How I Breached a Live Surveillance System in Under 10 Minutes

Last weekend, I was out with some friends from the cybersecurity community. As the evening unfolded, one friend threw down an interesting challenge: he bet anyone at the table a sum of money if they could exploit his old CCTV monitoring system. This system was accessible via a web interface, managing 12 camera feeds.

Naturally, being curious and competitive, I accepted the challenge without hesitation.

Finding My Way In

My first step was to find the IP address of the CCTV system. After some digging, I realized the system was accessible publicly—not restricted to his private network. This discovery made my job easier: I just had to enter the IP address in my browser, and there it was—a straightforward login page asking for a username and password.

SQL Injection to the Rescue

I immediately began checking the login form for SQL injection vulnerabilities. It didn't take long to discover the login system was vulnerable to a Boolean-based Blind SQL Injection.

Using some basic payloads, I quickly bypassed the login completely:

' OR 1=1 --

And just like that—I was inside.

Inside the Surveillance System

Upon entering, the full interface appeared on-screen: 12 camera feeds, all clearly labeled and streaming in real-time. The system even offered options to manage the feeds, including an alarming "Shutdown Feed" button next to each camera.

But shutting down individual camera feeds seemed too ordinary—I wanted something more dramatic to secure my victory.

Taking It a Step Further

I searched for a vulnerability to completely disable the CCTV system and bring down the entire website simultaneously. Digging deeper, I found the web application was vulnerable to a simple Denial-of-Service (DoS) attack due to poor handling of repeated requests on certain endpoints (vulnerable to rapid repeated GET requests causing overload).

I quickly crafted a small Python script to rapidly send requests to this vulnerable endpoint:

After running this quick test, both the CCTV feeds and the web interface immediately went offline.

Mission accomplished.

🎉 Claiming Victory

I proudly showed my friend exactly how I'd exploited his vulnerable surveillance system. Not only was he impressed, but I also walked away with the prize money—and more importantly, bragging rights among my cybersecurity friends.