The joys of knowing Software – Hacking the Boat License Course

Boat Licenses

NOTE: June 17th 2016 – I received a cease and desist letter from boat-ed.com and they have fixed the way in which the script in this post circumvents the wait. I am not aware of any other way to bypass it.

Summer is fast approaching and me and a group of friends decided to take the water on some ridiculously fun jet skis. In the state of Washington, a boat license is required to operate any PWC (personal watercraft) which thankfully can be done online. As a procrastinator I put aside 30 minutes of my time the night before the excursion to do the online exam on www.boat-ed.com. I was in for a large shock when I discovered that you had to sit through all the course material on the website prior to attempting the exam; average time for completion 6-8 hours.

Time is precious

Time is precious. It’s constantly fleeting and the last thing I wanted to do was sit through 6-8 hours of instructions that I knew and are largely common sense. The final exam should be indicative of whether you know the material or not, therefore it is not necessary to force people to sit through the course (all though you can Google the answers to the exam…). As my roomate decided to sit through the course material blindly hitting next when the button becomes available as he watched tv shows on Netflix, I decided to investigate if my knowledge of Computer Science can save me!

Chrome Extensions FTW

tl;dr; Install this Chrome Extension, which will enable you to skip any State Boat License course on www.boat-ed.com

Having some prior experience to writing Chrome Extensions and knowing more than my fair share of web services, I was able to dig into their JavaScript source files and find how they were forcing the users to sit through the course material. I will leave future blog posts perhaps detailing how one might go about “hacking” websites to reverse engineer their web services and fiddle around with it, briefly the steps were:

  1. Reverse obfuscate their JavaScript
  2. Find the offending timer code
  3. Figure out how to diable the timer (was a server call
  4. Fake the code in a Chrome Extension

37 Replies to “The joys of knowing Software – Hacking the Boat License Course”

          1. Sorry, I gave it a quick look earlier and don’t think there is anything I can do at the moment.
            I believe for now they’ve solved the exploit.

            If i have time again in the future i’ll give another crack at it 🙂

  1. Hello, my name is Darby. I’m a 7 year old weimaraner. I’m using this new cotupmer for the first time today as my mom, Monica got a virus on the old pc. There has been a lot of fussing going on as she usually uses a pc and this is a mac. I hope she figures it out soon or this could be a very long semester. This is Monica’s third semester. She took time off during the summer to go visit family in the lower 48 and enjoy the Alaska summer. We hiked almost every weekend. I got good at chasing foxes, but would turn around as soon as they barked at me. Due to government cut backs, Monica lost her job this week. She is now determined more than ever to finish the medical/dental receptionist program then continue to medical coding and billing. Her final goal is to become a geriatric nurse. Monica has an eight year old daughter that snuggles up to read to me every night. Dad is in the Air Force so we move a lot! Mom was so excited to find the online program at UAF so she can finish a degree no matter where we live. Well, it’s past my bed time and I’m sure someone’s feet needs me to lay on them. Good luck this semester and enjoy all the exciting stuff you get learn!!

  2. I started out to do this then saw that you had already done the work, so thanks 🙂

    I took your code and added one additional line which automatically clicks the “next” button, I just placed it in the success portion of the ajax call:

    document.getElementsByClassName(“timer”)[1].click();

      1. I’m trying to add in the auto next but I’m not exactly sure where to put it.

        I did it like this:

        $.ajax( { url:_url , data: _data, success: function() document.getElementsByClassName(timer)[1].click(); {
        console.log(“Successfully disabled wait.”);
        (document.body || document.head).appendChild(injectedScript);
        }, error: function(e, n) {
        console.log(“Error… Something is up…”);
        console.log(e);
        console.log(n);
        }
        });

        But it keeps returning this error:

        Uncaught SyntaxError: Unexpected identifier

        The script works without me adding that line.

      1. I second the hunter-ed.com timer skip. A 3 minute timer to stare at the parts for a lever action rifle I’ll never use is enough to drive one insane.

    1. You can probably leverage the code to work for it as well.
      I don’t have the bandwidth to investigate myself sorry;

      1. yea sorry about that – was fun while it lasted (and before i got a threat from the company to sue me).

        I think the statement of the post though was that it pays to always know a little programing so you can explore the javascript console of a web page. Who knows, what goodies you’ll find 🙂

  3. First time reader. Came across this as I was looking into ways of skipping the timer. Being in automation, I’ve been thinking how it’d be helpful to be able to automate the button clicking, but outright skipping is far better.

    I would love to see your future post on what your process was for “hacking” the site.

    Anyways great read!

    1. I believe they fixed the hack. I might write a short piece on how to reverse engineer such hacks to empower others in their use of the web.

      1. That’d be awesome if you did! I noticed they patched the issue.

        This is a GIANT pain in the ass to deal with(hence why i haven’t actually completed mine yet). Maybe tonight if i get some time i’ll start tryign to dig in and see if i can get around the timer BS crap

        1. I think they never use to track the time on the server side and now they do which makes trying to bypass it much harder (although possibly still possible if there’s other bugs)

Leave a Reply

Your email address will not be published. Required fields are marked *