|
|
(9 intermediate revisions by 2 users not shown) |
Line 1: |
Line 1: |
− | {{argbox
| + | #REDIRECT [[Mr. Robot ARG]] |
− | | float = right
| |
− | | image = File:Mr-robot.png
| |
− | | name = Mr. Robot ARG
| |
− | | description= An ARG set in the universe of Mr. Robot.
| |
− | | creator = NBC Universal
| |
− | | type = [[List_of_Investigations#Official|Official]]
| |
− | | status = Active
| |
− | | discovered = 2017-09-28
| |
− | }}
| |
− | | |
− | <span id="BackToTop"></span>
| |
− | <div class="noprint" style="text-align:center; border-radius:10px; box-shadow: 5px 5px; background-color:#CFCFCF; position:fixed; bottom:2%; left:1.5%; width:100px; padding:0; margin:0;">
| |
− | [[#top|Return to Top]]
| |
− | </div>
| |
− | | |
− | [[Main Page]] > [[List of Investigations]] > '''Mr. Robot ARG'''
| |
− | | |
− | '''''SPOILER WARNING:''' This wiki page may contain spoilers for the show Mr. Robot. The ARG is best played after catching up on the show. '''You have been warned!'''''
| |
− | | |
− | The '''Mr. Robot ARG''' is an alternate reality game pertaining to the popular television show Mr. Robot. In the ARG players are required to solve many puzzles set in the world's universe. This wiki page is split into multiple pages. [[Mr._Robot_ARG/Events | Events]] shows the puzzles in the different events that have taken place during the ARG. [[Mr._Robot_ARG/Episodes| Episodes]] shows the puzzles in the easter eggs hidden within the episodes. This page showcases the main ARG for Season 3.
| |
− | | |
− | {| class="wikitable"
| |
− | !colspan="2"|Pages
| |
− | |-
| |
− | |[[Mr._Robot_ARG/Events | Events]]
| |
− | |The events that have taken place during the ARG.
| |
− | |-
| |
− | |[[Mr._Robot_ARG/Episodes| Episodes]]
| |
− | |The solves for the during the season ARG.
| |
− | |}
| |
− | | |
− | __TOC__
| |
− | | |
− | The following recaps the ARG events that took place after the season finale.
| |
− | | |
− | [[Image:MR_RWActivitySheetNew.png|thumb|right|Red Wheelbarrow Activity Sheet (Looking Glass Enabled)]]
| |
− | | |
− | =Red Wheelbarrow=
| |
− | | |
− | ==Red Wheelbarrow Activity Sheet==
| |
− | | |
− | [[Image:MR_RWActivitySheetOverlay.png|thumb|right|150px|Overlay of 3 Activity Sheets]]
| |
− | After the season finale aired the [https://www.red-wheelbarrow.com/ Red Wheelbarrow website] updated again, with a new [https://www.red-wheelbarrow.com/forkids/activitysheet/ file] in the Kid Wheelbarrow section. Previously, it had been noticed that on Firefox a new extension was automatically enabled named [https://support.mozilla.org/en-US/kb/lookingglass Looking Glass] ('''NOTE:''' This extension has been automatically disabled and the player has to manually install the plugin). After examining the source code of the extension, players noticed the extension changed the user-agent for the Red Wheelbarrow website. This extension specifically gave a different image if you were on Firefox Nightly with the Looking Glass extension, Firefox with the Looking Glass extension, or another browser without the Looking Glass extension. Players had noticed that certain colors in the shirts and the binary chart had changed between the three images. Players noticed that the binary chart was filled by combining the images, giving the following binary segments:
| |
− | | |
− | <pre>
| |
− | 0000.0001:1111
| |
− | 0000.0100:0100
| |
− | 0000.0101:0110.0001.0101
| |
− | 0000.0110:1000
| |
− | 0000.1001:1100.0010
| |
− | 0000.1100:1110.1101.1001
| |
− | 0000.1110:0011
| |
− | 0000.1111:1010
| |
− | 0001.0010:0000.0111
| |
− | 0001.0100:1011
| |
− | </pre>
| |
− | | |
− | Converting the left column, separating at the colon, returned numbers under 27 which led players to believe that you had to change the numbers to it's corresponding letter value (A=1, Z=26). Converting the right column, and separating the numbers at the periods, it returned numbers from 0-15.
| |
− | | |
− | {| class="wikitable" border="1"
| |
− | |-
| |
− | ! Left Decimal
| |
− | ! Left Decimal to Letter
| |
− | ! Right Decimal
| |
− | |-
| |
− | | 1
| |
− | | A
| |
− | | 15
| |
− | |-
| |
− | | 4
| |
− | | D
| |
− | | 4
| |
− | |-
| |
− | | 5
| |
− | | E
| |
− | | 6, 1, 5
| |
− | |-
| |
− | | 6
| |
− | | F
| |
− | | 8
| |
− | |-
| |
− | | 9
| |
− | | I
| |
− | | 12, 2
| |
− | |-
| |
− | | 12
| |
− | | L
| |
− | | 14, 13, 9
| |
− | |-
| |
− | | 14
| |
− | | N
| |
− | | 3
| |
− | |-
| |
− | | 15
| |
− | | O
| |
− | | 10
| |
− | |-
| |
− | | 18
| |
− | | R
| |
− | | 0, 7
| |
− | |-
| |
− | | 20
| |
− | | T
| |
− | | 11
| |
− | |}
| |
− | | |
− | Players discovered the solution was using the right column as the index for the letters in the left column. By using this method, players got the following message:
| |
− | | |
− | <pre>
| |
− | R E I N D E I R F L O T I L L A
| |
− | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
| |
− | </pre>
| |
− | | |
− | The string '''REINDEER FLOTILLA''', is a reference to Tron. The rest of the image either has no meaning, or has yet to be solved.
| |
− | | |
− | ==Red Wheelbarrow Clock==
| |
− | | |
− | After the season finale aired, the DA_Remote node on [https://www.whoismrrobot.com/ WIMR] became live. This node was different from the rest, requiring a password. It was soon found that the password was from [https://wiki.gamedetectives.net/index.php?title=Mr._Robot_ARG/Episodes#192.251.68.236 192.251.68.236], a puzzle previously solved during Season 3. After investigating the new node, players discovered that none of the usual commands worked, and there was a file in the Documents folder titled, '''epilogue.docx'''.
| |
− | | |
− | [[Image:MR_RWClock.png|thumb|right|200px|Red Wheelbarrow clock]]
| |
− | | |
− | <pre>
| |
− | Jonathan consulting his trusty Semaphore manual (for doesn’t every sailor carry one?), realizing the whirling flags are spelling out a single word, over and over, like a drumbeat calling to him across the waves: “DESTINY”.
| |
− | </pre>
| |
− | | |
− | Soon after, players noticed that the previous line told them what to do. Running the command '''destiny''' into the terminal redirected to a website on Red Wheelbarrow showing a digital clock. By investigating the source code, players discovered that the website required seven inputted times. After seven times were inputted, players were able to notice that it would check to see if the times were correct. At this point, players had to refer back to the quote, which mentioned flag semaphore. Players found the solution by taking the word '''DESTINY''', which is seven letters, converting it to flag semaphore, then to an analog clock. [https://en.wikipedia.org/wiki/Flag_semaphore Flag semaphore] is a way of distance communication that uses flags in certain positions. Using the left hand as the hour, and the right hand as the minute, you can get the seven times. This process took players many guesses since the flags did not match exactly with the clocks:
| |
− | | |
− | <br>
| |
− | [[Image:MR_DestinyClocks.png|700px|center]]
| |
− | <br>
| |
− | | |
− | After inputting those times, the site changed, then gave the following message:
| |
− | | |
− | <pre>
| |
− | "And in another moment down went Alice after it, never once considering how in the world she was to get out again."
| |
− | -- Lewis Carroll
| |
− | | |
− | Congratulations, ally. Through your wits and bravery you have followed our call.
| |
− | | |
− | Now is the moment. You stand on the precipice of grand adventure.
| |
− | | |
− | This journey is fraught with danger. The enemy is cunning. Her forces will not be defeated lightly.
| |
− | | |
− | Only with all our strength and courage will we triumph over the dark destiny ahead.
| |
− | | |
− | Will you join the fight?
| |
− | </pre>
| |
− | | |
− | After the message finished playing, another message was shown to the player:
| |
− | | |
− | <pre>
| |
− | "Real knowledge is to know the extent of one's ignorance."
| |
− | -- Confucius
| |
− | | |
− | Here you are. The agent of our noble "adversary."
| |
− | | |
− | Did you believe we have been unaware of your activity?
| |
− | | |
− | Did you believe, in fact, we did not orchestrate it?
| |
− | | |
− | This has simply been another test. And now we know where your loyalties lie.
| |
− | | |
− | You may still prove to be of some use to us at some point. But rest assured it will be on our terms, and to serve our purpose.
| |
− | | |
− | For now, we suggest you pursue this matter no further.
| |
− | | |
− | We return you to where you started.
| |
− | </pre>
| |
− | | |
− | The site then redirected the player to the Red Wheelbarrow home page. The home page had changed to show that the player was now signed in as administrator on the Red Wheelbarrow website.
| |
− | | |
− | =Red Wheelbarrow Network=
| |
− | | |
− | ==Vincent==
| |
− | | |
− | [[Image:MR_RWNetworkMap.png|right|thumb|300px|Red Wheelbarrow Network Map]]
| |
− | | |
− | Players now being signed in as administrator on the Red Wheelbarrow website were given the option to open '''Network Map''' in the top left corner. The [https://www.red-wheelbarrow.com/admin/ network map] requested a password. Players found the password from the Red Wheelbarrow activity sheet puzzles. When players signed in using '''REINDEERFLOTILLA''', they were shown the Red Wheelbarrow network map. Using the map, players connected to the firewall by going to https://www.red-wheelbarrow.com/vincent/.
| |
− | | |
− | [[File:MR_Vincent.png|thumb|right|Firewall Access page]]
| |
− | <br>
| |
− | | |
− | At the firewall (Vincent) site, players noticed the [https://www.red-wheelbarrow.com/vincent/license.php license] had many references to the movie [https://en.wikipedia.org/wiki/The_Black_Hole The Black Hole]. Players found the important reference to a Cicero misquote that was referenced in The Black Hole. "V.I.N.CENT: To quote Cicero: rashness is the characteristic of youth, prudence that of mellowed age, and discretion the better part of valor." Players were able to determine that the password was the quote with no spaces or punctuation, <code>rashnessisthecharacteristicofyouthprudencethatofmellowedageanddiscretionthebetterpartofvalor</code>. Players using that as the password, and Cicero as the username gave them access to the four other sites referenced on the network map.
| |
− | | |
− | The firewall site updated on January 26th giving players an option to update the firewall version:
| |
− | | |
− | <br><pre>
| |
− | Current Base System 03673.12.18
| |
− | Latest Base System 03701.8.2
| |
− | | |
− | Warning: to maintain Dutchman system compatibility administrative level 33 rotational access is required and system time must sync.
| |
− | Proceed with update?
| |
− | </pre>
| |
− | | |
− | The first system version referenced The Black Hole, <code>03673</code> being 1979 in octal, and 12.18 being the date it was released. The same logic was used on the second version, being a reference to the movie Fright Night (Released on the date August 2nd, 1985).
| |
− | | |
− | ==ProboscisMonkey/theWolf==
| |
− | | |
− | [[File:MR_PMNetworkMap.png|thumb|right|The Proboscis Monkey Network Map]]
| |
− | | |
− | [https://www.red-wheelbarrow.com/vincent/theWolf/ Proboscis Monkey (theWolf)] is the IDS, Intrusion Detection System, for the Red Wheelbarrow network. The site unlocked on January 26th along with the Firewall update. The firewall message, <code>Warning: to maintain Dutchman system compatibility administrative level 33 rotational access is required and system time must sync.</code> told the player what to do. '''Dutchman system''' pointed at going to Proboscis Monkey, '''administrative''' pointed at using '''admin''' as the username, '''level 33''' pointed at using the Red Wheelbarrow commercial, and '''rotational access''' pointed at using the Caesar cipher.
| |
− | | |
− | | |
− | An additional hint was given by Crypt from Curious Codes, <code> "As the days go by, I leave this thing [bowl on a lathe] rotating over and over"</code>. This lead people to investigate using some sort of rotation cipher. Soon after, players found the answer being '''PLASTICFORKS''' (previously found from the Red Wheelbarrow commercial) rotated by the day of the month using a Caesar cipher. For example, if the day was June 15th, the player would use ROT15 on '''PLASTICFORKS''', resulting in '''EAPHIXRUDGZ'''.
| |
− | | |
− | '''NOTE:''' To find the current password, you can use [https://jsfiddle.net/cd2z2xwb/14/embedded/result/ this site].
| |
− | | |
− | ===Harvey===
| |
− | | |
− | [[File:MR_PMHarvey.jpg|thumb|right|Harvey resistor image.]]
| |
− | | |
− | Using the network map found inside of Proboscis monkey, [https://www.red-wheelbarrow.com/vincent/theWolf/harvey/ Harvey] was found with the message '''500 Internal Server Error''' <code>Harvey is CURRENTly down. Sorry for the trouble.</code> with a picture of resistors. The word '''CURRENT''' is a hint to get the current of the resistors. If you were to use this chart on all but the tolerance and multiplier bands (last 2 bands) you would get a message:
| |
− | | |
− | <pre>
| |
− | 0 - Black
| |
− | 1 - Brown
| |
− | 2 - Red
| |
− | 3 - Orange
| |
− | 4 - Yellow
| |
− | 5 - Green
| |
− | 6 - Blue
| |
− | 7 - Violet
| |
− | 8 - Gray
| |
− | 9 - White
| |
− | </pre>
| |
− | | |
− | <pre>
| |
− | BROWN BROWN VIOLET - 117
| |
− | BROWN BROWN BLACK - 110
| |
− | GRAY VIOLET - 87
| |
− | VIOLET GREEN - 75
| |
− | GRAY RED - 83
| |
− | GRAY BLACK - 80
| |
− | BROWN BROWN RED - 113
| |
− | BROWN BROWN WHITE - 119
| |
− | BROWN BROWN - 11
| |
− | BROWN GRAY - 18
| |
− | NONE - 0
| |
− | YELLOW - 4
| |
− | VIOLET - 7
| |
− | NONE - 0
| |
− | ORANGE - 3
| |
− | VIOLET - 7
| |
− | ORANGE - 3
| |
− | RED - 2
| |
− | </pre>
| |
− | | |
− | [[File:MR_PMCistern.jpg|100px|thumb|right|Cistern image]]
| |
− | | |
− | You get the string <code>117 110 87 75 83 80 113 119 11 18 0 4 7 0 3 7 3 2</code> Translated the first part using ASCII decimal codes you get '''unWKRPpw 11 18 0 4 7 0 3 7 3 2'''. The last number is a reference to [https://oeis.org/A181391 Van Eck's sequence], which occurred during Kor Adana's interview with the Hollywood Reporter. Using those numbers as a clue to find a password from those interviews, it was found that '''hackjamtor''' was the password for Octo Proxy.
| |
− | | |
− | ===Cistern===
| |
− | | |
− | [[File:MR_PMCistern2.png|thumb|right|Cistern message]]
| |
− | | |
− | Using the network map [https://www.red-wheelbarrow.com/vincent/theWolf/cistern/ Cistern] was found with the message '''Down for Maintenance for Approximately 24 Hours''' and an image. It was found that if you were to keep the site open for 24 hours (or manipulate the site cookie) the screen would become black and show the following message:
| |
− | | |
− | <pre>
| |
− | YOUR HIDE IS RAW FROM
| |
− | GRABBING AT DOLLARS
| |
− | | |
− | IT DOES NOT MAKE SENSE TO YOU,
| |
− | AS WE TWIST YOUR THOUGHTS AS SPAGHETTI
| |
− | | |
− | AROUND THE FORKED PATH YOU THOUGHT
| |
− | YOU UNDERSTOOD
| |
− | | |
− | UNFORGIVEN YOU WILL SEE
| |
− | THE RESULT OF ABSOLUTE POWER
| |
− | | |
− | AS WE REVEAL YOUR TRUE CRIME-
| |
− | THE DOXING YOU WILL NEVER SAY GOODBYE TO
| |
− | | |
− | CHANGE YOUR NAME THREE TIMES COMBINED,
| |
− | IT WILL NOT MATTER
| |
− | | |
− | YOU WILL HAVE NO NAME
| |
− | TO USE THAT WE WON'T ROUTE
| |
− | </pre>
| |
− | | |
− | The message is laden with references to Clint Eastwood movies. "Rawhide", "a Fistful of Dollars", "Spaghetti Western", "Unforgiven", "Absolute Power", "True Crime", "Never Say Goodbye", (The Good, The Bad, and The Ugly [changing names 3 times]), and "The Man With No Name."
| |
− | | |
− | ==Octo Proxy/theRunningMan==
| |
− | | |
− | [[File:MR_OPCP.png|thumb|right|Octo Proxy Control Panel]]
| |
− | | |
− | [https://www.red-wheelbarrow.com/vincent/theRunningMan/ Octo Proxy (theRunningMan)] is the proxy on the Red Wheelbarrow network. The username and password '''WKRP'''/'''hackjamtor''' was found in the Proboscis Monkey Harvey image. Inside of Octo Proxy is a control panel with the only options being available are '''status''' and '''Webfilter Databases'''. In the '''status''' tab of Octo Proxy it had the following statistics:
| |
− | | |
− | <pre>
| |
− | 20 Days of statistics
| |
− | 2 requests
| |
− | 4 Visited web sites
| |
− | 4 Categorized websites
| |
− | 10 Phishing URIs
| |
− | 36 Viruses URIs
| |
− | 46 Not categorized
| |
− | 30 categories
| |
− | 6 Websites to export
| |
− | 22 KB Downloaded flow
| |
− | 50% Cache performance
| |
− | </pre>
| |
− | | |
− | The solution to the puzzle was found by removing all the text, going from the top to the bottom, and using the 50% on all numbers. After doing that, translating using A1Z26 you got the following:
| |
− | | |
− | <pre>
| |
− | 10 - J
| |
− | 1 - A
| |
− | 2 - B
| |
− | 2 - B
| |
− | 5 - E
| |
− | 18 - R
| |
− | 23 - W
| |
− | 15 - O
| |
− | 3 - C
| |
− | 11 - K
| |
− | 25 - Y
| |
− | </pre>
| |
− | | |
− | On the '''Webfilter Databases''' tab, there is the login to DB1, and text at the bottom:
| |
− | | |
− | <pre>
| |
− | Brace yourselves-
| |
− | Let the idea sink in...it's on the
| |
− | tip of your tongue you know.
| |
− | Core truths, when heard will
| |
− | ring out, calling you out of ignorance.
| |
− | </pre>
| |
− | | |
− | The password for DB1 was found by finding the origin of Jabberwocky, which is Through the Looking-Glass, a source commonly referenced throughout the ARG. Using a synonym for looking glass, it was found that '''mirror''' was the password to access DB1.
| |
− | | |
− | ===DB1===
| |
− | | |
− | [[File:MR_OPDB1.png|thumb|right|DB1 console]]
| |
− | | |
− | Once signing into the DB1 console, you are given a terminal that is running MySQL, and has a limited amount of commands. It was then discovered that <code>cat mydb_tables.sql</code> was a working command that gave you the contents of the file shown to be generated above:
| |
− | | |
− | <pre>
| |
− | PRAGMA foreign_keys=OFF;
| |
− | BEGIN TRANSACTION;
| |
− | CREATE TABLE "DB1"
| |
− | | |
− | INSERT INTO "DB1" VALUES(1,JoeBSaltPassKeyEncDuplex,'LUNAR','CHAR');
| |
− | INSERT INTO "DB1" VALUES(2,JoeBPassKeySaltEncDuplex,'HERON','MESON');
| |
− | INSERT INTO "DB1" VALUES(3,JoeBPassKeySaltEncDuplex,'PANE','THERE');
| |
− | INSERT INTO "DB1" VALUES(4,JoeBPassKeySaltEncDuplex,'HERO','RINGO');
| |
− | INSERT INTO "DB1" VALUES(5,JoeBPassKeySaltEncDuplex,'RACING','PIERCING');
| |
− | INSERT INTO "DB1" VALUES(6,JoeBPassKeySaltEncDuplex,'TAKER','BOOKER');
| |
− | INSERT INTO "DB1" VALUES(7,JoeBPassKeySaltEncDuplex,'MINER','USER');
| |
− | INSERT INTO "DB1" VALUES(8,JoeBPassKeySaltEncDuplex,'ACTION','ORION');
| |
− | INSERT INTO "DB1" VALUES(9,JoeBPassKeySaltEncDuplex,'ANKLE','TICKLE');
| |
− | INSERT INTO "DB1" VALUES(10,JoeBPassKeySaltEncDuplex,'MERGER','MANAGER');
| |
− | </pre>
| |
− | | |
− | The output seems to be creating a database with a list of words. '''JoeB''' is a reference to Meet Joe Black, a movie that Brad Pitt is in, likely referring to the Honeypot. For each set of words, if you were to remove the common ending, then combined what is left, you would get another word.
| |
− | | |
− | <pre>
| |
− | LUNAR - CHAR | AR | LUNCH
| |
− | HERON - MESON | ON | HERMES
| |
− | PANE - THERE | E | PANTHER
| |
− | HERO - RINGO | O | HERRING
| |
− | RACING - PIERCING | CING | RAPIER
| |
− | TAKER - BOOKER | KER | TABOO
| |
− | MINER - USER | ER | MINUS
| |
− | ACTION - ORION | ION | ACTOR
| |
− | ANKLE - TICKLE | KLE | ANTIC
| |
− | MERGER - MANAGER | GER | MERMANA
| |
− | </pre>
| |
− | | |
− | ==Honeypot/bradPitt==
| |
− | | |
− | The login for the Honeypot was found by using the first of the list of ten words pairs found in Octo Proxy, excluding the last pair, as the username and then using the word found by removing the common ending as the password. The following is a list of the working usernames and passwords.
| |
− | | |
− | <pre>
| |
− | LUNAR/LUNCH
| |
− | HERON/HERMES
| |
− | PANE/PANTHER
| |
− | HERO/HERRING
| |
− | RACING/RAPIER
| |
− | TAKER/TABOO
| |
− | MINER/MINUS
| |
− | ACTION/ACTOR
| |
− | ANKLE/ANTIC
| |
− | </pre>
| |
− | | |
− | After logging in, a picture of glyphs appear:
| |
− | | |
− | [[File:MR_HPGlyphsSolve.png|thumb|right|Image of the glyphs solved.]]
| |
− | [[File:MR_HPGlyphs.png|250px]]
| |
− | | |
− | By using process of elimination, it was found that there were 10 different glyphs, representing 1-10. Then it was determined that the glyphs read, bottom right, top left, bottom left, top right. Using that method of reading the glyphs, the message '''PREACHER PASSWORD HELLFOLLOWEDWITHHIM''' a quote from Revelation 6:8.
| |
− | | |
− | ===DB1===
| |
− | | |
− | Inside of Honeypot there is a [https://www.red-wheelbarrow.com/vincent/bradPitt/343/ link] that leads to the database. Once you go to that site, it shows the following numbers:
| |
− | | |
− | <pre>
| |
− | 0152052216.9000302595
| |
− | 1599901684.0679734511
| |
− | </pre>
| |
− | | |
− | The numbers were the ISBN for 4 books:
| |
− | | |
− | <pre>
| |
− | East.Password
| |
− | Dangerous.Demons
| |
− | </pre>
| |
− | | |
− | ==DHCP/preacher==
| |
− | | |
− | The login for DHCP was found by using the solution from Honeypot, and the text from Cistern in Proboscis Monkey, hinting at [https://en.wikipedia.org/wiki/Man_with_No_Name Man with No Name]. Using the 3 nicknames and combining them, you get the username '''joemoncoblondie''' and the password '''hellfollowedwithhim'''.
| |
− | | |
− | =The Breakfast Club=
| |
− | | |
− | ==Email/Brian==
| |
− | | |
− | On March 27, DHCP had updated to have new sections available, '''Advanced Routing''' and '''Port Address Translation'''. Inside of Port Address Translation, there were multiple messages encoded within the IP Addresses, and the MAC Addresses.
| |
− | | |
− | On Advanced Routing, the first message was found when it was noticed that the last number was able to be translated into letters using a letter number cipher where A=1 and A=27.
| |
− | | |
− | {| class="wikitable" border="1"
| |
− | |-
| |
− | ! IP Adress
| |
− | ! Last Digit
| |
− | ! Letter Number
| |
− | |-
| |
− | | 10.10.10.14
| |
− | | 14
| |
− | | N
| |
− | |-
| |
− | | 10.10.10.15
| |
− | | 15
| |
− | | O
| |
− | |-
| |
− | | 10.10.10.20
| |
− | | 20
| |
− | | T
| |
− | |-
| |
− | | 10.10.10.27
| |
− | | 27
| |
− | | A
| |
− | |-
| |
− | | 10.10.10.38
| |
− | | 38
| |
− | | L
| |
− | |-
| |
− | | 10.10.10.64
| |
− | | 64
| |
− | | L
| |
− | |-
| |
− | | 10.10.10.75
| |
− | | 75
| |
− | | W
| |
− | |-
| |
− | | 10.10.10.96
| |
− | | 96
| |
− | | R
| |
− | |-
| |
− | | 10.10.10.119
| |
− | | 119
| |
− | | O
| |
− | |-
| |
− | | 10.10.10.127
| |
− | | 127
| |
− | | W
| |
− | |-
| |
− | | 10.10.10.131
| |
− | | 131
| |
− | | A
| |
− | |-
| |
− | | 10.10.10.144
| |
− | | 144
| |
− | | N
| |
− | |-
| |
− | | 10.10.10.160
| |
− | | 160
| |
− | | D
| |
− | |-
| |
− | | 10.10.10.161
| |
− | | 161
| |
− | | E
| |
− | |-
| |
− | | 10.10.10.174
| |
− | | 174
| |
− | | R
| |
− | |-
| |
− | | 10.10.10.175
| |
− | | 175
| |
− | | S
| |
− | |-
| |
− | | 10.10.10.187
| |
− | | 187
| |
− | | E
| |
− | |-
| |
− | | 10.10.10.213
| |
− | | 213
| |
− | | E
| |
− | |}
| |
− | | |
− | '''NOT ALL WHO WANDER SEE'''
| |
− | | |
− | The second message was found when it was noticed that the last 3 octets of the MAC Address were all under 27, leading to doing another letter number:
| |
− | | |
− | {| class="wikitable" border="1"
| |
− | |-
| |
− | ! MAC Adress
| |
− | ! MAC Address (Last 3 Octets)
| |
− | ! Letter Number
| |
− | |-
| |
− | | 00:23:A6:18:05:04
| |
− | | 18:05:04
| |
− | | RED
| |
− | |-
| |
− | | B8:D4:9D:08:05:18
| |
− | | 08:05:18
| |
− | | HER
| |
− | |-
| |
− | | 00:1A:9F:18:09:14
| |
− | | 18:09:14
| |
− | | RIN
| |
− | |-
| |
− | | 00:0B:1F:07:19:01
| |
− | | 07:19:01
| |
− | | GSA
| |
− | |-
| |
− | | 00:10:27:18:05:06
| |
− | | 18:05:06
| |
− | | REF
| |
− | |-
| |
− | | 00:02:2F:21:14:04
| |
− | | 21:14:04
| |
− | | UND
| |
− | |-
| |
− | | 00:06:AB:15:14:20
| |
− | | 15:14:20
| |
− | | ONT
| |
− | |-
| |
− | | 00:1A:9F:25:15:21
| |
− | | 25:15:21
| |
− | | YOU
| |
− | |-
| |
− | | B8:D4:9D:20:08:09
| |
− | | 20:08:09
| |
− | | THI
| |
− | |-
| |
− | | 00:02:2F:14:11:25
| |
− | | 14:11:25
| |
− | | NKY
| |
− | |-
| |
− | | E8:C2:29:15:21:19
| |
− | | 15:21:19
| |
− | | OUS
| |
− | |-
| |
− | | 00:0B:1F:08:15:21
| |
− | | 08:15:21
| |
− | | HOU
| |
− | |-
| |
− | | 30:F7:7F:12:04:14
| |
− | | 12:04:14
| |
− | | LDN
| |
− | |-
| |
− | | 48:02:2A:15:20:08
| |
− | | 15:20:08
| |
− | | OTH
| |
− | |-
| |
− | | 00:1A:9F:01:22:05
| |
− | | 01:22:05
| |
− | | AVE
| |
− | |-
| |
− | | 00:23:A6:03:15:13
| |
− | | 03:15:13
| |
− | | COM
| |
− | |-
| |
− | | FC:83:C6:05:08:05
| |
− | | 05:08:05
| |
− | | EHE
| |
− | |-
| |
− | | 00:15:66:18:05:24
| |
− | | 18:05:24
| |
− | | REX
| |
− | |}
| |
− | | |
− | '''RED HERRINGS ARE FUN DONT YOU THINK YOU SHOULD NOT HAVE COME HERE X'''
| |
− | | |
− | The last message was found by using the only information that was left, the first 3 octets of the MAC Address. The first 3 octets of a MAC Address are the [https://www.webopedia.com/TERM/O/OUI.html OUI], which is used to determine the manufacturer that created a device. By taking a list of the manufacturers, it was noticed that the first letter of each manufacturer spelled out a message:
| |
− | | |
− | {| class="wikitable" border="1"
| |
− | |-
| |
− | ! OUI
| |
− | ! Manufacturer
| |
− | ! Letter
| |
− | |-
| |
− | | 00:23:A6
| |
− | | E-Mon
| |
− | | E
| |
− | |-
| |
− | | B8:D4:9D
| |
− | | MSevenSy M Seven System Ltd.
| |
− | | M
| |
− | |-
| |
− | | 00:1A:9F
| |
− | | A-Link A-Link Ltd
| |
− | | A
| |
− | |-
| |
− | | 00:0B:1F
| |
− | | IConComp I CON Computer Co.
| |
− | | I
| |
− | |-
| |
− | | 00:10:27
| |
− | | L-3Commu L-3 COMMUNICATIONS EAST
| |
− | | L
| |
− | |-
| |
− | | 00:02:2F
| |
− | | P-Cube P-Cube, Ltd.
| |
− | | P
| |
− | |-
| |
− | | 00:06:AB
| |
− | | W-Link W-Link Systems, Inc.
| |
− | | W
| |
− | |-
| |
− | | 00:1A:9F
| |
− | | A-Link A-Link Ltd
| |
− | | A
| |
− | |-
| |
− | | B8:D4:9D
| |
− | | MSevenSy M Seven System Ltd.
| |
− | | M
| |
− | |-
| |
− | | 00:02:2F
| |
− | | P-Cube P-Cube, Ltd.
| |
− | | P
| |
− | |-
| |
− | | E8:C2:29
| |
− | | H-Displa H-Displays (MSC) Bhd
| |
− | | H
| |
− | |-
| |
− | | 00:0B:1F
| |
− | | IConComp I CON Computer Co.
| |
− | | I
| |
− | |-
| |
− | | 30:F7:7F
| |
− | | SMobileD S Mobile Devices Limited
| |
− | | S
| |
− | |-
| |
− | | 48:02:2A
| |
− | | B-LinkEl B-Link Electronic Limited
| |
− | | B
| |
− | |-
| |
− | | 00:1A:9F
| |
− | | A-Link A-Link Ltd
| |
− | | A
| |
− | |-
| |
− | | 00:23:A6
| |
− | | E-Mon
| |
− | | E
| |
− | |-
| |
− | | FC:83:C6
| |
− | | N-RadioT N-Radio Technologies Co., Ltd.
| |
− | | N
| |
− | |-
| |
− | | 00:15:66
| |
− | | A-FirstT A-First Technology Co., Ltd.
| |
− | | A
| |
− | |}
| |
− | | |
− | '''EMAIL PW AMPHISBAENA'''
| |
− | | |
− | Now that the password was found, a username had to be found. By inspecting the source code of the website, it was found that the login class was named <code>admin-login</code>, which pointed at '''admin''' being the username.
| |
− | | |
− | Once logging in with the credentials '''admin'''/'''amphisbaena''', the following message appeared:
| |
− | | |
− | <pre>
| |
− | WEST PASSWORD: DEADLY DISPUTE
| |
− | FTP richard
| |
− | </pre>
| |
− | | |
− | "FTP richard" is a pointer to go to the next site [https://www.red-wheelbarrow.com/vincent/preacher/richard/ /vincent/preacher/richard].
| |
− | | |
− | ==FTP/Richard==
| |
− | | |
− | Now that the FTP site on DHCP had been found, there is an input for a username and a password. A few things were noticed when trying to login, when you had the wrong login, it would give the error message, "421 Invalid username or password- the world is an imperfect place." "the world is an imperfect place," references a quote by John Bender in The Breakfast Club. Additionally, it was noticed that the password would show up in blue if the password was entered in the format of an email address. It was soon discovered that by using the default login for a guest FTP server, '''anonymous'''/'''anonymous''', was the correct logins for the FTP server.
| |
− | | |
− | | |
− | | |
− | Once logged in, the message given resembles the NASA Network Applications and Info Center Archive FTP login message, with the Local Web being different. The Local Web is a pointer to go to [https://www.red-wheelbarrow.com/vincent/preacher/andrew/ /vincent/preacher/andrew], the web login for DHCP. The website has a title of "ORWELL VERIFICATION ENGINE V CC0.2041" and has the word '''GET''' in Challenge 1. Since there is no other knowledge, something else needed to be discovered. It was soon discovered that the '''dir''' command worked in the FTP terminal, with only one result '''Chat.Log.txt'''. By running the command, '''get Chat.Log.txt''' the contents of the file were displayed:
| |
− | | |
− | <pre>
| |
− | ftp> get Chat.Log.txt
| |
− | remote: Chat.Log.txt
| |
− | 228 Extended Passive Mode Entered (|||36565|)
| |
− | 150 Opening ASCII mode data connection for ChatLog.txt (438 bytes)
| |
− | For Apache access:
| |
− | GET 62+18
| |
− | EACH 53-8
| |
− | PART 59+26
| |
− | AT 39+34
| |
− | CHAT 46+2
| |
− | AND 62+10
| |
− | MACE 41+20
| |
− | HUNT 59+26
| |
− | KURT 39+34
| |
− | 226 Transfer Complete
| |
− | 438 bytes received in 00:00 (110.57 KiB/s)
| |
− | </pre>
| |
− | | |
− | The file contents have multiple references to 1o57, one of the creators of the ARG. One of the first things that was noticed was that the first word, '''GET''', matched the word on the Andrew Challenge 1. At this point, it was obvious that this was required to solve Andrew. After many failed attempts, it had been noticed that the numbers were each the central coordinates for a country. Soon after, it had been realized that if you were to translate the word by the regional language of the country, it would translate to an animal. It is thought that this is another connection to Orwell, specifically his book named Animal House.
| |
− | | |
− | {| class="wikitable" border="1"
| |
− | |-
| |
− | ! Word
| |
− | ! Number 1
| |
− | ! Number 2
| |
− | ! Coordinates
| |
− | ! Location
| |
− | ! Region Translate
| |
− | |-
| |
− | | GET
| |
− | | 62
| |
− | | 18
| |
− | | 62.00000 18.00000
| |
− | | Sweden
| |
− | | Goat
| |
− | |-
| |
− | | EACH
| |
− | | 53
| |
− | | -8
| |
− | | 53.00000 -8.00000
| |
− | | Ireland
| |
− | | Horse
| |
− | |-
| |
− | | PART
| |
− | | 59
| |
− | | 26
| |
− | | 59.00000 26.00000
| |
− | | Estonia
| |
− | | Duck
| |
− | |-
| |
− | | AT
| |
− | | 39
| |
− | | 34
| |
− | | 39.00000 34.00000
| |
− | | Turkey
| |
− | | Horse
| |
− | |-
| |
− | | CHAT
| |
− | | 46
| |
− | | 2
| |
− | | 46.00000 2.00000
| |
− | | France
| |
− | | Cat
| |
− | |-
| |
− | | AND
| |
− | | 62
| |
− | | 10
| |
− | | 62.00000 10.00000
| |
− | | Norway
| |
− | | Duck
| |
− | |-
| |
− | | MACE
| |
− | | 41
| |
− | | 20
| |
− | | 41.00000 20.00000
| |
− | | Albania
| |
− | | Cat
| |
− | |-
| |
− | | HUNT
| |
− | | 59
| |
− | | 26
| |
− | | 59.00000 26.00000
| |
− | | Estonia
| |
− | | Wolf
| |
− | |-
| |
− | | KURT
| |
− | | 39
| |
− | | 34
| |
− | | 39.00000 34.00000
| |
− | | Turkey
| |
− | | Wolf
| |
− | |}
| |
− | | |
− | After each animal was found, each was the correct answer for the 9 challenges inside of Andrew.
| |
− | | |
− | [[Category: Mr. Robot ARG]] | |
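Review bot: The single added line, "#REDIRECT [[Mr. Robot ARG]]", replaces the entire page, so all of the removed walkthrough (Red Wheelbarrow, Red Wheelbarrow Network, The Breakfast Club) is lost unless it already exists at the target, and nothing in this diff shows that it was moved there. Please confirm the content is present at [[Mr. Robot ARG]] and note where it went in the edit summary. The removed breadcrumb and argbox both name this page "Mr. Robot ARG", the same title as the redirect target, so also check that the redirect does not point back at itself. If the text is being carried over, fix it on the way: the ROT15 example maps the 12-letter PLASTICFORKS to the 11-letter "EAPHIXRUDGZ", so a letter has been dropped, and "A=1 and A=27" in the Advanced Routing paragraph states the mapping ambiguously.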