How I Hacked My ISP’s IPTV Set-Top Box?
A cybersecurity expert analyzes how an IPTV set-top box works through reverse engineering and vulnerability exploitation. Starting from curiosity, he works through the technical hurdles step by step: bypassing the sandboxed environment, changing router ports, extracting and decompiling the APK files, and so on. He ultimately finds serious security problems in the system, including weak default passwords, predictable usernames and unencrypted streaming links, and responsibly discloses the vulnerabilities to the ISP. The article stresses the importance of details in security testing and the risks that default settings introduce. 2025-9-16 09:36:34 Author: infosecwriteups.com

Madari

This is Prashant Singh, a cybersecurity geek with a deep passion for exploring and securing technologies. This is my second write-up after 4 long years. A small but heartfelt contribution to the community that has inspired me all along.

I get a lot of messages and queries asking:
“How do you even start pentesting? What’s the right way to approach it? Why don’t I ever find bugs?”

If you’ve ever been stuck with those same doubts, this story might give you a different perspective — not about where to look, but about how to think.

Curiosity Sparked on the Couch

One lazy evening, I was staring at my TV and suddenly wondered:
How do ISPs actually provide IPTV services to end customers? What exactly does this mysterious set-top box do?

The device itself looked simple enough: a power socket, USB ports for local playback, and an Ethernet port that connects to my router.


But my instinct told me — there’s more under the hood. And I was right.

Challenge #1: Getting Inside the Box

These IPTV boxes run on Android OS with custom apps built by the ISP. My first goal was simple: get into the system and extract those APKs.

ADB (Android Debug Bridge) was my tool of choice. But there was a catch — the default interface of the smart box runs inside a sandboxed environment, meaning I couldn’t access core system services.

A few months earlier, I’d seen a video on LinkedIn showing how someone bypassed a kiosk sandbox on Stripe’s devices. Have a look: Link

Inspired, I tried a similar trick. I bypassed the sandbox, enabled Developer Options, and turned on USB Debugging.

Now it was game time.

Challenge #2: Connecting via ADB

I tried connecting to the smart box using its IP. No luck.

After thinking about it for hours, a memory hit me: the first time the ISP technician visited for installation, he insisted, “Always plug the IPTV into port 2 on your router.”
I had always wondered: why port 2?

Later, when I checked my router’s config, I discovered the answer: Port 2 was mapped to a separate VLAN reserved for IPTV traffic. This VLAN had special QoS rules so the IPTV always got priority bandwidth.


That also explained why the set-top box had an IP address outside my home network. To fix that, I moved the cable to Port 1. Now the box shared the same subnet as my local devices.

This time, ADB connected instantly.


Challenge #3: Extracting and Reversing the Apps

Listing installed packages, I quickly identified the APKs responsible for live streaming and account management. Extracting them was easy.

But intercepting traffic wasn’t — SSL pinning was enabled. I often use apk-mitm and android-unpinner to quickly bypass pinning.


I then reinstalled the modified APKs on my Android phone. With BurpSuite running, I could finally see the traffic.

The problem? The apps immediately asked for login credentials I didn’t have. Dead end. Or so it seemed.

Breakthrough: Installing Back on the Smart Box

I decided to take a different route: install the SSL-unpinned version of the app back onto the smart box itself. This way, I could use BurpSuite directly with the TV.

For this, I installed Burp’s certificate on the smart box (thanks to the earlier sandbox bypass). Now all traffic was flowing through my proxy.

The “Support Trick”

Still stuck at the login screen, I got a little creative. I raised a support ticket with my ISP, claiming I couldn’t access my TV.

When the technician visited, he logged into my account right in front of me — and all those requests were being proxied through my BurpSuite. Jackpot.

The credentials shocked me:

  • Username: My smart box’s MAC address
  • Password: admin@123

That’s right. Default password + device MAC = instant access.

From My Account to Everyone’s

Here’s the bigger problem:

  • MAC addresses are just 12 hex digits.
  • The first 6 are the manufacturer’s prefix.
  • The last 6 are unique per device.

So by keeping the prefix the same and fuzzing the last six digits, I could log in as other subscribers. And it worked.
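The username scheme above is the detectable part of this chain: a device MAC is a 24-bit manufacturer prefix (OUI) plus a 24-bit device-specific suffix, so every "username" is one of roughly 16.7 million values under a single prefix. The following Python is an added example, not code from the original write-up, showing what an ISP's auth logs would look like during such an attempt and how to flag it: a single source IP logging in as many distinct accounts that share one OUI. The log format and the addresses in `SAMPLE_LOG` are constructed for this example.

```python
"""Flag MAC-prefix username enumeration in IPTV auth logs (added example)."""
import re
from collections import defaultdict

# Constructed sample auth log: one source trying many usernames under one OUI,
# and one ordinary subscriber logging in from its own address.
SAMPLE_LOG = """\
2025-09-16T09:00:01 src=203.0.113.7 user=00:1A:2B:00:00:01 result=FAIL
2025-09-16T09:00:02 src=203.0.113.7 user=00:1A:2B:00:00:02 result=OK
2025-09-16T09:00:03 src=203.0.113.7 user=00:1A:2B:00:00:03 result=FAIL
2025-09-16T09:00:04 src=203.0.113.7 user=00:1A:2B:00:00:04 result=OK
2025-09-16T09:00:05 src=203.0.113.7 user=00:1A:2B:00:00:05 result=OK
2025-09-16T09:00:06 src=198.51.100.9 user=00:1A:2B:12:34:56 result=OK
2025-09-16T09:00:07 src=198.51.100.9 user=00:1A:2B:12:34:56 result=OK
"""

# Assumed log line layout: timestamp, source IP, MAC-as-username, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>[0-9A-Fa-f:]{17}) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = rec["user"].upper()  # normalise hex case
    return rec


def oui(mac):
    """First three octets: the manufacturer prefix shared by every box of that model."""
    return mac[:8]


def nic_keyspace():
    """Number of possible device-specific suffixes (last six hex digits)."""
    return 16 ** 6


def detect_enumeration(log_text, threshold=3):
    """Return {src_ip: {oui: set_of_usernames}} for sources that used at least
    `threshold` distinct usernames under the same OUI. Successful logins across
    many accounts from one source are the strongest signal of this attack."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        seen[rec["src"]][oui(rec["user"])].add(rec["user"])
    flagged = {}
    for src, by_oui in seen.items():
        hits = {o: users for o, users in by_oui.items() if len(users) >= threshold}
        if hits:
            flagged[src] = hits
    return flagged


if __name__ == "__main__":
    print("suffix keyspace per OUI:", nic_keyspace())
    for src, hits in detect_enumeration(SAMPLE_LOG).items():
        for prefix, users in hits.items():
            print(f"{src}: {len(users)} distinct accounts under OUI {prefix}")
```

The threshold is deliberately low because a legitimate subscriber only ever authenticates as its own box; a per-source rate limit and a lockout keyed on the OUI rather than on a single username would stop the scan the article describes before it yields more than a handful of accounts.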


Each login returned a JWT token, which granted access to backend APIs.

One endpoint returned .m3u8 playlist links like this:

https://<redacted>.<redacted>.com/sportTV_HD_HLS/playlist.m3u8?wmsAuthSign=...


I wrote a simple client script to play any channel I wanted — even without an active subscription.
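The playlist links above kept working after the subscription expired, which is the token-behaviour problem the author later asks ISPs to fix. As an added example, not code from the original write-up and not the scheme behind the `wmsAuthSign` parameter seen in the article, the Python below shows the minimal properties a streaming URL needs: an HMAC over the path, the subscriber id and an expiry, checked server-side against the current time and the subscription state. The host `cdn.example.invalid`, the query parameter names `sub`/`exp`/`sig` and the secret are all constructed for this example.

```python
"""Expiring, subscriber-bound HLS playlist URLs (added example)."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret for the example; a real deployment loads this from a secrets store.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def _signature(path, subscriber_id, expires):
    """HMAC-SHA256 over the exact fields the server will later check."""
    msg = f"{path}|{subscriber_id}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def sign_playlist_url(base, path, subscriber_id, ttl_seconds, now=None):
    """Issue a playlist URL valid only for this subscriber until now + ttl_seconds."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl_seconds
    query = urlencode({
        "sub": subscriber_id,
        "exp": expires,
        "sig": _signature(path, subscriber_id, expires),
    })
    return f"{base}{path}?{query}"


def verify_playlist_url(url, subscriber_id, now=None, active_subscription=True):
    """Return (ok, reason). Rejects malformed, tampered, mismatched-subscriber,
    expired links, and links belonging to a lapsed subscription."""
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        sub = q["sub"][0]
        exp = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "malformed"
    # Constant-time comparison so the check itself does not leak the signature.
    if not hmac.compare_digest(sig, _signature(parts.path, sub, exp)):
        return False, "bad signature"
    if sub != subscriber_id:
        return False, "subscriber mismatch"
    if now >= exp:
        return False, "expired"
    if not active_subscription:
        return False, "subscription inactive"
    return True, "ok"


if __name__ == "__main__":
    url = sign_playlist_url("https://cdn.example.invalid",
                            "/sportTV_HD_HLS/playlist.m3u8", "sub-1001", 300)
    print(url)
    print(verify_playlist_url(url, "sub-1001"))
    print(verify_playlist_url(url, "sub-1001", now=time.time() + 600))
```

Short-lived signatures alone do not close the hole described in the article, because a client that can still authenticate can simply request a fresh link; that is why `verify_playlist_url` also consults the subscription state, and why the login weakness and the token weakness have to be fixed together.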


Impact

This chain of flaws meant:

  1. Weak default credentials allowed anyone to log in.
  2. Predictable usernames (MAC addresses) made account hijacking trivial.
  3. Persistent .m3u8 links allowed unlimited free streaming, even after subscription expiry.

In short, the ISP’s entire IPTV infrastructure could be abused at scale.

Responsible Disclosure

Before sharing this story publicly, I responsibly reported the vulnerabilities to the ISP. I made sure they understood the risks.

The goal of this article is not to encourage misuse, but to highlight how insecure defaults and overlooked configurations can create massive security gaps.

If you’re an ISP or service provider reading this — review your IPTV infrastructure, harden account authentication, and ensure streaming tokens behave as intended.

Key Takeaways

  • Think differently. Pentesting isn’t just running tools — it’s connecting dots others ignore. VLANs, router configs, technician habits — every detail can matter.
  • Abuse default setups. Weak defaults (admin@123) are still everywhere.
  • Chained bugs amplify impact. Each individual issue wasn’t catastrophic. Together, they were.


Final Thoughts

What started as me wondering “how does this little box even work?” turned into a full exploitation chain that exposed how fragile IPTV setups can be.

So next time you feel stuck in your pentest, remember:
It’s not just about what tools you run. It’s about what questions you ask.


Source: https://infosecwriteups.com/how-i-hacked-my-isps-iptv-set-top-box-f1c6f49dab01?source=rss----7b722bfd1b8d---4