Mr Robot ARG

From Game Detectives Wiki
Revision as of 20:24, 30 April 2018 by Silox (talk | contribs) (Red Wheelbarrow Clock)
Jump to: navigation, search
Mr. Robot ARG
Active since 2017-09-28
Mr-robot.png
An ARG set in the universe of Mr. Robot.
Type [[List_of_Investigations#Official|Official]]
Creator NBC Universal
Discovered 2017-09-28

Main Page > List of Investigations > Mr. Robot ARG

SPOILER WARNING: This wiki page may contain spoilers for the show Mr. Robot. The ARG is best played after catching up on the show. You have been warned!

The Mr. Robot ARG is an alternate reality game pertaining to the popular television show Mr. Robot. Throughout the course of the ARG, players interacted with characters and factions from the show, in order to solve puzzles. In particular, some players were recruited into fsociety, a fictional underground network of hackers. One of fsociety's main goals in the show is to disrupt a multinational corporation called E Corp.

Pages
Events The events that have taken place during the ARG.
Episodes The solves for the during the season ARG.

The following recaps the ARG events that took place after the season finale.

Red Wheelbarrow Activity Sheet (Looking Glass Enabled)

Red Wheelbarrow

Red Wheelbarrow Activity Sheet

Overlay of 3 Activity Sheets

After the season finale aired the Red Wheelbarrow website updated again, with a new file in the Kid Wheelbarrow section. Previously, it had been noticed that on Firefox a new extension was automatically enabled named Looking Glass. After examining the source code of the extension, it would change the user-agent for the site, giving a different image if you were on Firefox Nightly with Looking Glass, Firefox with Looking Glass, or another browser without Looking Glass. On the image it was noticed that the binary chart would change. It was noticed that certain spots would be filled by the other images, and by combining it all, you got the following binary segments:

0000.0001:1111
0000.0100:0100
0000.0101:0110.0001.0101
0000.0110:1000
0000.1001:1100.0010
0000.1100:1110.1101.1001
0000.1110:0011
0000.1111:1010
0001.0010:0000.0111
0001.0100:1011

Converting the left column, separating at the colon, returned numbers under 27 which led to discovering that you were to convert the number to its corresponding letter (A=1, Z=26). Converting the right column, and separating the numbers at the periods, it returned numbers from 0-15.

Left Decimal Left Decimal to Letter Right Decimal
1 A 15
4 D 4
5 E 6, 1, 5
6 F 8
9 I 12, 2
12 L 14, 13, 9
14 N 3
15 O 10
18 R 0, 7
20 T 11

It was discovered that the numbers in the right column were the position for the letter in the left column, using this, it spelled out a message:

R  E  I  N  D  E  I  R  F  L  O   T   I   L   L   A
0  1  2  3  4  5  6  7  8  9  10  11  12  13  14  15

The string REINDEER FLOTILLA, is a reference to Tron. The rest of the image either has no meaning, or has yet to be solved.

Red Wheelbarrow Clock

After the season finale aired, the DA_Remote node on WIMR became live. This node was different from the rest, requiring a password. It was soon found that the password was from 192.251.68.236, a puzzle previously solved during Season 3. After investigating the new node, it was noticed that none of the usual commands worked, and there was a file in the Documents folder titled, epilogue.docx.

Red Wheelbarrow clock
Jonathan consulting his trusty Semaphore manual (for doesn’t every sailor carry one?), realizing the whirling flags are spelling out a single word, over and over, like a drumbeat calling to him across the waves: “DESTINY”.

Soon after, it was noticed that the previous line was a hint at what to do. Typing destiny and running it in a command on the terminal redirected to a website on Red Wheelbarrow showing the clock. By investigating the source code, it was soon found that the after the player inputted 7 times, it would then submit to the website to see if that was correct. Later, it was noticed that if you were to refer back to the previous quote from DA_Remote, it mentioned semaphore. Taking the word DESTINY, which is seven letters, and converting it to semaphore. Flag semaphore is a way of distance communication that uses flags in certain positions. Using the left hand as the hour, and the right hand as the minute, you can get the seven times. This process took many guesses since the flags did not always match well with the clocks:


MR DestinyClocks.png


After inputting those times, the site will change and give you a message. After it is done, it will redirect you to the home page that now shows that you are signed in as admin of the Red Wheelbarrow site.

Red Wheelbarrow Network

Vincent

Red Wheelbarrow Network Map

After being signed in as admin on the Red Wheelbarrow website, you will be able to click on the Network Map in the top left corner, redirecting you to this page. Going to that page requests a password, and inputting REINDEERFLOTILLA, previously found from the Red Wheelbarrow activity sheet, it will show the Red Wheelbarrow network map. Using the map, you can connect to the firewall by going to https://www.red-wheelbarrow.com/vincent/.

Firewall Access page


At the firewall (Vincent) site, the license has many references to the movie The Black Hole. The main references are MarcusT, Marcus Tullius Cicero, and reference to a Cicero misquote being referenced in The Black Hole. "V.I.N.CENT: To quote Cicero: rashness is the characteristic of youth, prudence that of mellowed age, and discretion the better part of valor." Turning that quote into only lowercase letters, you get rashnessisthecharacteristicofyouthprudencethatofmellowedageanddiscretionthebetterpartofvalor. Using that as the password, and Cicero as the username you get access to the 4 other sites referenced on the Network Map.

The firewall site updated on January 26th to have an option to update, giving this message:


Current Base System 03673.12.18
Latest Base System 03701.8.2

Warning: to maintain Dutchman system compatibility administrative level 33 rotational access is required and system time must sync.
Proceed with update?

The first system version is a reference to The Black Hole, with 03673 being octal for 1979, and 12.18 being the date for it's release. The same logic was used on the second version, being a reference to the movie Fright Night (Releasing on the date August 2nd, 1985). There currently has been no use for the Fright Night reference.

ProboscisMonkey/theWolf

The Proboscis Monkey Network Map

Proboscis Monkey (theWolf) is the IDS, Intrusion Detection System, for the Red Wheelbarrow network. The site unlocked on January 26th along with the Firewall update. The firewall message, Warning: to maintain Dutchman system compatibility administrative level 33 rotational access is required and system time must sync. told the player what to do. Dutchman system pointed at going to Proboscis Monkey, administrative pointed at using admin as the username, level 33 pointed at using the Red Wheelbarrow commercial, and rotational access pointed at using the Caesar cipher.


An additional hint was given by Crypt from Curious Codes, "As the days go by, I leave this thing [bowl on a lathe] rotating over and over". This lead people to investigate and found out if you were to use PLASTICFORKS (previously found from the Red Wheelbarrow commercial) and rotate it by the day of the month, you would get the password. For example, if the day was June 15th, using ROT15 the password would be EAPHIXRUDGZ.

NOTE: To find the current password, you can use this site.

Harvey

Harvey resistor image.

Using the network map found inside of Proboscis monkey, Harvey was found with the message 500 Internal Server Error Harvey is CURRENTly down. Sorry for the trouble. with a picture of resistors. The word CURRENT is a hint to get the current of the resistors. If you were to use this chart on all but the tolerance and multiplier bands (last 2 bands) you would get a message:

0 - Black
1 - Brown
2 - Red
3 - Orange
4 - Yellow
5 - Green
6 - Blue
7 - Violet
8 - Gray
9 - White
BROWN BROWN VIOLET - 117
BROWN BROWN BLACK  - 110
GRAY VIOLET        - 87
VIOLET GREEN       - 75
GRAY RED           - 83
GRAY BLACK         - 80
BROWN BROWN RED    - 113
BROWN BROWN WHITE  - 119
BROWN BROWN        - 11
BROWN GRAY         - 18
NONE               - 0
YELLOW             - 4
VIOLET             - 7
NONE               - 0
ORANGE             - 3
VIOLET             - 7
ORANGE             - 3
RED                - 2
Cistern image

You get the string 117 110 87 75 83 80 113 119 11 18 0 4 7 0 3 7 3 2 Translated the first part using ASCII decimal codes you get unWKRPpw 11 18 0 4 7 0 3 7 3 2. The last number is a reference to Van Eck's sequence, which occurred during Kor Adana's interview with the Hollywood Reporter. Using those numbers as a clue to find a password from those interviews, it was found that hackjamtor was the password for Octo Proxy.

Cistern

Cistern message

Using the network map Cistern was found with the message Down for Maintenance for Approximately 24 Hours and an image. It was found that if you were to keep the site open for 24 hours (or manipulate the site cookie) the screen would become black and show the following message:

YOUR HIDE IS RAW FROM
GRABBING AT DOLLARS

IT DOES NOT MAKE SENSE TO YOU,
AS WE TWIST YOUR THOUGHTS AS SPAGHETTI

AROUND THE FORKED PATH YOU THOUGHT
YOU UNDERSTOOD

UNFORGIVEN YOU WILL SEE
THE RESULT OF ABSOLUTE POWER

AS WE REVEAL YOUR TRUE CRIME-
THE DOXING YOU WILL NEVER SAY GOODBYE TO

CHANGE YOUR NAME THREE TIMES COMBINED,
IT WILL NOT MATTER

YOU WILL HAVE NO NAME
TO USE THAT WE WON'T ROUTE

The message is laden with references to Clint Eastwood movies. "Rawhide", "a Fistful of Dollars", "Spaghetti Western", "Unforgiven", "Absolute Power", "True Crime", "Never Say Goodbye", (The Good, The Bad, and The Ugly [changing names 3 times]), and "The Man With No Name."

Octo Proxy/theRunningMan

Octo Proxy Control Panel

Octo Proxy (theRunningMan) is the proxy on the Red Wheelbarrow network. The username and password WKRP/hackjamtor was found in the Proboscis Monkey Harvey image. Inside of Octo Proxy is a control panel with the only options being available are status and Webfilter Databases. In the status tab of Octo Proxy it had the following statistics:

20 Days of statistics
2 requests
4 Visited web sites
4 Categorized websites
10 Phishing URIs
36 Viruses URIs
46 Not categorized
30 categories
6 Websites to export
22 KB Downloaded flow
50% Cache performance

The solution to the puzzle was found by removing all the text, going from the top to the bottom, and using the 50% on all numbers. After doing that, translating using A1Z26 you got the following:

10 - J
1  - A
2  - B
2  - B
5  - E
18 - R
23 - W
15 - O
3  - C
11 - K
25 - Y

On the Webfilter Databases tab, there is the login to DB1, and text at the bottom:

Brace yourselves-
Let the idea sink in...it's on the
tip of your tongue you know.
Core truths, when heard will
ring out, calling you out of ignorance.

The password for DB1 was found by finding the origin of Jabberwocky, which is Through the Looking-Glass, a source commonly referenced throughout the ARG. Using a synonym for looking glass, it was found that mirror was the password to access DB1.

DB1

DB1 console

Once signing into the DB1 console, you are given a terminal that is running MySQL, and has a limited amount of commands. It was then discovered that cat mydb_tables.sql was a working command that gave you the contents of the file shown to be generated above:

PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE "DB1"

INSERT INTO "DB1" VALUES(1,JoeBSaltPassKeyEncDuplex,'LUNAR','CHAR');
INSERT INTO "DB1" VALUES(2,JoeBPassKeySaltEncDuplex,'HERON','MESON');
INSERT INTO "DB1" VALUES(3,JoeBPassKeySaltEncDuplex,'PANE','THERE');
INSERT INTO "DB1" VALUES(4,JoeBPassKeySaltEncDuplex,'HERO','RINGO');
INSERT INTO "DB1" VALUES(5,JoeBPassKeySaltEncDuplex,'RACING','PIERCING');
INSERT INTO "DB1" VALUES(6,JoeBPassKeySaltEncDuplex,'TAKER','BOOKER');
INSERT INTO "DB1" VALUES(7,JoeBPassKeySaltEncDuplex,'MINER','USER');
INSERT INTO "DB1" VALUES(8,JoeBPassKeySaltEncDuplex,'ACTION','ORION');
INSERT INTO "DB1" VALUES(9,JoeBPassKeySaltEncDuplex,'ANKLE','TICKLE');
INSERT INTO "DB1" VALUES(10,JoeBPassKeySaltEncDuplex,'MERGER','MANAGER');

The output seems to be creating a database with a list of words. JoeB is a reference to Meet Joe Black, a movie that Brad Pitt is in, likely referring to the Honeypot. For each set of words, if you were to remove the common ending, then combined what is left, you would get another word.

LUNAR  - CHAR     | AR   | LUNCH
HERON  - MESON    | ON   | HERMES
PANE   - THERE    | E    | PANTHER
HERO   - RINGO    | O    | HERRING
RACING - PIERCING | CING | RAPIER
TAKER  - BOOKER   | KER  | TABOO
MINER  - USER     | ER   | MINUS
ACTION - ORION    | ION  | ACTOR
ANKLE  - TICKLE   | KLE  | ANTIC
MERGER - MANAGER  | GER  | MERMANA

Honeypot/bradPitt

The login for the Honeypot was found by using the first of the list of ten words pairs found in Octo Proxy, excluding the last pair, as the username and then using the word found by removing the common ending as the password. The following is a list of the working usernames and passwords.

LUNAR/LUNCH
HERON/HERMES
PANE/PANTHER
HERO/HERRING
RACING/RAPIER
TAKER/TABOO
MINER/MINUS
ACTION/ACTOR
ANKLE/ANTIC

After logging in, a picture of glyphs appear:

Image of the glyphs solved.

MR HPGlyphs.png

By using process of elimination, it was found that there were 10 different glyphs, representing 1-10. Then it was determined that the glyphs read, bottom right, top left, bottom left, top right. Using that method of reading the glyphs, the message PREACHER PASSWORD HELLFOLLOWEDWITHHIM a quote from Revelation 6:8.

DB1

Inside of Honeypot there is a link that leads to the database. Once you go to that site, it shows the following numbers:

0152052216.9000302595
1599901684.0679734511

The numbers were the ISBN for 4 books:

East.Password
Dangerous.Demons

DHCP/preacher

The login for DHCP was found by using the solution from Honeypot, and the text from Cistern in Proboscis Monkey, hinting at Man with No Name. Using the 3 nicknames and combining them, you get the username joemoncoblondie and the password hellfollowedwithhim.

The Breakfast Club

Email/Brian

On March 27, DHCP had updated to have new sections available, Advanced Routing and Port Address Translation. Inside of Port Address Translation, there were multiple messages encoded within the IP Addresses, and the MAC Addresses.

On Advanced Routing, the first message was found when it was noticed that the last number was able to be translated into letters using a letter number cipher where A=1 and A=27.

IP Adress Last Digit Letter Number
10.10.10.14 14 N
10.10.10.15 15 O
10.10.10.20 20 T
10.10.10.27 27 A
10.10.10.38 38 L
10.10.10.64 64 L
10.10.10.75 75 W
10.10.10.96 96 R
10.10.10.119 119 O
10.10.10.127 127 W
10.10.10.131 131 A
10.10.10.144 144 N
10.10.10.160 160 D
10.10.10.161 161 E
10.10.10.174 174 R
10.10.10.175 175 S
10.10.10.187 187 E
10.10.10.213 213 E

NOT ALL WHO WANDER SEE

The second message was found when it was noticed that the last 3 octets of the MAC Address were all under 27, leading to doing another letter number:

MAC Adress MAC Address (Last 3 Octets) Letter Number
00:23:A6:18:05:04 18:05:04 RED
B8:D4:9D:08:05:18 08:05:18 HER
00:1A:9F:18:09:14 18:09:14 RIN
00:0B:1F:07:19:01 07:19:01 GSA
00:10:27:18:05:06 18:05:06 REF
00:02:2F:21:14:04 21:14:04 UND
00:06:AB:15:14:20 15:14:20 ONT
00:1A:9F:25:15:21 25:15:21 YOU
B8:D4:9D:20:08:09 20:08:09 THI
00:02:2F:14:11:25 14:11:25 NKY
E8:C2:29:15:21:19 15:21:19 OUS
00:0B:1F:08:15:21 08:15:21 HOU
30:F7:7F:12:04:14 12:04:14 LDN
48:02:2A:15:20:08 15:20:08 OTH
00:1A:9F:01:22:05 01:22:05 AVE
00:23:A6:03:15:13 03:15:13 COM
FC:83:C6:05:08:05 05:08:05 EHE
00:15:66:18:05:24 18:05:24 REX

RED HERRINGS ARE FUN DONT YOU THINK YOU SHOULD NOT HAVE COME HERE X

The last message was found by using the only information that was left, the first 3 octets of the MAC Address. The first 3 octets of a MAC Address are the OUI, which is used to determine the manufacturer that created a device. By taking a list of the manufacturers, it was noticed that the first letter of each manufacturer spelled out a message:

OUI Manufacturer Letter
00:23:A6 E-Mon E
B8:D4:9D MSevenSy M Seven System Ltd. M
00:1A:9F A-Link A-Link Ltd A
00:0B:1F IConComp I CON Computer Co. I
00:10:27 L-3Commu L-3 COMMUNICATIONS EAST L
00:02:2F P-Cube P-Cube, Ltd. P
00:06:AB W-Link W-Link Systems, Inc. W
00:1A:9F A-Link A-Link Ltd A
B8:D4:9D MSevenSy M Seven System Ltd. M
00:02:2F P-Cube P-Cube, Ltd. P
E8:C2:29 H-Displa H-Displays (MSC) Bhd H
00:0B:1F IConComp I CON Computer Co. I
30:F7:7F SMobileD S Mobile Devices Limited S
48:02:2A B-LinkEl B-Link Electronic Limited B
00:1A:9F A-Link A-Link Ltd A
00:23:A6 E-Mon E
FC:83:C6 N-RadioT N-Radio Technologies Co., Ltd. N
00:15:66 A-FirstT A-First Technology Co., Ltd. A

EMAIL PW AMPHISBAENA

Now that the password was found, a username had to be found. By inspecting the source code of the website, it was found that the login class was named admin-login, which pointed at admin being the username.

Once logging in with the credentials admin/amphisbaena, the following message appeared:

WEST PASSWORD: DEADLY DISPUTE
FTP richard

"FTP richard" is a pointer to go to the next site /vincent/preacher/richard.

FTP/Richard

Now that the FTP site on DHCP had been found, there is an input for a username and a password. A few things were noticed when trying to login, when you had the wrong login, it would give the error message, "421 Invalid username or password- the world is an imperfect place." "the world is an imperfect place," references a quote by John Bender in The Breakfast Club. Additionally, it was noticed that the password would show up in blue if the password was entered in the format of an email address. It was soon discovered that by using the default login for a guest FTP server, anonymous/anonymous, was the correct logins for the FTP server.


Once logged in, the message given resembles the NASA Network Applications and Info Center Archive FTP login message, with the Local Web being different. The Local Web is a pointer to go to /vincent/preacher/andrew, the web login for DHCP. The website has a title of "ORWELL VERIFICATION ENGINE V CC0.2041" and has the word GET in Challenge 1. Since there is no other knowledge, something else needed to be discovered. It was soon discovered that the dir command worked in the FTP terminal, with only one result Chat.Log.txt. By running the command, get Chat.Log.txt the contents of the file were displayed:

ftp> get Chat.Log.txt
remote: Chat.Log.txt
228 Extended Passive Mode Entered (|||36565|)
150 Opening ASCII mode data connection for ChatLog.txt (438 bytes)
For Apache access:
GET     62+18
EACH    53-8
PART    59+26
AT      39+34
CHAT    46+2
AND     62+10
MACE    41+20
HUNT    59+26
KURT    39+34 
226 Transfer Complete
438 bytes received in 00:00 (110.57 KiB/s)

The file contents have multiple references to 1o57, one of the creators of the ARG. One of the first things that was noticed was that the first word, GET, matched the word on the Andrew Challenge 1. At this point, it was obvious that this was required to solve Andrew. After many failed attempts, it had been noticed that the numbers were each the central coordinates for a country. Soon after, it had been realized that if you were to translate the word by the regional language of the country, it would translate to an animal. It is thought that this is another connection to Orwell, specifically his book named Animal House.

Word Number 1 Number 2 Coordinates Location Region Translate
GET 62 18 62.00000 18.00000 Sweden Goat
EACH 53 -8 53.00000 -8.00000 Ireland Horse
PART 59 26 59.00000 26.00000 Estonia Duck
AT 39 34 39.00000 34.00000 Turkey Horse
CHAT 46 2 46.00000 2.00000 France Cat
AND 62 10 62.00000 10.00000 Norway Duck
MACE 41 20 41.00000 20.00000 Albania Cat
HUNT 59 26 59.00000 26.00000 Estonia Wolf
KURT 39 34 39.00000 34.00000 Turkey Wolf

After each animal was found, each was the correct answer for the 9 challenges inside of Andrew.