In fact, it’s more correct to name the article “How to get yourself points in the competition to win a whole RedBull refrigerator”. By the way, we already have such a refrigerator with drinks in our office.
When once again juices, soda and other drinks were delivered to the office, I found a flyer advertising the competition, the essence of which was to complete the game and the winner would win a refrigerator for energy drinks.The second refrigerator would not hurt us - we just expanded, and we have new office rooms. So I followed the link and decided to try my luck, my attempt was a failure and I ended up somewhere at the end of the rating. The game was to go through several levels of the maze as quickly as possible.Now you need to put on sunglasses, turn on vpn, all kinds of proxies, etc.Let's get down to business
Knowing full well that any game on the web is a sequence of requests, and knowing the development market, where there are many amateurs, I decided to try my luck in the other direction and suddenly I stumble upon holes in the game. Not that I needed this refrigerator so much, it just got a sporting interest.http://redbull.ru/workWe will track requests in the browser, after that we will try to send the same requests, but with the changed values.
The first step is a request to start the game:https://rb-prjct-crtns-gamebackend-eu.herokuapp.com/api/high-scores/games/8970c40a-98f0-4395-85c8-66177fb38af0/runs
At the same time, we notice in the link id = 8970c40a-98f0-4395-85c8-66177fb38af0.A couple of times we refresh the page in the browser, it opens from a different ip and in another browser, this parameter does not change, we assume that this is a constant identifier for the game.We also notice that in the data type header parametersaccept:
application/vnd.api+json
In response to this request, we get the answer:
{
"data":{
"attributes":{
"finished_at":null,
"game_day":114,
"game_week":17,
"score":null
},
"id":"4f89d56d-884e-42e8-909d-d1e7547cc1d8",
"links":{
"self":"https://rb-prjct-crtns-gamebackend-eu.herokuapp.com/runs/4f89d56d-884e-42e8-909d-d1e7547cc1d8"
},
"relationships":{},
"type":"runs"
},
"included":[],
"links":{
"self":"https://rb-prjct-crtns-gamebackend-eu.herokuapp.com/runs/4f89d56d-884e-42e8-909d-d1e7547cc1d8"
}
}
In the answer you can notice different attributes and one more id = 4f89d56d-884e-42e8-909d-d1e7547cc1d8, which seems to be our personal identifier for the game.We start the game.
We observe over requests. We see that nothing new appears, that is, no stages of the passage of the game trigger. Just in case, I checked, maybe something goes on web sockets - it is also empty there.
At the end of the game, we are somewhere in the ranking, but we are not the first to be very sad. For now.We look at the console and see that 2 more requests were sent, but one of them was for receiving articles, the other for getting the players rating. There is little useful here, we remember the rating of the first place - 61454667.Click on the button to save the result.
Another url request was senthttps://rb-prjct-crtns-gamebackend-eu.herokuapp.com/api/high-scores/games/8970c40a-98f0-4395-85c8-66177fb38af0/runs/4f89d56d-884e-42e8-909d-d1e7547cc1d8/submit
with parameters{
"data":{
"id":"8970c40a-98f0-4395-85c8-66177fb38af0",
"type":"runs",
"attributes":{
"score":11041900
}
}
}
It becomes obvious that the link is formed from the static id of the game and the id of our session. In the parameters, the account is transferred, which will be saved by us and participate in the rating.
At the next stage, a page with a form opens, which is loaded in an iframe. We notice that our session id is involved in the link:https://redbull.jotform.com/93071907238864&runid=4f89d56d-884e-42e8-909d-d1e7547cc1d8&runscore=11041900&redirect=https://maze.redbull.com
After submitting the form, we receive a confirmation.
Now we repeat all the same requests, but not through the browser.I will use Postman.We send a request forhttps://rb-prjct-crtns-gamebackend-eu.herokuapp.com/api/high-scores/games/8970c40a-98f0-4395-85c8-66177fb38af0/runs
Received the answer:{
"data": {
"attributes": {
"finished_at": null,
"game_day": 114,
"game_week": 17,
"score": null
},
"id": "f95dad7c-eecf-4d3a-88e9-a32661a484e4",
"links": {
"self": "https://rb-prjct-crtns-gamebackend-eu.herokuapp.com/runs/f95dad7c-eecf-4d3a-88e9-a32661a484e4"
},
"relationships": {},
"type": "runs"
},
"included": [],
"links": {
"self": "https://rb-prjct-crtns-gamebackend-eu.herokuapp.com/runs/f95dad7c-eecf-4d3a-88e9-a32661a484e4"
}
}
Most important hereid = f95dad7c-eecf-4d3a-88e9-a32661a484e4
Now form a link to get the rating. We will need our session id and a result that will be more than the current record 61454667. For aesthetics, take the first digit of the number 2 * pi, just a little more than the record.Send a requesthttps://rb-prjct-crtns-gamebackend-eu.herokuapp.com/api/high-scores/games/8970c40a-98f0-4395-85c8-66177fb38af0/runs/f95dad7c-eecf-4d3a-88e9-a32661a484e4/leaderboard?score=62831853&filter[interval]=none
In the answer we see that we are already the first in the list, now we will save the result.We will send a request tohttps://rb-prjct-crtns-gamebackend-eu.herokuapp.com/api/high-scores/games/8970c40a-98f0-4395-85c8-66177fb38af0/runs/f95dad7c-eecf-4d3a-88e9-a32661a484e4/submit
In this request, it is important to specify the attributes of the headers.
Super! Everything went ok, received confirmation of the result. Now you need to send contact details so that RedBull contacted us.To do this, simply open a link in the browser with the form with our session id.https://redbull.jotform.com/93071907238864&runid=f95dad7c-eecf-4d3a-88e9-a32661a484e4&runscore=61454667&redirect=https://maze.redbull.com
Fill out the form.We send.
We get confirmation!The competition has already ended, it ran until January 31, 2020.PS At the time of publication, the drawing was completed, during the campaign we did not participate in it, we did not claim victory. All descriptions are for informational purposes only. No commercial or other values ​​were pursued by these actions.