Wednesday, 2 January 2013

How to hack a contest

During the last two weeks of the year there was a contest on the Youth Card of Madrid webpage about finding their mascots dressed as the Three Wise Men.

The fact is that I have been looking for them and only found two of them, so I decided to make a mirror of the page and look for them locally... just to find that in fact there were only two of them ¬¬ After I sent them an email to find out whether it was a bug or a bad trick, they confirmed to me that the third one will only appear from time to time since she (it's the girl with glasses ;-) ) is very shy, but will appear at least once before the end of the year, in the morning. I didn't want to be pushing F5 all the time but I wanted to win one of the prizes, so I decided to do it my way.

Challenge accepted

The first thing is to know how to identify whether one of the mascots is on the page, so when I found one of them, I quickly went to the Chrome Inspector to look at the page content, seeing references to a nice "navidad2012" folder and that the animated icons were made in Flash. Now I know what to look for, so it's time to know where to look. Since the page is mainly static (bizarre, I know, but what would you expect from a governmental institute? :-D ), I made a mirror of the website on my local hard disk using wget so I could search their files for that string. Since wget shows a lot of output, I'll silence it with the quiet argument:
wget -mq http://$BASE_URL
and later searched all the files using grep, looking for the previously identified folder and for the Flash files, getting only the paths of the files that contain them:
grep -lR 'navidad2012/.*\.swf' $BASE_URL/*
Now it's time to get notified by mail when the pages are found. This was a little bit complicated since GMail protects itself against sending spam, so some additional config steps are required so that we send the emails authenticated with our own account. First of all, we need to install the mailutils package for the mail command and the ssmtp package for the outgoing mail server:
sudo apt-get install mailutils ssmtp
and later configured the SMTP server following these instructions (I didn't need to follow the steps regarding removing sendmail, so maybe it's not necessary at all any more). After that, we are now able to send emails from the command line (content is introduced via the standard input):
mail -s "$BASE_URL" "$EMAIL"
But receiving an email each time it checks is not a good idea since we are only interested in checking it when we have the Three Wise Men, so we'll check first:
FILES=$(grep -lR 'navidad2012/.*\.swf' $BASE_URL/*)
# Count non-empty lines so that no match gives 0 instead of 1
WISE_MEN=$(echo "$FILES" | grep -c .)

if [ "$WISE_MEN" -eq 3 ]
then
   ...
fi
Now it's time to let this run every 5 minutes. A simple infinite loop and sleep would be enough, but removing the useless files if we didn't find what we wanted would be nice (after making sure not to remove them by using break in the condition)...:
while :
do
   ...
   rm -r $BASE_URL
   sleep 5m
done
Et voilà! Now it only needs some echo messages to know how it's working when I'm at the machine (mainly studying for the exams I have after the holidays... ¬¬), removing all data before starting to work, a shebang and execution permissions, and now I can go to the gym without worrying about not getting the prize :-D

Full code of the script:
#!/bin/bash

BASE_URL=www.carnejovenmadrid.com
EMAIL=piranna@gmail.com

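# Start from a clean state
rm -rf "$BASE_URL"

while :
do
    # Mirror the site quietly, then list the pages that embed a mascot
    wget -mq "http://$BASE_URL"
    FILES=$(grep -lR 'navidad2012/.*\.swf' "$BASE_URL"/*)
    # Count non-empty lines so that no match gives 0 instead of 1
    WISE_MEN=$(echo "$FILES" | grep -c .)

    if [ "$WISE_MEN" -eq 3 ]
    then
        echo
        echo "*** FOUNDED 3 WISE MEN!!! ***"
        echo "$FILES"

        # Mail the list of matching pages and stop, keeping the mirror
        echo "$FILES" | mail -s "$BASE_URL" "$EMAIL"
        break
    fi

    echo "Only found" "$WISE_MEN" "wise men at"
    echo "$FILES"
    echo "Removing files"
    echo

    # Drop the stale mirror and wait before the next check
    rm -r "$BASE_URL"
    sleep 5m
done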
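
An added example (not part of the original post) of the match-counting step, run on a constructed local mirror: it contrasts counting the lines of `grep -l` output with `echo | wc -l`, which yields 1 even when nothing matched, with counting NUL-terminated file names. The function names and the sample pages are assumptions made for the illustration.

```shell
#!/bin/bash
# Added example: the mirror built below is constructed, not the real site.
PATTERN='navidad2012/.*\.swf'

# Line-based count: an empty grep result still goes through echo as one line.
naive_count() {
    local files n
    files=$(grep -lR -e "$PATTERN" -- "$1" 2>/dev/null || true)
    n=$(echo "$files" | wc -l)
    echo $((n))
}

# Count the NUL terminators of the file names instead: no match gives 0,
# and spaces or newlines in file names cannot change the number.
robust_count() {
    local n
    n=$(grep -lR --null -e "$PATTERN" -- "$1" 2>/dev/null | tr -cd '\000' | wc -c)
    echo $((n))
}

# Build a constructed mirror in $1 with $2 pages that embed a mascot.
make_sample_mirror() {
    local dir hits i
    dir=$1; hits=$2; i=1
    mkdir -p "$dir/sub dir"
    printf '%s\n' '<html><body>no mascot here</body></html>' > "$dir/index.html"
    while [ "$i" -le "$hits" ]; do
        printf '<embed src="/navidad2012/rey%s.swf">\n' "$i" > "$dir/sub dir/page $i.html"
        i=$((i + 1))
    done
}

# Show both counts for mirrors with 0, 2 and 3 matching pages.
demo() {
    local tmp hits
    tmp=$(mktemp -d)
    for hits in 0 2 3; do
        make_sample_mirror "$tmp/m$hits" "$hits"
        echo "pages=$hits naive=$(naive_count "$tmp/m$hits") robust=$(robust_count "$tmp/m$hits")"
    done
    rm -rf "$tmp"
}

demo
```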