- author: IppSec
Explaining the Ad Server in the SANS Holiday Hack Challenge 2016
The Use of WebSockets and DDP
Fortunately, for this challenge a Tampermonkey script already existed: MeteorMiner, written by Tim Medin, which pulls data (collections, routes and the like) out of a Meteor application from inside the browser. First we need to install Tampermonkey, and because the Firefox build that ships with Kali is not compatible with it, we need a newer Firefox. Download the latest version from the Firefox website, extract the archive, close the running Firefox, and launch the firefox binary from the extracted directory. We can then install Tampermonkey and add Tim Medin's MeteorMiner script to it.
To install Tampermonkey and the MeteorMiner script, follow these steps:
- In Firefox, search for Tampermonkey and install the add-on
- Go to the MeteorMiner repository on GitHub
- Open the script's .js file and copy its entire contents
- In Tampermonkey, create a new script
- Paste the copied script into it
- Use the GitHub URL of the script as the update URL and click save
With those steps done, Tampermonkey and MeteorMiner are installed. Now we need to see what happens when we browse the ad server.
With the script installed, the next step is to mine data out of the Meteor application. Visiting ads.northpolewonderland.com and logging in, MeteorMiner pops up with interesting information, including the routes and a HomeQuotes collection. HomeQuotes holds four records, and the routes include URLs such as "/admin/quotes," which looks worth a closer look. Since we cannot simply click on a record to see its contents, we open Firefox's developer tools with F12, switch to the Console tab and enter `HomeQuotes.find().fetch()`. Meteor keeps every document the server publishes in a client-side cache (minimongo) that is reachable from the console regardless of what the page renders, so this returns the full records, including any fields the UI never displays. We can then expand and copy the output, paste it into a text editor, and analyze it for the challenge.
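To make the WebSocket/DDP side of this concrete, here is an added example (not code from the original page, from MeteorMiner, or from Meteor itself) of a minimal DDP client-side store: it parses the JSON frames a Meteor server sends over its WebSocket (`connected`, `added`, `changed`, `removed`, `ready`, `ping`) and rebuilds the same per-collection document cache that `HomeQuotes.find().fetch()` reads from in the browser console. The session id, collection names, document ids and field values in the sample frames are constructed for illustration and are not taken from the challenge.

```javascript
// Added example: a minimal DDP (Meteor's WebSocket protocol) message handler
// that rebuilds the client-side collection cache from raw server frames.
// Not MeteorMiner and not Meteor's own code. All sample data below is constructed.

class DdpStore {
  constructor() {
    this.session = null;
    this.collections = new Map(); // collection name -> Map(_id -> fields)
    this.readySubs = new Set();   // subscription ids the server marked ready
  }

  // Client -> server frames that open a DDP session and subscribe to a publication.
  static connectFrame() {
    return JSON.stringify({ msg: "connect", version: "1", support: ["1"] });
  }
  static subFrame(id, name, params = []) {
    return JSON.stringify({ msg: "sub", id, name, params });
  }

  // Process one server -> client frame. Returns a reply frame when the
  // protocol requires one (ping -> pong), otherwise null.
  handleFrame(raw) {
    const m = JSON.parse(raw);
    switch (m.msg) {
      case "connected":
        this.session = m.session;
        return null;
      case "ping":
        return JSON.stringify(m.id === undefined ? { msg: "pong" } : { msg: "pong", id: m.id });
      case "added":
      case "addedBefore": { // ordered publications use addedBefore; ordering is ignored here
        this._coll(m.collection).set(m.id, { ...(m.fields || {}) });
        return null;
      }
      case "changed": {
        const docs = this._coll(m.collection);
        const doc = docs.get(m.id) || {};
        Object.assign(doc, m.fields || {});          // fields set by the server
        for (const f of m.cleared || []) delete doc[f]; // fields unset by the server
        docs.set(m.id, doc);
        return null;
      }
      case "removed":
        this._coll(m.collection).delete(m.id);
        return null;
      case "ready":
        for (const s of m.subs || []) this.readySubs.add(s);
        return null;
      default:
        return null; // nosub, result, updated, error: not needed for enumeration
    }
  }

  _coll(name) {
    if (!this.collections.has(name)) this.collections.set(name, new Map());
    return this.collections.get(name);
  }

  // What a MeteorMiner-style enumeration reports: every collection the server
  // has pushed documents for, whether or not the page renders them.
  collectionNames() {
    return [...this.collections.keys()].sort();
  }

  // Equivalent of typing `<Collection>.find().fetch()` into the browser console.
  fetch(name) {
    const docs = this.collections.get(name) || new Map();
    return [...docs.entries()].map(([_id, fields]) => ({ _id, ...fields }));
  }
}

// Constructed server frames: a publication that pushes four HomeQuotes records,
// one of which later gains an "audio" field the UI would never display.
const SAMPLE_SERVER_FRAMES = [
  '{"msg":"connected","session":"constructedSession"}',
  '{"msg":"added","collection":"HomeQuotes","id":"h1","fields":{"index":0,"quote":"constructed quote 0"}}',
  '{"msg":"added","collection":"HomeQuotes","id":"h2","fields":{"index":1,"quote":"constructed quote 1"}}',
  '{"msg":"added","collection":"HomeQuotes","id":"h3","fields":{"index":2,"quote":"constructed quote 2"}}',
  '{"msg":"added","collection":"HomeQuotes","id":"h4","fields":{"index":3,"quote":"constructed quote 3","hidden":true}}',
  '{"msg":"changed","collection":"HomeQuotes","id":"h4","fields":{"audio":"/audio/constructed-example.mp3"},"cleared":["hidden"]}',
  '{"msg":"added","collection":"Quotes","id":"r1","fields":{"text":"constructed"}}',
  '{"msg":"added","collection":"Quotes","id":"r2","fields":{"text":"constructed, then removed"}}',
  '{"msg":"removed","collection":"Quotes","id":"r2"}',
  '{"msg":"ping","id":"p1"}',
  '{"msg":"ready","subs":["sub1"]}',
];

// Replay a frame sequence into a fresh store; returns the store and any replies
// the client would have to send back (here, one pong).
function replaySession(frames = SAMPLE_SERVER_FRAMES) {
  const store = new DdpStore();
  const replies = [];
  for (const f of frames) {
    const r = store.handleFrame(f);
    if (r !== null) replies.push(r);
  }
  return { store, replies };
}

// Usage: enumerate what the server handed over, then dump one collection.
const { store: demoStore } = replaySession();
console.log(demoStore.collectionNames());
console.log(demoStore.fetch("HomeQuotes"));
```

The point this illustrates is that DDP pushes whole documents into the client; anything a publication includes (here the constructed `audio` field) is sitting in the browser's cache even when no template shows it, which is exactly why a console call or a script like MeteorMiner sees more than the rendered page does.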