Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
There is a puzzle embedded in this page... (weebly.com)
40 points by drusenko on Nov 11, 2010 | hide | past | favorite | 48 comments


Weebly folks: if you really want to recruit decent front-end people, please put this puzzle on a page that isn't chock-full of table-based layout, inline styling, and other icky crap.


OK, fair enough. Eliminated the two unnecessary table-based layouts and removed the inline CSS.

There is still a bit of inline CSS left, but that's generated by code.


Good man. Thanks!


Thats how you know that you are really needed.


Can't figure out which packet to send and in what format (hex? binary?) :(

Update: Wow! Can't believe I actually spent 20 minutes with Wireshark trying to reply with the actual TCP packets that were next in the handshake sequence.

Update 2: Finally solved it :) Pro-tip: keep it simple.


You're not alone; I tried doing the exact same thing when I saw "Reply back with the next packet in the handshake sequence as parameter 'msg'"


My first thought too but then I figured I'll go for broke and try the simplest thing possible.


Solved it! That customer support position is so mine.


    #!/ova/fu -r

    HEY="uggc://jjj.jrroyl.pbz/jrroyl/choyvpOnpxraq.cuc?"
    QNGN="cbf=fbyirchmmyr"

    # Gvzrfgnzc nhgu
    GVZRFGNZC=$(phey -f -i -q $QNGN $HEY 2>&1 | terc "Qngr:" | phg -p 9- | ehol -egvzr -r "chgf Gvzr.cnefr($<.ernq).gb_v")

    # FLA-NPX nhgu
    QNGN+="&nhgu=$GVZRFGNZC&zft=FLA-NPX"
    ZQ5=$(phey -f -q $QNGN $HEY | rterc ^[n-s0-9]+)

    # ZQ5 penpx
    # (uggc://jjj.bcrajnyy.pbz/wbua/)
    ARKG=$(rpub $ZQ5 | ~/Qbjaybnqf/wbua-1.7.6-*/eha/wbua --sbezng=enj-ZQ5 /qri/fgqva --fubj | terc "?:" | phg -q ':' -s 2)
    QNGN+="&arkg=$ARKG"

    # Onfr64
    phey -f -q $QNGN $HEY | rterc ==$ | onfr64 --qrpbqr

    # ... bx, fb abj jr'er xvaqn purngvat.
    ZNTVP_AHZORE=$(phey -f "uggc://pqa1.jrroyl.pbz/yvoenevrf/fvtahc.wf?ohvyqgvzr=1289442390" | terc "ine o =" | rterc -b "[0-9]+")

    rpub gur_nafjre_vf_$(rpub "$ZNTVP_AHZORE * 2" | op)


In case anybody is confused: There is a puzzle embedded in our jobs page (http://www.weebly.com/jobs.html).

It's not meant to be incredibly difficult, just fun and challenging enough to take 30 minutes or so.


Dear Weebly, please come up with a new puzzle. This is now at least the 3rd time I've seen your puzzle. Time for a new one.


Spoiler alert - don't read more of this comment if you want to solve it yourself.

Almost all of the solution in Haskell (except for the bit about extracting the actual answer from the Javascript); it's probably not what they intended, since the job is for a web-dev, but most of us here are probably just doing it for fun. I found the bit about guessing what string was hashed to make the MD5 the hardest, because it was basically just pure brute force (I didn't know what timezone it was in or what date format was used - so the hint wasn't very helpful).

    import Network.URI
    import Network.HTTP
    import Data.Maybe
    import Data.Time.Clock.POSIX
    import Data.Time.LocalTime.TimeZone.Olson
    import Data.Time.LocalTime.TimeZone.Series
    import Data.Time.Clock
    import Data.Time.LocalTime
    import Data.Time.Calendar
    import Text.Printf
    import Control.Monad
    import Codec.Binary.Base64.String

    main = do
      -- Is there a more portable way to do this?
      pdtTZS <- getTimeZoneSeriesFromOlsonFile "/usr/share/zoneinfo/America/Los_Angeles"
      pdtTime <- liftM (utcToLocalTime' pdtTZS) getCurrentTime
      let next = printf "w%02d%02d" ((\(_, _, d) -> d) . toGregorian . localDay $ pdtTime) (todHour $ localTimeOfDay pdtTime)
      ts <- getPOSIXTime
      let str = urlEncodeVars [("pos", "solvepuzzle"),
                               ("auth", show ts),
                               ("msg", "SYN/ACK"),
                               ("next", next)]
      r <- simpleHTTP (Request (fromJust $ parseURI "http://www.weebly.com/weebly/publicBackend.php")
                                  POST
                                  [Header HdrContentLength  (show $ length str),
                                   Header (HdrCustom "X-Requested-With") "XMLHttpRequest",
                                   Header (HdrCustom "X-Prototype-Version") "1.7_rc1",
                                   Header HdrContentType "application/x-www-form-urlencoded"]
                                  str
                      )
      case r
        of
          Left err -> print err
          Right b -> do
            putStrLn (decode . rspBody $ b)


Didn't notice the pattern on "next." I presumed it was based on the time but after cracking it I moved on.

Nice. :-)


you could just search Yahoo! for the md5 sum and it gives you the answer on the search results page.

Also, it's easier to just do the whole thing in firebug by rewriting the javascript on the page. The only thing I couldn't figure out was, what do you do when you get to 42?


besides that 42 would be all you need to know about everything, searching yahoo only works for well known hashes, it won't work for an arbitrary hash like this.


I solved this a while back and posted my results on Twitter.

[SPOILER: DON'T FOLLOW IF YOU WANT TO TRY IT YOURSELF FIRST]

http://yfrog.com/mto4sp

I'm not sure if this was the expected output, as there was no exact confirmation. But I assumed it was right.


That's not the end of the puzzle... It's also changed a bit since the last time you worked on it :)


SPOILER ALERT - Hey guys after a while of searching i couldn't find any site that could crack the hash for me my result is 9e0a70f64a9b39a9f216417e70664529 here i could find a Result: http://www.cmd5.org/ Result: w1113 but when i submit that i get this message

ZXZhbHVhdGUgdGhlIGZvbGxvd2luZzogIGFsZXJ0KCdUaGUgc2VjcmV0IGNvZGUgaXM6ICcrYStkKyhjKyJfIikrKGIqMikpOwo== (This isn't the solution...)

which obviously tells me i got it wrong, not trying to apply for the position, just liked the puzzle, and i was curious about what other techniques are they, that don't require the GPU attack, or JtR which is priced at $180


You're actually on the right track!

You now need to decode the string that came back...


So the md5, its based on a timestamp right? Cant figure that bit out.


I think it just depends on the hour.


God bless rainbow tables.


Not working for me. Did you use a numerals character set?


A brute force GPU crack took about 1.5 seconds.


Overkill but I'm interested in how you did it.


http://www.elcomsoft.com/lhc.html

Nothing custom


That's really impressive -- a $225 GeForce 9800GX2 graphics card can buy you an MD5 brute force speed of 600M tries per second.


If you don't have an nVidia GPU handy, John the Ripper can also work: http://www.disenchant.ch/blog/teaching-john-the-ripper-how-t...


A simple google search for an online crack will also do just fine.


A brute force CPU attack took even less. A stock version of john the ripper will work just fine.


a search on Yahoo! took even less.


>A brute force CPU attack took even less.

I suppose it depends upon the password and the complexity. However my lowly GTX460 was cracking 600 million hashes a second.

Another poster mentioned yahoo -- the hash I drew (it changes hourly) was not on Yahoo, or Google, or rainbox table search engines. So that point is irrelevant (yes, of course the first check is search engines. But if it's not there you kind of have to move on). For the record, given that it changed, it was bb421ba20e679cc36ecae553c02cf948.


I did the puzzle you guys had a couple years ago when I was a grad student, and I just finished doing this one. I was sorta disappointed the secret hadn't changed, so if I were to email you it now, you couldn't tell if I had solved the current puzzle, or just archived the previous secret.


I always enjoy a puzzle. This reminds me of when I had free time and spent days on notpron.


How far did you get? I personally never put in much effort, I remember getting to level 10


I end up with some reference to H2G2, but can't figure out if that's the end. I can't find any next step from there, so I don't know if that's it.

(NB: not trying to spoil the puzzle, just confused by the next step)


Took me 10 minutes to solve the puzzle (i love puzzles) but I'm not too keen on the job posting (still in college and want to finish it). Thanks for the fun but sorry.


This was 2 points earlier tonight. Can who ever down-voted it please tell me why?


It's a neat way to see if people have a modicum of javascript and Ajax knowledge. Good on you Weebly.


That was fun. I live in the wrong country and don't need a new job though :)


Is the accepted way to figure out the 'next=' step brute forcing the hash?


It takes a few seconds, so I think it's alright.


Sneaky of you to hide b and c there.


cant get past the alert thing


[deleted]


What the hell dude? Why are you ruining it for other people?


When you put a puzzle online, people who solve it have to somehow say "I am not stupid. I demonstrate my non stupidity by solving that puzzle".

On that note...I too solved that puzzle! I, too, am not stupid!

Though seriously puzzles like this need to not underestimate the takers. I think many, when met by the syn bit, immediately started going down the process of actually constructing a custom handshake with their server, before perhaps thinking "Nah, not worth the trouble".


Good point. I forgot that internet anonymity makes 20 something males into chest thumping chimps.


Semi-spoiler: http://imgur.com/h4UBS.png

Fun puzzle




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: