From Oversight to Ownership: How I Discovered the Path to Root on ISP’s Multiple Servers

3 min readSep 19


Hey, I’m Hektor Avdyli, a security researcher with a passion for uncovering security flaws. In this post, I’ll be sharing a unique experience where I gained control of an Internet Service Provider (ISP) through black-box testing. To maintain confidentiality, I’ll be using pseudonyms and fictional IPs. Join me as I break down the steps.

I would like to clarify that I had explicit authorization from the ISP’s chief to conduct the security testing discussed in this article.


As mentioned previously this test was conducted in a black-box manner, meaning I had no insider knowledge of the ISP’s infrastructure, network architecture, or system configurations. My sole point of entry was the public-facing website hosted on (do consider im using and it’s IPs to maintain discretion and protect the involved parties).

Fictional Domain:

Fictional Ip:

Identifying the Misconfiguration

As usual my next step was to dive headfirst into the web of

I went through a thorough process of looking for potential vulnerabilities. This involved using various tools and techniques, both automated and manual.

During my investigation, I did find a few outdated libraries within the website. However, after a closer look, I realized that these issues, although important to address for security reasons, didn’t give me the kind of access I needed to the ISP’s servers. It was a bit of a setback, there i drew blank i didn’t know where to look or what to look, took little break and went back, then it hit me he mentioned an “ISP Management Panel”. Started again to look on my scans but nothing that had to do with the Panel, thought that it might not be hosted at, still there were no subdomains of that kind.

At this point i thought this it, just few out-dated libraries, Blind-XSS and info.php leaked.

As i was Google Dorking i stumbled upon IP addresses on, I realized I could dig deeper. I thought that finding out which devices were currently online in a group of IP addresses could give me more information about the Control Panel. So, I used a tool “Angry IP Scanner” to do just that.

Angry IP Scanner is a handy utility designed for network discovery. It allows you to scan IP address ranges to identify active hosts and open ports. In my case, it became a valuable tool to uncover live hosts within the IP ranges I encountered on

I set the range from to

Active IP addresses
Active IP addresses

I went with the port 80, where i finally found the Control Panel hosted at the, with much excitement started again testing manually and automated.

Not update since 2021 multiple blind sqli, xss, Auth Bypass.

First thought that this may not still be in use since, then used gobuster, found an interesting /backups directory, fascinating i found there the / and / After downloading the files i found the root:password at the file and boom im in! full root user not just at the Control Panel, but the password was used in multiple other servers(,isp servers etc) , had full access at the mysql (databases,client_tables, encrypted_passwords, etc)

The root ssh connection to the ISP server

With this final run i stopped the test and started writing the report immediately.

I assessed the weaknesses as high-risk, indicating a significant potential impact on security. Which included: Information Leak, Out-dated (Software, OS, Libraries), SQLI, XSS.

Thank you for joining me on this journey. Let’s continue to explore, learn, and grow in the ever-evolving realm of cybersecurity.