
There is a puzzle embedded in this page... - drusenko
http://www.weebly.com/jobs.html#
======
kentbrew
Weebly folks: if you really want to recruit decent front-end people, please
put this puzzle on a page that isn't chock-full of table-based layout, inline
styling, and other icky crap.

~~~
drusenko
OK, fair enough. Eliminated the two unnecessary table-based layouts and
removed the inline CSS.

There is still a bit of inline CSS left, but that's generated by code.

~~~
kentbrew
Good man. Thanks!

------
olalonde
Can't figure out which packet to send and in what format (hex? binary?) :(

Update: Wow! Can't believe I actually spent 20 minutes with Wireshark trying
to reply with the actual TCP packets that were next in the handshake sequence.

Update 2: Finally solved it :) Pro-tip: keep it simple.

~~~
alex1
You're not alone; I tried doing the exact same thing when I saw "Reply back
with the next packet in the handshake sequence as parameter 'msg'"

------
thought_alarm
Solved it! That customer support position is so mine.

------
quadhome

        #!/ova/fu -r
    
        HEY="uggc://jjj.jrroyl.pbz/jrroyl/choyvpOnpxraq.cuc?"
        QNGN="cbf=fbyirchmmyr"
    
        # Gvzrfgnzc nhgu
        GVZRFGNZC=$(phey -f -i -q $QNGN $HEY 2>&1 | terc "Qngr:" | phg -p 9- | ehol -egvzr -r "chgf Gvzr.cnefr($<.ernq).gb_v")
    
        # FLA-NPX nhgu
        QNGN+="&nhgu=$GVZRFGNZC&zft=FLA-NPX"
        ZQ5=$(phey -f -q $QNGN $HEY | rterc ^[n-s0-9]+)
    
        # ZQ5 penpx
        # (uggc://jjj.bcrajnyy.pbz/wbua/)
        ARKG=$(rpub $ZQ5 | ~/Qbjaybnqf/wbua-1.7.6-*/eha/wbua --sbezng=enj-ZQ5 /qri/fgqva --fubj | terc "?:" | phg -q ':' -s 2)
        QNGN+="&arkg=$ARKG"
    
        # Onfr64
        phey -f -q $QNGN $HEY | rterc ==$ | onfr64 --qrpbqr
    
        # ... bx, fb abj jr'er xvaqn purngvat.
        ZNTVP_AHZORE=$(phey -f "uggc://pqa1.jrroyl.pbz/yvoenevrf/fvtahc.wf?ohvyqgvzr=1289442390" | terc "ine o =" | rterc -b "[0-9]+")
    
        rpub gur_nafjre_vf_$(rpub "$ZNTVP_AHZORE * 2" | op)

------
drusenko
In case anybody is confused: There is a puzzle embedded in our jobs page
(<http://www.weebly.com/jobs.html>).

It's not meant to be incredibly difficult, just fun and challenging enough to
take 30 minutes or so.

------
geuis
Dear Weebly, please come up with a new puzzle. This is now at least the 3rd
time I've seen your puzzle. Time for a new one.

------
A1kmm
Spoiler alert - don't read more of this comment if you want to solve it
yourself.

Almost all of the solution in Haskell (except for the bit about extracting the
actual answer from the Javascript); it's probably not what they intended,
since the job is for a web-dev, but most of us here are probably just doing it
for fun. I found the bit about guessing what string was hashed to make the MD5
the hardest, because it was basically just pure brute force (I didn't know
what timezone it was in or what date format was used - so the hint wasn't very
helpful).

    
    
        import Network.URI
        import Network.HTTP
        import Data.Maybe
        import Data.Time.Clock.POSIX
        import Data.Time.LocalTime.TimeZone.Olson
        import Data.Time.LocalTime.TimeZone.Series
        import Data.Time.Clock
        import Data.Time.LocalTime
        import Data.Time.Calendar
        import Text.Printf
        import Control.Monad
        import Codec.Binary.Base64.String
    
        main = do
          -- Is there a more portable way to do this?
          pdtTZS <- getTimeZoneSeriesFromOlsonFile "/usr/share/zoneinfo/America/Los_Angeles"
          pdtTime <- liftM (utcToLocalTime' pdtTZS) getCurrentTime
          let next = printf "w%02d%02d" ((\(_, _, d) -> d) . toGregorian . localDay $ pdtTime) (todHour $ localTimeOfDay pdtTime)
          ts <- getPOSIXTime
          let str = urlEncodeVars [("pos", "solvepuzzle"),
                                   ("auth", show ts),
                                   ("msg", "SYN/ACK"),
                                   ("next", next)]
          r <- simpleHTTP (Request (fromJust $ parseURI "http://www.weebly.com/weebly/publicBackend.php")
                                      POST
                                      [Header HdrContentLength  (show $ length str),
                                       Header (HdrCustom "X-Requested-With") "XMLHttpRequest",
                                       Header (HdrCustom "X-Prototype-Version") "1.7_rc1",
                                       Header HdrContentType "application/x-www-form-urlencoded"]
                                      str
                          )
          case r
            of
              Left err -> print err
              Right b -> do
                putStrLn (decode . rspBody $ b)

~~~
bluesmoon
you could just search Yahoo! for the md5 sum and it gives you the answer on
the search results page.

Also, it's easier to just do the whole thing in firebug by rewriting the
javascript on the page. The only thing I couldn't figure out was, what do you
do when you get to 42?

~~~
ithkuil
besides that 42 would be all you need to know about everything, searching
yahoo only works for well known hashes, it won't work for an arbitrary hash
like this.

------
michaelhart
I solved this a while back and posted my results on Twitter.

[SPOILER: DON'T FOLLOW IF YOU WANT TO TRY IT YOURSELF FIRST]

<http://yfrog.com/mto4sp>

I'm not sure if this was the expected output, as there was no exact
confirmation. But I assumed it was right.

~~~
drusenko
That's not the end of the puzzle... It's also changed a bit since the last
time you worked on it :)

------
mrpollo
SPOILER ALERT - Hey guys after a while of searching i couldn't find any site
that could crack the hash for me my result is 9e0a70f64a9b39a9f216417e70664529
here i could find a Result: <http://www.cmd5.org/> Result: w1113 but when i
submit that i get this message

ZXZhbHVhdGUgdGhlIGZvbGxvd2luZzogIGFsZXJ0KCdUaGUgc2VjcmV0IGNvZGUgaXM6ICcrYStkKyhjKyJfIikrKGIqMikpOwo==
(This isn't the solution...)

which obviously tells me i got it wrong, not trying to apply for the position,
just liked the puzzle, and i was curious about what other techniques are they,
that don't require the GPU attack, or JtR which is priced at $180

~~~
drusenko
You're actually on the right track!

You now need to decode the string that came back...

------
worksbe
So the md5, its based on a timestamp right? Cant figure that bit out.

~~~
greenlblue
I think it just depends on the hour.

------
sisk
God bless rainbow tables.

~~~
ergo98
A brute force GPU crack took about 1.5 seconds.

~~~
quadhome
A brute force CPU attack took even less. A stock version of john the ripper
will work just fine.

~~~
bluesmoon
a search on Yahoo! took even less.

------
bettse
I did the puzzle you guys had a couple years ago when I was a grad student,
and I just finished doing this one. I was sorta disappointed the secret hadn't
changed, so if I were to email you it now, you couldn't tell if I had solved
the current puzzle, or just archived the previous secret.

------
mx12
I always enjoy a puzzle. This reminds me of when I had free time and spent
days on notpron.

~~~
rick_2047
How far did you get? I personally never put in much effort, I remember getting
to level 10

------
Timothee
I end up with some reference to H2G2, but can't figure out if that's the end.
I can't find any next step from there, so I don't know if that's it.

(NB: not trying to spoil the puzzle, just confused by the next step)

------
ajaimk
Took me 10 minutes to solve the puzzle (i love puzzles) but I'm not too keen
on the job posting (still in college and want to finish it). Thanks for the
fun but sorry.

~~~
ajaimk
This was 2 points earlier tonight. Can who ever down-voted it please tell me
why?

------
greenlblue
It's a neat way to see if people have a modicum of javascript and Ajax
knowledge. Good on you Weebly.

------
julianz
That was fun. I live in the wrong country and don't need a new job though :)

------
praxxis
Is the accepted way to figure out the 'next=' step brute forcing the hash?

~~~
quadhome
It takes a few seconds, so I think it's alright.

------
Encosia
Sneaky of you to hide b and c there.

------
skant
cant get past the alert thing

