Grandiosa

1 minute read

During Grandiosa's "getyourfreepizza" event, participants had the chance to win free pizzas or a Nintendo Switch by locating randomly placed boxes. I focused on obtaining a Nintendo Switch without physically searching for the boxes.

Tools Used

• Python: Primary programming language.

Methods

Manual Method

The simplest way to open the boxes without physical movement was to spoof the device location locally. This could be accomplished using the "Fake GPS location" app for Android. By gradually adjusting the location closer to the box via trial and error, it was possible to open the box and claim the free pizza.

Automatic Method

A more advanced technique involved bypassing the GPS verification entirely, as the location verification was client-side only. This process was divided into two steps:

1. Send a request to the server to retrieve the IDs of the five closest boxes.
2. Send a request to the server with the chosen box ID and your phone number to receive the coupon code via SMS within 10 minutes.

Grandiosa's Anti-Cheat Measures

Prize Cap

Initially, the primary deterrent against cheating was a hidden cap on the number of boxes one could claim per day. I speculated this to be one box per phone number per day. Given that I only had one phone number, my chances of winning a Nintendo Switch were slim. My initial workaround involved sending pizza codes to all contacts in my phone, but after exhausting most of them without success, I sought another strategy.

I collected a number of free SIM cards from local shops and developed a Python script to iterate through them, sending pizza SMS codes at random intervals.

IP-Address Blacklisting

Grandiosa later implemented a security measure to blacklist IP addresses that issued suspicious requests, which temporarily halted my script. I overcame this by utilizing a list of free proxies found online, configuring my script to randomly select a proxy for each request.

IP-Geolocation

After amassing hundreds of pizza coupons without winning a Nintendo Switch, Grandiosa began filtering by IP geolocation. At this point, considering the effort and diminishing returns, I decided to end the project.

Result

I concluded the project with over 300 Grandiosa pizza coupons—far more than I could consume. This experience significantly enhanced my understanding of web-application security, paving the way for further security-related projects.