• author: IppSec

Explaining the Ad Server in the Sands Holiday Hack Challenge 2016

In this guide, we will discuss how to analyze the ad server in the Sands Holiday Hack Challenge 2016. The answer to this challenge was Xhosa ads North Pole wonderland com. This was found by analyzing the APK file or browsing the website where the answer was coded in the media JavaScript framework.

The Use of WebSockets and DDP

The media JavaScript framework is unique because it depends purely on WebSockets and DDP, the distributed data protocol, and not HTTP GET Sant Post that you may be used to. One of the advantages of using this is that it creates real-time web applications. Whenever we click something, we do see the WebSockets go click out going incoming, thus creating an immediate reaction online. Since it is different than most websites, whenever we try to log in or post, it will not be seen and is all performed in WebSockets.

TamperMonkey Script

Fortunately, for this challenge, a tampermonkey script was already written by Tim Medine that would help us mine data out of media. Firstly, we need to install tampermonkey, and because the Firefox version that comes with Kali is not compatible with it, we need to get a later version of Firefox. This process can be done by visiting the Firefox website and downloading the latest version available. Once installed, we can extract it and then close Firefox. After this, we need to open the Firefox bin file and run Firefox again. We can then install tampermonkey and then the tampermonkey script written by Tim Medine.


To install Tampermonkey, follow these steps:

  1. Go to Firefox and search for tampermonkey
  2. Install tampermonkey
  3. Go to mining media on github
  4. Click on the media. js file and copy everything
  5. Create a new script
  6. Paste the copied information
  7. Use the Github URL as the update URL and click save

By following the steps above, we have installed tampermonkey successfully. Now we need to see what happens when we browse the ad server.

Analyzing Data

Once we have installed the tampermonkey script, the next step is to mine data from media. By visiting ads Northport Wonderland com and logging in, we can see media miner pop up telling us interesting information such as the Ralphs, which tells us about in-home quotes. We can see that there are four columns or records, and home quotes have different URLs such as "/admin/quotes," which looks relatively interesting. Since we cannot just click on a record and see the actual data, we will open up Firefox's developer tools by clicking on f12, and then clicking on console followed by home quotes. By entering home quotes dot find dot fetch, we will get the results, and then we can highlight and copy this information. By pasting it back into ads, we can view and analyze the challenge.


In conclusion, the ad server in the Sands Holiday Hack Challenge 2016 used the media JavaScript framework that depended purely on WebSockets and DDP, not HTTP GET Sant Post, to create a real-time web application. With the help of a tampermonkey script written by Tim Medine, it was possible to mine data out of media. Analyzing and understanding this data is essential in solving challenges in the hacking world, and this guide has shown how to do it step-by-step.

Previous Post

How to Complete the Dungeon Serve in the Sands Holiday Hat Challenge 2016

Next Post

Maximizing Your Winnings: A Guide to Playing High Limit Slots

About The auther

New Posts

Popular Post