dunkirk.sh / zera
the home site for me: also iteration 3 or 4 of my site
fork atom

chore: format hilton code blocks

Kieran Klukas e6e3410e 035bc3bd

options
unified split
Changed files
+26 -10
content
blog
2024-10-13_hilton_tomfoolery.md
+26 -10
content/blog/2024-10-13_hilton_tomfoolery.md 
···

       
23

       
23

       
 

       



     

       
24

       
24

       
 

       
First I had to download the app, which required disabling the proxy as iOS seems to ignore certificate trust settings for the app store. Enrollment happened via the `https://m.hilton.io/graphql/customer?operationName=createGuest&type=enroll` endpoint and was as follows:


     

       
25

       
25

       
 

       



     

       

       
26

       
+

       
> POST


     

       
26

       
27

       
 

       
```json


     

       
27

       
28

       
 

       
{


     

       
28

       
29

       
 

       
  "query": "...",


     
···

       
64

       
65

       
 

       
  },


     

       
65

       
66

       
 

       
  "operationName": "createGuest"


     

       
66

       
67

       
 

       
}


     

       

       
68

       
+

       
```


     

       

       
69

       
+

       
```bash


     

       
67

       
70

       
 

       
---


     

       
68

       
71

       
 

       
mutation createGuest($input: EnrollInput!, $language: String!) {


     

       
69

       
72

       
 

       
    createGuest(language: $language, input: $input) {


     
···

       
84

       
87

       
 

       
    }


     

       
85

       
88

       
 

       
}


     

       
86

       
89

       
 

       
```


     

       

       
90

       
+

       
<br/>


     

       
87

       
91

       
 

       



     

       
88

       

       
-

       
getting the response:


     

       

       
92

       
+

       
> response


     

       
89

       
93

       
 

       



     

       
90

       
94

       
 

       
```json


     

       
91

       
95

       
 

       
{


     

       
92

       
96

       
 

       
    "data": {


     

       
93

       
97

       
 

       
        "createGuest": {


     

       
94

       
98

       
 

       
            "data": {


     

       
95

       

       
-

       
                "guestId": 172624xxxx,


     

       

       
99

       
+

       
                "guestId": 1726240000,


     

       
96

       
100

       
 

       
                "hhonorsNumber": "225782xxxx"


     

       
97

       
101

       
 

       
            },


     

       
98

       
102

       
 

       
            "error": null


     
···

       
103

       
107

       
 

       
    }


     

       
104

       
108

       
 

       
}


     

       
105

       
109

       
 

       
```


     

       

       
110

       
+

       
<br/>


     

       
106

       
111

       
 

       



     

       
107

       

       
-

       
with the headers:


     

       

       
112

       
+

       
> headers


     

       
108

       
113

       
 

       



     

       
109

       
114

       
 

       
```json


     

       
110

       
115

       
 

       
{


     
···

       
123

       
128

       
 

       



     

       
124

       
129

       
 

       
I shared the key which asked for a name and then opened the iOS share sheet and I choose to send by text. I went back to my phone, clicked the link and low and behold we got a hit! `https://hms.hiltonapi.com/hms/v1/digitalkey/invitation/accept`:


     

       
125

       
130

       
 

       



     

       

       
131

       
+

       
> POST


     

       
126

       
132

       
 

       
```json


     

       
127

       
133

       
 

       
{


     

       
128

       
134

       
 

       
    "shareId": "b4d6140d311e4c4c935dd653ca00af65"


     

       
129

       
135

       
 

       
}


     

       
130

       
136

       
 

       
```


     

       
131

       
137

       
 

       



     

       
132

       

       
-

       
our response was as follows:


     

       

       
138

       
+

       
<br/>


     

       
133

       
139

       
 

       



     

       

       
140

       
+

       
> response


     

       
134

       
141

       
 

       
```json


     

       
135

       
142

       
 

       
{


     

       
136

       
143

       
 

       
    "arrivalDateTime": "2024-10-13T15:00-04:00",


     
···

       
144

       
151

       
 

       



     

       
145

       
152

       
 

       
Another interesting request was to `https://m.hilton.io/graphql/customer?operationName=hotel_brand&type=hotelDetails_GCYPAHX` 


     

       
146

       
153

       
 

       



     

       

       
154

       
+

       
> POST


     

       
147

       
155

       
 

       
```json


     

       
148

       
156

       
 

       
{


     

       
149

       
157

       
 

       
  "variables": {


     
···

       
153

       
161

       
 

       
  "operationName": "hotel_brand",


     

       
154

       
162

       
 

       
  "query": "..."


     

       
155

       
163

       
 

       
}


     

       

       
164

       
+

       
```


     

       

       
165

       
+

       
```bash


     

       
156

       
166

       
 

       
---


     

       
157

       
167

       
 

       
query hotel_brand($language: String!, $ctyhocn: String!) {


     

       
158

       
168

       
 

       
  hotel(language: $language, ctyhocn: $ctyhocn) {


     
···

       
260

       
270

       
 

       
}


     

       
261

       
271

       
 

       
```


     

       
262

       
272

       
 

       



     

       
263

       

       
-

       
with a response of:


     

       

       
273

       
+

       
<br/>


     

       
264

       
274

       
 

       



     

       

       
275

       
+

       
> response


     

       
265

       
276

       
 

       
```json


     

       
266

       
277

       
 

       
{


     

       
267

       
278

       
 

       
    "data": {


     
···

       
741

       
752

       
 

       



     

       
742

       
753

       
 

       
When using the unlock button, it made a request to this URL: `https://smetric.hilton.com/b/ss/hiltonglobalprod/10/IOSN030200030900/s65425920` with a payload of a URL encoded form.


     

       
743

       
754

       
 

       



     

       
744

       

       
-

       
```text


     

       

       
755

       
+

       
> POST


     

       

       
756

       
+

       
```yaml


     

       
745

       
757

       
 

       
ndh:              1


     

       
746

       
758

       
 

       
cid.:             


     

       
747

       
759

       
 

       
card_no.:         


     
···

       
844

       
856

       
 

       
ts:               1728899984


     

       
845

       
857

       
 

       
```


     

       
846

       
858

       
 

       



     

       

       
859

       
+

       
<br/>


     

       

       
860

       
+

       



     

       
847

       
861

       
 

       
> response 


     

       
848

       

       
-

       
```text 


     

       

       
862

       
+

       
```json 


     

       
849

       
863

       
 

       
 {


     

       
850

       
864

       
 

       
  "stuff":[ {


     

       
851

       
865

       
 

       
    "cn":"TMS","cv":"web=17836315,Web-app=15217574,Web-app=17952857,Web-app=17952894,web-app=19493122,web-app=19484989,web-app=21539153,web-app=21539313,web-app=21881915,web-app=22516131,web-app=22889861,web-app=23583601,web-app=15218869,web-app=26458327,web-app=26458383,web-app=21537957","ttl":30,"dmn":""


     
···

       
859

       
873

       
 

       



     

       
860

       
874

       
 

       
About a second afterward, I get a second request to `https://smetric.hilton.com/b/ss/hiltonglobalprod/10/IOSN030200030900/s88785229` with similar form data. Diff shown below.


     

       
861

       
875

       
 

       



     

       
862

       

       
-

       
```text


     

       

       
876

       
+

       
> POST.diff


     

       

       
877

       
+

       
```diff


     

       
863

       
878

       
 

       
23c23


     

       
864

       
879

       
 

       
< action:           digital key:key:unlock_btn


     

       
865

       
880

       
 

       
---


     
···

       
895

       
910

       
 

       
>


     

       
896

       
911

       
 

       
> *:8080mitmproxy 10.4.2 


     

       
897

       
912

       
 

       
```


     

       

       
913

       
+

       
<br/>


     

       
898

       
914

       
 

       



     

       
899

       

       
-

       
> response diff


     

       
900

       

       
-

       
```text 


     

       

       
915

       
+

       
> response.diff


     

       

       
916

       
+

       
```diff 


     

       
901

       
917

       
 

       
<   ],"uuid":"61645808922583835885560882535048239660","dcs_region":7,"tid":"RufgJCfxTjg="


     

       
902

       
918

       
 

       
---


     

       
903

       
919

       
 

       
>   ],"uuid":"61645808922583835885560882535048239660","dcs_region":7,"tid":"69dMPcWjQD4="