Elk grove school ratings: Access to this page has been denied.
Top 10 Best Elk Grove, CA Public Schools (2022-23)
School (Math and Reading Proficiency)
Location
Grades
Students
Rank: #11.
Pleasant Grove High School
Math: 66% | Reading: 79%
Rank:
Top 10%
Add to Compare
9531 Bond Rd.
Elk Grove, CA 95624
(916) 686-0230
Grades: 9-12
| 2,570 students
Rank: #22.
Zehnder Ranch Elementary School
Math: 66% | Reading: 75%
Rank:
Top 20%
Add to Compare
9880 Denali Cir.
Elk Grove, CA 95757
(916) 793-3300
Grades: K-6
| 1,313 students
Rank: #33.
Stone Lake Elementary School
Math: 66% | Reading: 74%
Rank:
Top 20%
Add to Compare
9673 Lakepoint Dr.
Elk Grove, CA 95758
(916) 683-4096
Grades: K-6
| 718 students
Rank: #44.
Elliott Ranch Elementary School
Math: 67% | Reading: 71%
Rank:
Top 20%
Add to Compare
10000 E. Taron Dr.
Elk Grove, CA 95757
(916) 683-3877
Grades: K-6
| 687 students
Rank: #55.
Katherine L. Albiani Middle School
Math: 60% | Reading: 75%
Rank:
Top 20%
Add to Compare
9140 Bradshaw Rd.
Elk Grove, CA 95624
(916) 686-5210
Grades: 7-8
| 1,367 students
Rank: #66.
Franklin High School
Math: 57% | Reading: 74%
Rank:
Top 20%
Add to Compare
6400 Whitelock Pkwy.
Elk Grove, CA 95757
(916) 714-8150
Grades: 9-12
| 2,883 students
Rank: #77.
Carroll Elementary School
Math: 64% | Reading: 69%
Rank:
Top 20%
Add to Compare
10325 Stathos Dr.
Elk Grove, CA 95757
(916) 714-0106
Grades: K-6
| 898 students
Rank: #88.
Roy Herburger Elementary School
Math: 62% | Reading: 70%
Rank:
Top 20%
Add to Compare
8670 Maranello Dr.
Elk Grove, CA 95624
(916) 681-1390
Grades: K-6
| 919 students
Rank: #99.
Elizabeth Pinkerton Middle School
Math: 60% | Reading: 71%
Rank:
Top 20%
Add to Compare
8365 Whitelock Pkwy.
Elk Grove, CA 95757
(916) 683-7680
Grades: 7-8
| 1,044 students
Rank: #1010.
Franklin Elementary School
Math: 59% | Reading: 68%
Rank:
Top 20%
Add to Compare
5401 Dorcey Dr.
Elk Grove, CA 95757
(916) 684-6518
Grades: K-6
| 815 students
Rank: #1111.
Pleasant Grove Elementary School
Math: 63% | Reading: 64%
Rank:
Top 20%
Add to Compare
10160 Pleasant Grove Sch Rd.
Elk Grove, CA 95624
(916) 685-9630
Grades: K-6
| 369 students
Rank: #1212.
Cosumnes Oaks High School
Math: 53% | Reading: 71%
Rank:
Top 20%
Add to Compare
8350 Lotz Pkwy.
Elk Grove, CA 95757
(916) 683-7670
Grades: 9-12
| 2,075 students
Rank: #1313.
Arlene Hein Elementary School
Math: 59% | Reading: 66%
Rank:
Top 20%
Add to Compare
6820 Bellaterra Dr.
Elk Grove, CA 95757
(916) 714-0654
Grades: K-6
| 970 students
Rank: #1414.
Toby Johnson Middle School
Math: 60% | Reading: 65%
Rank:
Top 20%
Add to Compare
10099 Franklin High Rd.
Elk Grove, CA 95757
(916) 714-8181
Grades: 7-8
| 1,337 students
Rank: #1515.
Helen Carr Castello Elementary School
Math: 59% | Reading: 62%
Rank:
Top 20%
Add to Compare
9850 Fire Poppy Dr.
Elk Grove, CA 95757
(916) 686-1725
Grades: K-6
| 841 students
Rank: #1616.
Edna Batey Elementary School
Math: 57% | Reading: 62%
Rank:
Top 30%
Add to Compare
9421 Stonebrook Dr.
Elk Grove, CA 95624
(916) 714-5520
Grades: K-6
| 867 students
Rank: #1717.
Raymond Case Elementary School
Math: 53% | Reading: 61%
Rank:
Top 30%
Add to Compare
8565 Shasta Lily Dr.
Elk Grove, CA 95624
(916) 681-8820
Grades: K-6
| 806 students
Rank: #1818.
Elk Grove Elementary School
Math: 51% | Reading: 60%
Rank:
Top 30%
Add to Compare
9373 Crowell Dr.
Elk Grove, CA 95624
(916) 686-3766
Grades: K-6
| 855 students
Rank: #1919.
Arthur C. Butler Elementary School
Math: 50% | Reading: 58%
Rank:
Top 30%
Add to Compare
9180 Brown Rd.
Elk Grove, CA 95624
(916) 681-7595
Grades: K-6
| 842 students
Rank: #2020.
Joseph Sims Elementary School
Math: 53% | Reading: 56%
Rank:
Top 30%
Add to Compare
3033 Buckminster Dr.
Elk Grove, CA 95758
(916) 683-7445
Grades: K-6
| 836 students
Rank: #2121.
Irene B. West Elementary School
Math: 48% | Reading: 59%
Rank:
Top 30%
Add to Compare
8625 Serio Way
Elk Grove, CA 95758
(916) 683-4362
Grades: K-6
| 933 students
Rank: #2222.
Laguna Creek High School
Math: 37% | Reading: 69%
Rank:
Top 30%
Add to Compare
9050 Vicino Dr.
Elk Grove, CA 95758
(916) 683-1339
Grades: 9-12
| 2,115 students
Rank: #2323.
Joseph Kerr Middle School
Math: 49% | Reading: 55%
Rank:
Top 50%
Add to Compare
8865 Elk Grove Blvd.
Elk Grove, CA 95624
(916) 686-7728
Grades: 7-8
| 884 students
Rank: #2424.
Ellen Feickert Elementary School
Math: 47% | Reading: 55%
Rank:
Top 50%
Add to Compare
9351 Feickert Dr.
Elk Grove, CA 95624
(916) 686-7716
Grades: K-6
| 594 students
Rank: #2525.
James A.
Mckee Elementary School
Math: 48% | Reading: 54%
Rank:
Top 50%
Add to Compare
8701 Halverson Dr.
Elk Grove, CA 95624
(916) 686-3715
Grades: K-6
| 496 students
Rank: #2626.
Foulks Ranch Elementary School
Math: 46% | Reading: 56%
Rank:
Top 50%
Add to Compare
6211 Laguna Park Dr.
Elk Grove, CA 95758
(916) 686-8177
Grades: K-6
| 805 students
Rank: #2727.
Marion Mix Elementary School
Math: 42% | Reading: 56%
Rank:
Top 50%
Add to Compare
4730 Laguna Park Dr.
Elk Grove, CA 95758
(916) 509-8877
Grades: K-6
| 785 students
Rank: #2828.
Monterey Trail High School
Math: 34% | Reading: 61%
Rank:
Top 50%
Add to Compare
8661 Power Inn Rd.
Elk Grove, CA 95624
(916) 688-0050
Grades: 9-12
| 2,355 students
Rank: #2929.
John Ehrhardt Elementary School
Math: 41% | Reading: 52%
Rank:
Top 50%
Add to Compare
8900 Old Creek Dr.
Elk Grove, CA 95758
(916) 686-7259
Grades: K-6
| 835 students
Rank: #3030.
Edward Harris Jr. Middle School
Math: 39% | Reading: 53%
Rank:
Top 50%
Add to Compare
8691 Power Inn Rd.
Elk Grove, CA 95624
(916) 688-0080
Grades: 7-8
| 1,215 students
Rank: #3131.
Elk Grove High School
Math: 34% | Reading: 58%
Rank:
Top 50%
Add to Compare
9800 Elk Grove-florin Rd.
Elk Grove, CA 95624
(916) 686-7741
Grades: 9-12
| 1,854 students
Rank: #3232.
Harriet G. Eddy Middle School
Math: 38% | Reading: 49%
Rank:
Top 50%
Add to Compare
9329 Soaring Oaks Dr.
Elk Grove, CA 95758
(916) 683-1302
Grades: 7-8
| 1,091 students
Rank: #3333.
Florence Markofer Elementary School
Math: 42% | Reading: 41%
Rank:
Bottom 50%
Add to Compare
9759 Tralee Way
Elk Grove, CA 95624
(916) 686-7714
Grades: K-6
| 644 students
Rank: #3434.
Elitha Donner Elementary School
Math: 33% | Reading: 47%
Rank:
Bottom 50%
Add to Compare
9461 Soaring Oaks Dr.
Elk Grove, CA 95758
(916) 683-3073
Grades: K-6
| 699 students
Rank: #3535.
Elk Grove Charter
Charter School
Math: 10-14% | Reading: 35-39%
Rank:
Bottom 50%
Add to Compare
10065 Atkins Dr.
Elk Grove, CA 95757
(916) 714-1653
Grades: 7-12
| 240 students
Show 2 more public schools in Elk Grove, CA (out of 37 total schools)
Loading…
Elk Grove Unified School District (2022-23)
School (Math and Reading Proficiency)
Location
Grades
Students
Rank: #11.
Arnold Adreani Elementary School
Math: 81% | Reading: 84%
Rank:
Top 5%
Add to Compare
9927 Wildhawk W. Dr.
Sacramento, CA 95829
(916) 525-0630
Grades: K-6
| 831 students
Rank: #22.
Pleasant Grove High School
Math: 66% | Reading: 79%
Rank:
Top 10%
Add to Compare
9531 Bond Rd.
Elk Grove, CA 95624
(916) 686-0230
Grades: 9-12
| 2,570 students
Rank: #33.
Cosumnes River Elementary School
Math: 68% | Reading: 76%
Rank:
Top 10%
Add to Compare
13580 Jackson Rd.
Sloughhouse, CA 95683
(916) 682-2653
Grades: K-6
| 339 students
Rank: #44.
Zehnder Ranch Elementary School
Math: 66% | Reading: 75%
Rank:
Top 20%
Add to Compare
9880 Denali Cir.
Elk Grove, CA 95757
(916) 793-3300
Grades: K-6
| 1,313 students
Rank: #55.
Robert J.
Mcgarvey Elementary School
Math: 69% | Reading: 72%
Rank:
Top 20%
Add to Compare
4350 Sophistry Dr.
Rancho Cordova, CA 95742
(916) 793-3400
Grades: K-6
| 802 students
Rank: #66.
Stone Lake Elementary School
Math: 66% | Reading: 74%
Rank:
Top 20%
Add to Compare
9673 Lakepoint Dr.
Elk Grove, CA 95758
(916) 683-4096
Grades: K-6
| 718 students
Rank: #77.
Elliott Ranch Elementary School
Math: 67% | Reading: 71%
Rank:
Top 20%
Add to Compare
10000 E. Taron Dr.
Elk Grove, CA 95757
(916) 683-3877
Grades: K-6
| 687 students
Rank: #88.
Katherine L.
Albiani Middle School
Math: 60% | Reading: 75%
Rank:
Top 20%
Add to Compare
9140 Bradshaw Rd.
Elk Grove, CA 95624
(916) 686-5210
Grades: 7-8
| 1,367 students
Rank: #99.
Sunrise Elementary School
Math: 65% | Reading: 71%
Rank:
Top 20%
Add to Compare
11821 Cobble Brook Dr.
Rancho Cordova, CA 95742
(916) 985-4350
Grades: K-6
| 783 students
Rank: #1010.
Franklin High School
Math: 57% | Reading: 74%
Rank:
Top 20%
Add to Compare
6400 Whitelock Pkwy.
Elk Grove, CA 95757
(916) 714-8150
Grades: 9-12
| 2,883 students
Rank: #1111.
Carroll Elementary School
Math: 64% | Reading: 69%
Rank:
Top 20%
Add to Compare
10325 Stathos Dr.
Elk Grove, CA 95757
(916) 714-0106
Grades: K-6
| 898 students
Rank: #1212.
Roy Herburger Elementary School
Math: 62% | Reading: 70%
Rank:
Top 20%
Add to Compare
8670 Maranello Dr.
Elk Grove, CA 95624
(916) 681-1390
Grades: K-6
| 919 students
Rank: #1313.
Elizabeth Pinkerton Middle School
Math: 60% | Reading: 71%
Rank:
Top 20%
Add to Compare
8365 Whitelock Pkwy.
Elk Grove, CA 95757
(916) 683-7680
Grades: 7-8
| 1,044 students
Rank: #1414.
Franklin Elementary School
Math: 59% | Reading: 68%
Rank:
Top 20%
Add to Compare
5401 Dorcey Dr.
Elk Grove, CA 95757
(916) 684-6518
Grades: K-6
| 815 students
Rank: #1515.
Pleasant Grove Elementary School
Math: 63% | Reading: 64%
Rank:
Top 20%
Add to Compare
10160 Pleasant Grove Sch Rd.
Elk Grove, CA 95624
(916) 685-9630
Grades: K-6
| 369 students
Rank: #1616.
C. W. Dillard Elementary School
Math: 60% | Reading: 66%
Rank:
Top 20%
Add to Compare
9721 Dillard Rd.
Wilton, CA 95693
(916) 687-6121
Grades: K-6
| 388 students
Rank: #1717.
Cosumnes Oaks High School
Math: 53% | Reading: 71%
Rank:
Top 20%
Add to Compare
8350 Lotz Pkwy.
Elk Grove, CA 95757
(916) 683-7670
Grades: 9-12
| 2,075 students
Rank: #1818.
Arlene Hein Elementary School
Math: 59% | Reading: 66%
Rank:
Top 20%
Add to Compare
6820 Bellaterra Dr.
Elk Grove, CA 95757
(916) 714-0654
Grades: K-6
| 970 students
Rank: #1919.
Toby Johnson Middle School
Math: 60% | Reading: 65%
Rank:
Top 20%
Add to Compare
10099 Franklin High Rd.
Elk Grove, CA 95757
(916) 714-8181
Grades: 7-8
| 1,337 students
Rank: #2020.
Helen Carr Castello Elementary School
Math: 59% | Reading: 62%
Rank:
Top 20%
Add to Compare
9850 Fire Poppy Dr.
Elk Grove, CA 95757
(916) 686-1725
Grades: K-6
| 841 students
Rank: #2121.
Edna Batey Elementary School
Math: 57% | Reading: 62%
Rank:
Top 30%
Add to Compare
9421 Stonebrook Dr.
Elk Grove, CA 95624
(916) 714-5520
Grades: K-6
| 867 students
Rank: #2222.
Raymond Case Elementary School
Math: 53% | Reading: 61%
Rank:
Top 30%
Add to Compare
8565 Shasta Lily Dr.
Elk Grove, CA 95624
(916) 681-8820
Grades: K-6
| 806 students
Rank: #2323.
Elk Grove Elementary School
Math: 51% | Reading: 60%
Rank:
Top 30%
Add to Compare
9373 Crowell Dr.
Elk Grove, CA 95624
(916) 686-3766
Grades: K-6
| 855 students
Rank: #2424.
Arthur C. Butler Elementary School
Math: 50% | Reading: 58%
Rank:
Top 30%
Add to Compare
9180 Brown Rd.
Elk Grove, CA 95624
(916) 681-7595
Grades: K-6
| 842 students
Rank: #2525.
Joseph Sims Elementary School
Math: 53% | Reading: 56%
Rank:
Top 30%
Add to Compare
3033 Buckminster Dr.
Elk Grove, CA 95758
(916) 683-7445
Grades: K-6
| 836 students
Rank: #2626.
Irene B. West Elementary School
Math: 48% | Reading: 59%
Rank:
Top 30%
Add to Compare
8625 Serio Way
Elk Grove, CA 95758
(916) 683-4362
Grades: K-6
| 933 students
Rank: #2727.
Laguna Creek High School
Math: 37% | Reading: 69%
Rank:
Top 30%
Add to Compare
9050 Vicino Dr.
Elk Grove, CA 95758
(916) 683-1339
Grades: 9-12
| 2,115 students
Rank: #2828.
Joseph Kerr Middle School
Math: 49% | Reading: 55%
Rank:
Top 50%
Add to Compare
8865 Elk Grove Blvd.
Elk Grove, CA 95624
(916) 686-7728
Grades: 7-8
| 884 students
Rank: #2929.
Ellen Feickert Elementary School
Math: 47% | Reading: 55%
Rank:
Top 50%
Add to Compare
9351 Feickert Dr.
Elk Grove, CA 95624
(916) 686-7716
Grades: K-6
| 594 students
Rank: #3030.
James A.
Mckee Elementary School
Math: 48% | Reading: 54%
Rank:
Top 50%
Add to Compare
8701 Halverson Dr.
Elk Grove, CA 95624
(916) 686-3715
Grades: K-6
| 496 students
Rank: #3131.
Foulks Ranch Elementary School
Math: 46% | Reading: 56%
Rank:
Top 50%
Add to Compare
6211 Laguna Park Dr.
Elk Grove, CA 95758
(916) 686-8177
Grades: K-6
| 805 students
Rank: #3232.
Sheldon High School
Math: 35% | Reading: 67%
Rank:
Top 50%
Add to Compare
8333 Kingsbridge Dr.
Sacramento, CA 95829
(916) 681-7500
Grades: 9-12
| 2,598 students
Rank: #3333.
Marion Mix Elementary School
Math: 42% | Reading: 56%
Rank:
Top 50%
Add to Compare
4730 Laguna Park Dr.
Elk Grove, CA 95758
(916) 509-8877
Grades: K-6
| 785 students
Rank: #3434.
Monterey Trail High School
Math: 34% | Reading: 61%
Rank:
Top 50%
Add to Compare
8661 Power Inn Rd.
Elk Grove, CA 95624
(916) 688-0050
Grades: 9-12
| 2,355 students
Rank: #3535.
John Ehrhardt Elementary School
Math: 41% | Reading: 52%
Rank:
Top 50%
Add to Compare
8900 Old Creek Dr.
Elk Grove, CA 95758
(916) 686-7259
Grades: K-6
| 835 students
Show 31 more public schools in Elk Grove Unified School District (out of 66 total schools)
Loading…
How I hacked all the district schools to show the rickroll, and what came of it / Sudo Null IT News
One of the hijacked displays at Elk Grove High School.
Photo by Tom Tran
On April 30, 2021, the author did a rickroll in his school district. This is not only my school, but the entire city school district 214 (hereinafter – D214), one of the largest school districts in Illinois, consisting of 6 schools with more than 11,000 students.
Details are in this Friday post for the start of the course on ethical hacking.
This is not your typical rick-roll when students carry Rick Astley to presentations, talent shows or Zoom calls. I rickrolled every network display in every school to broadcast “Never Gonna Give You Up” in full sync. The TV in the hallway, the projector in the classroom, or the big screen displaying the lunch menu if they were connected to the network – I hacked them!
In this note, I will tell you how I did it and how I managed to avoid detection, and also about the consequences when I revealed myself and did not get into trouble.
Disclaimer
This post is for educational purposes only.
Don’t do anything like this without explicit permission.
Don’t do anything like this without explicit permission. We’ve prepared full documentation of everything we’ve done, including recommendations for fixing the vulnerabilities we’ve discovered. We submitted a full 26 page penetration testing report to the D214 technical department and worked with the department to help secure their network.
That being said, what we did was very illegal and other administrations could press charges. We are grateful that the administration of D214 treated this with understanding.
Big Rick
To start with, here is some footage of it all:
The first break-in
This story begins in my freshman year, when I didn’t have much technical discipline: a time that I can only describe as the beginning of my scripting childhood . I didn’t understand basic ethics or responsible disclosure and jumped for joy at every opportunity to break something.
So apparently I became curious about technology at my high school.
And by “curiosity” I mean port-scanning the entire range of intranet IP addresses.
I asked a few friends to help with this project, and oh my god, we did it! Our scan was generating so much traffic that the school inspector found out about it and at one point came to ask us to stop. Of course, we did it immediately, but by that time we had already finished scanning the first half of the address space of the 10.0.0.0/8 district – a total of 8,388,606 IP addresses.
We found various unsecured devices in the county’s network. Including printers, IP phones… and even security cameras without password authentication!
14-year-old I am looking at a camera that I remotely accessed from my iPad
And I reiterate: never gain unauthorized access to other systems without permission.
The county’s technical staff was informed of the issue, which they resolved by adding ACL restrictions. However, many devices remained connected to the student network and, more importantly for this article, to the IPTV system!
Exterity IPTV System
Before moving on, I will briefly outline the IPTV system.
It consists of three elements:
-
AvediaPlayer (receivers).
-
AvediaStream (encoders).
-
AvediaServer (management).
AvediaPlayers are small blue boxes that connect to projectors and TVs. They can send serial commands to the appropriate device to turn the display on/off, change inputs/volume, change channels, etc.
These receivers contain both a web interface and an SSH server to execute serial commands. Also, they run embedded Linux with BusyBox tools and use some obscure CPU architecture designed for IoT devices called ARC (Argonaut RISC Core).
AvediaPlayer r9300 receiver that connects to displays. Image by Exterity
Next, the AvediaStream encoders are connected to devices that are streaming video. They encode the live stream coming from these devices to the AvediaPlayer receivers that display this stream. Encoders connect to computers that need to broadcast a stream, such as text carousels or morning announcements.
They also have built-in software similar to AvediaPlayers.
Last but not least, AvediaServers allow administrators to manage all receivers and encoders at the same time. Their typical processors are x86_64 and run the enterprise Linux distribution, CentOS. Like receivers and encoders, they also have web interfaces and SSH servers.
From the first year I had full access to the IPTV system. I only messed around with it a few times and planned to pull a prank on the high school students, but it faded into the back of my mind and was eventually forgotten.
Preparation
This is the second semester of the senior year, the beginning of 2021: all schools have switched to hybrid learning due to the COVID-19 pandemic. Up to this point, face-to-face learning was optional, with most students, myself included, learning remotely. But in March, the superintendent announced that he would be switching to a non-face-to-face teaching model on April 5.
Since almost all the students had to go back to school, I realized that now is the time to organize a graduation prank with the participation of the IPTV system.
After a few days, I decided to share my thoughts with close friends.
One of the top 10 photos taken before the disaster
I gathered a small team around the area and began preparations. We started calling this Operation Big Rick.
1. C2 payload and exploit
The first thing we focused on was figuring out how to control all the projectors at the same time. Although we could send commands to each receiver using the web interface, it would not be ideal if we were spamming HTTP traffic to each receiver at the same time.
Instead, I used SSH access on each receiver (C2) as a control channel. I developed a simple script that served as a staged payload loaded into each receiver in advance. This script contained various functions that could query the web interface locally on the receiver. Due to the increased payload flexibility, I was also able to backup and restore receiver settings in the file system after a rickroll:
#!/bin/sh
# get IP address of receiver's main interface for use in HTTP requests to self
# web server is not bound to localhost, so this IP has to be used
ip_address=$(/sbin/ifconfig | grep -E "([0-9]{1,3}\. ){3}[0-9]{1,3}" | grep -v 127.0.0.1 | awk '{print $2}' | cut -f2 -d:)
# POST helper function
sendRequest() {
content=$1
length=${#content}
header="POST /cgi-bin/json_xfer HTTP/1.1\r\nHost: $ip_address\r\nContent-Type: application/json\r\nContent-Length: $length\r\nAuthorization: Basic bnVueWE6YnVzaW5lc3M=\r\ n\r\n"
echo -e "${header}" "${content}" | nc "$ip_address" 80
}
# JSON POST data to send "power on" serial command
jsonSerialPowerOn='{"params":{"TVCtrlType":"serial","serialPort":"Serial","standbyActions":"tv_off","unstandbyActions":"tv_on","ToggleDelay":"0"," serialActions":"tv_on"},"action":"apply_send"}'
# ... more JSON data payloads
# sample macro function to loop request for three minutes
exampleMacro() {
sec=180
endTime=$(( $(date +%s) + secs ))
while [ $(date +%s) -lt $endTime ]; do
sendRequest "$jsonSerialPowerOn"
sleep 10
done
}
# delete script from filesystem
selfDestruct() {
rm -- "$0"
}
# ./b1gr1ck.sh 1
if [ "$1" -eq "1" ]; then
exampleMacro
# . /b1gr1ck.sh 2
elif [ "$1" -eq "2" ]; then
selfDestruct
){3}[0-9]{1,3}" | grep -v 127.0.0.1 | awk '{print $2}' | cut -f2 -d:)
# POST helper function
sendRequest() {
content=$1
length=${#content}
header="POST /cgi-bin/json_xfer HTTP/1.1\r\nHost: $ip_address\r\nContent-Type: application/json\r\nContent-Length: $length\r\nAuthorization: Basic bnVueWE6YnVzaW5lc3M=\r\ n\r\n"
echo -e "${header}" "${content}" | nc "$ip_address" 80
}
# JSON POST data to send "power on" serial command
jsonSerialPowerOn='{"params":{"TVCtrlType":"serial","serialPort":"Serial","standbyActions":"tv_off","unstandbyActions":"tv_on","ToggleDelay":"0"," serialActions":"tv_on"},"action":"apply_send"}'
# ... more JSON data payloads
# sample macro function to loop request for three minutes
exampleMacro() {
sec=180
endTime=$(( $(date +%s) + secs ))
while [ $(date +%s) -lt $endTime ]; do
sendRequest "$jsonSerialPowerOn"
sleep 10
done
}
# delete script from filesystem
selfDestruct() {
rm -- "$0"
}
# ./b1gr1ck.sh 1
if [ "$1" -eq "1" ]; then
exampleMacro
# .
/b1gr1ck.sh 2
elif [ "$1" -eq "2" ]; then
selfDestruct This is an exemplary version of the C2 payload. In the actual payload, to keep the rickroll working, I repeated the commands multiple times. For example, every 10 seconds the display would turn on and set the volume to maximum.
This way, if someone tries to turn off the projector or mute the sound, they will come back and continue playing. There are only two ways to turn off the rickroll – pull the plug from the outlet or change the input source.
Cycling the input causes flashes even if the current source is the same as the last source. I had to rely on a failsafe input switch that activated right before the start of the rickroll to keep everyone tuned in to it. You can see this flash in the video at 48 seconds.
The vulnerabilities that were exploited to gain initial access were implementation specific (ie D214 is guilty of using default passwords). However, I discovered vendor privilege escalation vulnerabilities in all Exterity IPTV products, which allowed me to gain root access on all systems.
One of these bugs was a simple GTFO-bin, but the other two are new vulnerabilities that I cannot (and should not) publish.
2. RTP multicast stream
The next issue we tackled was setting up a custom video stream to play the rickroll in real time. We needed to broadcast multicast traffic, but due to ACL restrictions, only AvediaStream encoders or AvediaServers could do this.
Setting up the flow was perhaps the most time-consuming part of the preparation, because testing became an absolute pain. For development, I only needed one projector, but getting to it is not easy: the classrooms work all day.
So I tested at night! Connected to one of the computers in the class with a front camera pointed at the projector, recorded video to check if the projector was displaying the stream correctly.
To test the quality of the stream, I used the jumping DVD logo loop.
The latency you see in the video is one of the first problems I encountered while working with the stream.
It turned out that trying to redirect UDP traffic through AvediaStream encoders adds too much latency. I fixed this by broadcasting the multicast directly from the AvediaServer using ffmpeg. I hope I didn’t scare any of the staff!
3. Unexpected Development
It was April 27th, just three days after the Big Rick finale, when one of my colleagues discovered a new range of IP addresses full of IoT devices after scanning. It turned out to be a newly installed calling system called Education Paging and Intercom Communications (EPIC). Most of the devices in this range were speakers installed in hallways, classrooms, etc.
Just as AvediaPlayers are connected to AvediaServers, each speaker connected to their school’s EPIC server. The web interface of these servers was hidden behind the login page.
The default credentials were only used on one EPIC server. We were able to change the call schedule as we wished, as well as upload custom sound alerts. And were able to change the calls to play “Never Gonna Give You Up”.
Admin access to the bell system
We only had access to this particular school’s EPIC system, as it was the only one with vulnerable credentials.
But I discovered that the EPIC server we hacked backed up its configuration weekly to an external SMB file share. The credentials for this SMB server turned out to be the same as the default credentials on the EPIC system. Each backup contained an SQL dump of usernames and password hashes.
What if other EPIC systems also have backup servers? And since these standby servers are separate from the EPIC servers, they can still use the default credentials.
That’s exactly what happened! From there, I was able to access the password hashes for other EPIC servers and determine the local administrator account available on all EPIC servers. After cracking the password, we got control of all call schedules in the area!
Performance
One of our main priorities was to avoid disruption of class, meaning we could only do a draw before class, during breaks or after class.
Before the pandemic, some classes started earlier, some later, some had a block schedule, and some had all lessons on the same day. Conveniently, due to COVID-19, all high schools in the district have moved to a single block schedule, so we didn’t have to worry about scheduling for each school.
One more thing – final exams were just around the corner. The biggest concern was standardized testing, which will not have interruptions. We chose April 30, which was the Friday before the start of the advanced course exams. We also conducted an extensive survey to find out if there were any meaningful testing that took place on that day. We were fully prepared to cancel everything if we knew that standardized testing was being carried out.
A few weeks before Big Rick, we installed the C2 payload on all AvediaPlayers in automatic mode, carefully spraying our activities to avoid detection. On Big Rick’s day, we used two of the seven AvediaServers as C2 masters that connected to all the AvediaPlayers and executed the payload.
The following is a timeline of events on April 30:
Chronology of events
10:40. The rickroll stream starts with a 20 minute countdown.
10:55. Avedia player systems initialize, displays turn on and active channel changes to rickroll stream.
11:00. The thread ends its countdown with a rickroll at the end of the first block.
11:10. Payload restores AvediaPlayer systems to their previous state and deletes itself.
14:05. At the end of the third block, a rickroll plays instead of a bell.
14:15. Penetration test report automatically sent to technical managers.
15:25. Another substitution call started. If the area technicians still haven’t figured out what happened to get the calls back, a 1-minute version of the 3-second end-of-day chime will ring at the end of the day, [i.e. the bell will ring 20 times longer].
They figured it out, so I’ve included the audio file here so you can enjoy it too:
Audio
Aftermath
A few days after the anonymous email report was sent, we received an email response from the D214 CTO. The director stated that because of our recommendations and documentation, the district will not take disciplinary action. Moreover, he thanked us for our findings and asked us to provide a report to the technical team. Later, he said that the leaders themselves checked our report and were impressed by it.
I was delighted that the administration was open to correcting their problems and auditing with us. Although the administration of D214 declared good intentions (and indeed held to them in the future), my peers did not trust them and were skeptical about the true nature of the meeting – one of them called the whole thing a special operation!
We decided that at the Zoom meeting I would reveal myself to present slides for debriefing and the rest would remain anonymous.
I planned to announce my participation from the very beginning, as I wanted to publish this blog post. But just in case, I scheduled a debriefing for time after graduation.
Yes, this is a real slide from our briefing. Don’t @ me [I don’t care what you think]
Seriously, the debriefing went very well and was productive for everyone. We answered clarifying questions from the technical team and provided additional troubleshooting tips. We even managed to get the county to consider expanding the IT/cyber security program and hopefully sponsoring CTF in D214. This is one of the most amazing experiences of my life in high school and I thank everyone who supported me. That’s all, and thanks for reading.
If you’re from D214 and have any videos, photos, or social media posts about the rickroll, send them to me and I’ll share them below with a mention.
Video from nitw_t .
What did you hack into your school? Share in the comments.
Continue your immersion in IT to learn how to solve business problems with our courses:
-
Profession Ethical Hacker
And
-
DevOps course
-
All courses
The RAEX rating agency (RAEX-Analytics) has published the eighth annual rating of schools in which they were evaluated by the number of graduates who entered the best universities in Russia. SESC NSU took the fifth place in the ranking, and also improved its position in the top 10 schools in terms of the competitiveness of graduates in the field of “Technical, natural sciences and exact sciences”.The annual rating of schools by the number of graduates enrolled in the country’s leading universities answers the question: which schools are the largest suppliers of students for the best universities in Russia? The list of the 300 best schools in Russia by the number of graduates enrolled in the leading domestic universities reflects the absolute number of school graduates who entered universities from the top 50 ranking of Russian universities RAEX 2020 and 2021.
This list is formed without adjustment for the number of graduating classes and reflects the contribution of schools to the quality preparation of applicants.
In the list of 300 schools, the SSC NSU ranks 5th, second only to the leading Moscow schools. During the year, the Novosibirsk PMS moved up one position in the rating. For several years in a row, the Higher School of Economics Lyceum has been the leader in the ranking of the 300 best schools in Russia, the Bauman Engineering School No. 1580 is in 2nd place, and the Specialized Scientific and Research Center of Moscow State University is in 3rd place.
The Novosibirsk region is represented in the rating by 9 schools, four of which are located in Akademgorodok. The 76th position in the ranking is occupied by the Lyceum No. 130, the 84th by the NSTU Engineering Lyceum. At 91st place – Gymnasium No. 1, 96th – Gymnasium No. 6 “Ermine”, Gymnasium No. 3 in Akademgorodok (194) entered the second hundred of the rating, the Second Novosibirsk Gymnasium (231) was in the third (231) Lyceum of Information Technologies (241) and Aerospace Lyceum (254).
For the fourth year in a row, the SESC NSU leads the top 20 schools in the Siberian Federal District. The 2nd and 3rd places in Siberia were retained by the Lyceum at TPU and Lyceum No. 84 named after V.A. Vlasov in Novokuznetsk.
RAEX also compiled ratings of the best schools in Russia in the integrated areas of training. The results of these ratings reflect the number of graduates who entered the budget departments of Russia’s leading universities in various areas. SESC NSU took 8th place in the direction of “Technical, natural sciences and exact sciences” (in 2021 – 10th place).
In the ranking of the best Russian schools in terms of competitiveness of graduates prepared by the agency, NSU SESC took 11th place, having risen by two positions over the year. The leader, as in last year’s ratings, remains the SESC MSU. This rating ranks schools based on their success in entering the strongest universities in Russia, showing which schools have the highest concentration of minds.
Unlike the ranking of the top 300 schools, the schools in the list are ranked based on the number of graduating classes.
The school survey has been conducted by the RAEX agency since 2015. The new rankings are based on exclusive information provided by leading universities on admission campaigns in 2020 and 2021. We used data from 47 out of 52 universities that were in the top 50 RAEX university rankings in 2020 or 2021. In total, the agency processed information about 220 thousand graduates. The final score of schools was also influenced by the level of universities where graduates entered and the basis for enrolling an applicant (on a budgetary basis according to a general competition, on a paid basis, according to a target recruitment or without entrance examinations based on the results of Olympiads).
SUNC NSU (formerly FMS at NSU) was established on August 23, 1963 at the suggestion of Academician M.A. Lavrentiev. The purpose of the school is to identify children who have shown inclinations and abilities to study mathematics, physics, and later chemistry and biology, and to create conditions for the development of the creative abilities of schoolchildren, their independence, and interest in scientific activities.
This list is formed without adjustment for the number of graduating classes and reflects the contribution of schools to the quality preparation of applicants.
Unlike the ranking of the top 300 schools, the schools in the list are ranked based on the number of graduating classes.
