grade... man, those were the days.
2. Around that time one of my friends stumbled across crouton, a way to run Linux on a chromebook in parallel with ChromeOS. After a lot of trial and error (didn't know what bash was at the time), we were able to get Ubuntu installed. I remember downloading Blender and trying to do a fluid sim, which was super slow. I was able to render the first 20 frames of a domino and fluid animation using Cycles, which I still have sitting on my hard drive somewhere to this day.
Those were some of my first hacks; older me is surprised how much younger me was able to get done given how much younger me didn't know.
drewzero1|3 years ago
nickcoury|3 years ago
avidphantasm|3 years ago
superdisk|3 years ago
I pasted the C files into Eclipse, deleted some `register` keywords, made a bunch of tweaks, and it ran fine as Java.
pkphilip|3 years ago
sshine|3 years ago
I added support for the '\ ' PostScript escaped space sequence to a custom, high-performance PDF parser.
A former employer used this to derive key figures from financial statements. Any change to the parser had to be Pareto-optimal: so if you modified the parser, it should not fail to parse any key figure that was previously possible to parse. Adding this improved reading word-wrapped text in hundreds of cases and key figures in dozens; I recall that my bosses thought it must be a mistake, and that I had to convince them by finding the right section in some Adobe PDF spec.
I wasn't an expert at the PDF format. But stumbling on a number split in two by apparently nothing, and digging up a 0x5C 0x20 '\ ' with a hex editor, I seemed to recall that PDF was built on top of PostScript, and that TeX / LaTeX syntax was somehow related to PostScript. So it struck me that what was a literal backslash in the PDF must just be an escape sequence.
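An added example (not sshine's parser or the former employer's code) of decoding the escape sequences of a PDF literal string per the PDF 1.7 specification, section 7.3.4.2, including the '\ ' case from the comment: a backslash before a character that is not one of the defined escapes is dropped and the character itself is kept, so the 0x5C 0x20 pair decodes to a plain space rather than splitting the number.

```c
#include <stddef.h>
#include <string.h>

/* Decode a PDF literal string's escapes (the bytes between the parentheses)
 * into out, appending a NUL. out needs at least len + 1 bytes. Returns the
 * number of decoded bytes. Handles \n \r \t \b \f \( \) \\, one-to-three
 * digit octal \ddd, \<end-of-line> continuation, and the "backslash before
 * anything else is ignored" rule that covers '\ '. */
size_t pdf_unescape(const char *in, size_t len, char *out) {
    size_t i = 0, n = 0;
    while (i < len) {
        char c = in[i++];
        if (c != '\\') { out[n++] = c; continue; }
        if (i >= len) break;                 /* dangling backslash at end: drop it */
        c = in[i++];
        switch (c) {
        case 'n': out[n++] = '\n'; break;
        case 'r': out[n++] = '\r'; break;
        case 't': out[n++] = '\t'; break;
        case 'b': out[n++] = '\b'; break;
        case 'f': out[n++] = '\f'; break;
        case '\r':                           /* \<EOL> continues the string: emit nothing */
            if (i < len && in[i] == '\n') i++;
            break;
        case '\n': break;
        default:
            if (c >= '0' && c <= '7') {      /* \ddd: up to three octal digits */
                int v = c - '0', k = 1;
                while (k < 3 && i < len && in[i] >= '0' && in[i] <= '7') {
                    v = v * 8 + (in[i++] - '0');
                    k++;
                }
                out[n++] = (char)(v & 0xFF);  /* high-order overflow is ignored, per spec */
            } else {
                out[n++] = c;                 /* \( \) \\ and any other byte, e.g. '\ ' */
            }
        }
    }
    out[n] = '\0';
    return n;
}
```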
ziotom78|3 years ago
I have started using xdotool [1] to create bash scripts that send mouse clicks and keystrokes to apps. Interleaving calls to xdotool with the "sleep" command [2] produces a convincing effect. If I need to redo a video to fix typos or after a program update, I just fix the bash script and restart the recording.
Alas, the only thing that is missing in my videos is the sound of keyboard clicks… But nothing is perfect!
[1] https://github.com/jordansissel/xdotool
[2] https://en.wikipedia.org/wiki/Sleep_(command)
zanecodes|3 years ago
For those who weren't or haven't, it was a geofenced, anonymous message board app targeted to college students that became fairly popular over the first two years of its existence before gradually fading into obscurity and finally being shut down in 2017 (but as of 2021 was rebooted with pseudonymous accounts, IIRC). Users could see any messages within a certain radius (0.5 miles or so, I think) and messages could be upvoted and downvoted, and were sorted by their vote score. Messages with a score of -5 disappeared forever, and I think also eventually aged out.
Being a chaotic sophomore with some Android experience, I decided it would be fun to decompile the app and see how it worked. I discovered that each device was assigned an ID based on a timestamp, IMEI, and a few other pieces of information that could be easily spoofed, by calling a fixed HTTP endpoint to generate as many new IDs as I liked.
I generated ~500 or so IDs using some Java code, hardcoded them into a .class file, and added some hooks to intercept existing calls to set up the Android UI and add my own event listeners. From there I added a button to the app's menu bar with a radiation hazard icon that would use the generated IDs to nuke every message in range of the user, downvoting them all to -5 and causing them all to disappear instantly. I also added the ability to long-press the upvote and downvote buttons, which would bring up a dialog with a slider allowing the user to upvote or downvote any post up to 500 times, sending it to the top of the list (or downvoting it to oblivion). Finally, I rebuilt the app with my added .class file patch.
Needless to say, this was a source of great fun and mischief for my friends and me. The most entertaining event was attending a hackathon at our (much larger) rival university's campus, where we nuked every local post a few times a day for 72 hours and voted our own posts up 500 times.
It was fun to mess with for a few months or so. We never distributed the patched app, for obvious reasons, and we never used it for anything truly malicious beyond being a mild local nuisance denial-of-service.
deepspace|3 years ago
I identified the microprocessor as a 6502, based on board topology, even though all IC markings were removed. At the time (before the internet), I could not find a 6502 disassembler, so I wrote my own. I successfully decompiled the code, figured out how it worked and found the parameter "maps" stored in ROM.
I loaded these into Matlab and wrote scripts to allow my colleague to tune the maps and write them back to EEPROM.
It was a couple of weekends' work for me, and I never thought about monetizing the knowledge. Several years later, I met another colleague who did the same for the Mazda RX7 ECU, and made a tidy side income selling "performance ROMs". C'est la vie.
chenxiaolong|3 years ago
glibc had a dynamically allocated data structure to keep track of semaphores, but musl libc only had a fixed-size 256 element array. When the semaphore limit was exhausted, Ansible would fail to keep track of the connections, resulting in a network timeout error message. I fixed the problem by forking musl's semaphore functions, making the array resizable, and loading the implementation with LD_PRELOAD: https://github.com/chenxiaolong/musl-sem-ext. Worked perfectly for 6 years until we decommed our data center :)