How hacker quests work and why it's hard to break away from them

Mutt

Article from the paid subscription of the "hacker" magazine

Curiosity is the key to excellence. A passionate person is willing to make the effort to find answers over and over again and satisfy their craving for knowledge. One way to harness the power of curiosity is through hacker quests. They lie at the intersection of ARG games and CTF competitions and entice participants with an atmosphere of mystery, but they do not merely entertain: they also teach completely real skills.

What is ARG?
In case you have not heard of the pastime called Alternate Reality Game, I will briefly explain what it is. Imagine a game that uses the real world as its platform. More precisely, not even a game, but interactive storytelling with game elements.

Through a coordinated effort (usually over the Internet), ARG participants seek clues and follow the trail of the story the authors have invented. The clues can turn up both on sites deployed specially for this purpose and in real life: for example, on posters, on hidden flash drives, in messages on an answering machine, and so on.

The result is a kind of giant multiplayer puzzle that combines role-playing and computer games, investigative journalism, science fiction and mysticism.

The influence of the audience on the outcome of the ARG is so great that the plot can follow an unforeseen scenario, end ahead of time, or stop in the middle.

Today, commercial entertainment projects of this kind are played by several million people around the world. The main driving forces behind solving ARGs are curiosity, a love of puzzles, a desire to learn cryptography and a wish to test your own erudition. After all, if you reach the finale, you will be one of the lucky few.

Commercial ARGs are plentiful. Among the most notorious: I Love Bees, which was part of the viral marketing campaign for Halo 2; Lost Experience and Find 815, which advertised the series Lost; the well-known puzzle game in the Portal universe; and others.

The closest to our theme, of course, are Cicada 3301 and the ARG based on the TV series Mr. Robot.

What's the difference between ARGs, CTFs and CTF-style quests?
Entire online communities have formed around ARGs, and their numbers are constantly growing. This trend also reached the infosec crowd, where it cross-pollinated with another popular genre, Capture The Flag competitions. The result is sometimes called a deep web puzzle, and at times such puzzles are in no way inferior in execution to a full-fledged ARG.

Such quests differ from ARGs in the absence of a marketing component, and from CTFs in the absence of a clear organization. You can participate alone or in a team of any size; there are no prizes, no points, not even a completion date.

However, the absence of pre-assembled teams does not mean that there is no team problem solving. Most often, interested players unite in communities and help each other with difficult riddles. This happens on forums, wikis, subreddits, image boards and in group chats.

For example, the r/ARG subreddit is about online puzzles in general. There, anyone can share a link to a quest unknown to the community, contribute to the solution of active tasks, or learn from already solved ARGs.

In general, Reddit has recently become the default platform for fans of such activities. Its inhabitants are often the first to find inconspicuous pages on the darknet.

The Russian community of Internet researchers (netstalkers) has also repeatedly stumbled upon very original quests that were never mentioned on Reddit. Often these things are discovered spontaneously, when someone scours the dark web in search of new interesting links.

Once that happens, the community comes together to solve the found piece of the big online game. I say "found piece" because you can never be sure whether a web page is the beginning, the middle or the end of the game.

Sofia's quest
Now is the time to introduce you to some CTF-style quests that have interested our community with their complexity, originality and beauty of execution. We will go through one of them from beginning to end, that is, until we receive the coveted flag. The quest is not long, but on the whole it shows what one has to face when going through such a quest. Along the way, we will collect a small selection of utilities that help in finding a solution.

Part 1
Everything starts as usual: someone finds a web page. It belongs to Sophie, and you can hardly pass by this resource without becoming interested.

On the main page there is a hex code, below it a picture with a yin-yang, at the very bottom of the page a binary code, and a strange melody called whiterabbit plays in the background.

The first thing that should come to mind for a researcher of such resources is to look at the HTML source of the page straight away, without being distracted by what seems obvious to the eye. Usually it is in the source that hints, or meaningless developer comments, are hidden, and sometimes even the links to the next level.

In our case, the developer console reveals a link to the author's profile on the blackhatworld website.

You may also notice a small hint: "Does only webpages have meta data?" Obviously, attention should now be turned to finding metadata in the picture.

That is what we will do with the Exif Regex resource, which extracts both EXIF (camera data) and XMP metadata. Metadata2go can also be used to read the metadata.

Now we can learn a thing or two about the image, as in the screenshot above. It becomes clear that the creator's name is Sophie and that she lives in Irkutsk, but most surprising is the Source field of the metadata: "The State Security Committee (KGB)." This seems to be a nod to the rumours that secret services use ARGs to recruit the brightest players.

We ignore this and proceed to decoding the hex code. Any suitable hex-to-text decoder will do. The output is fully readable text.

However, so far we have not found any really useful information. Experienced players who have already taken part in solving quests know that riddles sometimes have several solutions, some of which deliberately lead to dead ends. This is just such a case.

Let's use the DirBuster utility with a wordlist of directories for the Apache server. It iterates over popular directory and file names of web applications, trying to find hidden directories and pages. After the scan, we find the hidden directory /server-status. We go into it and see a link.

It is the link to the next part.

Part 2
On another resource, we see only a photo, without any explanation. In general, you should forget about explanations in quests: the organizers prefer to keep a veil of secrecy and will not say a word more than necessary, all in order to whet your interest. In fact, the atmosphere of mystery is the main reason why such quests are often hosted on .onion.

We open the browser console and find nothing interesting in the page source, so we will work with the photo. Download the picture of Napoleon and look at it in text form (a hex editor or a regular text editor will do). We immediately see several lines of text at the very end of the file.

The key word is recital. After racking our brains, we realise that this is a fragment of a link. We try adding .html as the file name and get a working link to the next stage.
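As an added example (not part of the article, and not the quest's real image) that serves both the metadata step of Part 1 and the appended-text trick of Part 2, this Python walks a JPEG's marker segments, labels Exif, XMP and comment segments, and returns whatever bytes sit after the End-Of-Image marker, which is where text appended to an image file survives. The sample file is constructed inline; it is a structurally valid skeleton rather than a decodable picture.

```python
from typing import Dict, List, Tuple

XMP_NS = b"http://ns.adobe.com/xap/1.0/\x00"


def walk_jpeg(data: bytes) -> Dict[str, object]:
    """List metadata-bearing segments and return the bytes after EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments: List[Tuple[int, str]] = []
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):        # SOS (scan data follows) or EOI
            break
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            label = "Exif"
        elif marker == 0xE1 and payload.startswith(XMP_NS):
            label = "XMP"
        elif marker == 0xFE:              # COM: free-text comment segment
            label = "COM:" + payload.decode("latin-1", "replace")
        else:
            label = "0x%02X" % marker
        segments.append((marker, label))
        pos += 2 + length
    # Inside entropy-coded data every 0xFF is either stuffed (FF 00) or a
    # restart marker (FF D0..D7), so the first FF D9 after SOS is the real EOI.
    eoi = data.find(b"\xff\xd9", pos)
    trailer = data[eoi + 2:] if eoi != -1 else b""
    return {"segments": segments, "trailer": trailer, "truncated": eoi == -1}


def build_sample() -> bytes:
    """Constructed JPEG skeleton with text appended after EOI, as in Part 2."""
    def seg(marker: int, payload: bytes) -> bytes:
        return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload
    exif = b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08"   # TIFF header only
    return (b"\xff\xd8"
            + seg(0xE1, exif)
            + seg(0xFE, b"Source: constructed sample")
            + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")          # SOS header
            + b"\x12\x34\xff\x00\x56"                         # fake scan data
            + b"\xff\xd9"
            + b"\nrecital\n")                                 # appended text


if __name__ == "__main__":
    result = walk_jpeg(build_sample())
    for marker, label in result["segments"]:
        print("segment 0x%02X: %s" % (marker, label))
    print("trailer:", result["trailer"])
```

On a real file, replace build_sample() with open(path, "rb").read(); an Exif or XMP label tells you which segment to feed to an EXIF viewer, and a non-empty trailer is the first place to look for appended clues.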

Part 3
The last page of the project contains a clock and an incomprehensible code.

What to do with it? Look closely at the code. We notice that the clock is clickable, and we get another hint.

We immediately find two pictures and obtain the final code: LQCRJGLNPG.

To obtain the final result, we run the code through the dCode cipher utility and, after substitution, get the final answer: wonderland.

This quest was completed long ago, but the sites are still active. Rumour has it that the quest was created as PR for the BlackHatWorld forum.

Suspicious FTP and steganography
One day, while exploring the nooks and crannies of Onion, I came across an FTP server hosting a .wav file. As a quest lover, I was intrigued, and I began to look for hidden information.

The screenshot above shows that strange characters are hidden in the file: USI. To be honest, I still don't know what they mean, although I ran across them several more times.

For example, on December 1, another similar FTP server was found in Tor, which also contained three pictures.

The files themselves are outwardly unusual: in all three pictures you can see the number 1999 in the background, and in one of them the familiar USI symbols are clearly visible.

I was curious, since this was the first time I had encountered such a thing. So I went through every possible approach to a solution. But the more utilities I used, the clearer it became that this would lead nowhere. None of the obvious and simple solutions helped.

Here we move smoothly on to utilities for finding hidden data in images. For example, there is Stegsolve: it is simple and easy to use, so it is suitable for initial analysis. The same utility helps you find differing pixels in two images. Alas, in our case it showed nothing conclusive.

I also used Steghide. It helps both to hide any text inside an image and to find out whether there is anything interesting inside graphic files. To extract, you need a passphrase, and there are not many options. We have the strings 1999 and USI; it remains to try different combinations of them.

Hooray! The option 1999USI came up, and we extract a text file from each picture. Each is encrypted with a different algorithm.

I will not dwell on how I determined the ciphers; I will only say that the text on the left is encoded using AER-256. In the centre, as is easy to guess from the word Polybius, which appears twice, is the Polybius cipher (aka the Polybius square). And on the right is Base36.

Knowing the algorithms, it is not difficult to decipher the text. For AER-256 we use a resource with a huge selection of algorithms. The Polybius square is one of the most ancient coding systems; it is a simple substitution, and there were no difficulties here: it is enough to search for Polybius-square decrypt. Base36 is decoded using the familiar dCode resource.

We can now piece together the three scraps of the .onion site address. We go there and find ourselves on a page with another picture and strange text.

Steganography seems to be powerless against the third image. On Reddit, by the way, there is a discussion where images with the USI symbols were posted alongside twenty others, which, in my opinion, are irrelevant. All of them were found by searching the list of hidden services on Daniel's Hosting, a free darknet hosting service. Accordingly, we have no information about their connection, let alone their order.

I was forced to upload the archives to another hosting service so that there would be at least some access to them after the hosting closed. Unfortunately, due to the instability of hosting services in Tor, resources are not always available.

It seems that this is where it all ends, without revealing the sacred meaning of 1999USI. But on the same day, I accidentally came across another FTP server with six audio recordings.

The spectrograms of all the WAV files show some very interesting things.

I will not give all the images.

So the number 1999 has surfaced again! But what happened on July 4, 1999? What does this mean anyway? Unfortunately, I have no opinion on this matter. For example, on the website of the Ministry of Foreign Affairs of India there is an entertaining text that mentions this date.

Unfortunately, the quest was not completed and was most likely lost along with Daniel's Hosting. Apart from the post on Reddit, it is not mentioned anywhere on the clearnet.

And this is also significant: not all the riddles that you find on the Internet can be solved.

Counterfeits for "Cicada"
You've probably heard about Cicada 3301, the famous and large-scale hacker quest whose organizers have remained unknown (if you haven't heard of it, see the sidebar below). The popularity and mysteriousness of Cicada made it an attractive target for imitation.

Cicada 3301
White letters on a black background read: "We are looking for very smart people. To find them, we developed a test. There is a message hidden in this picture. Find it and it will show you the way that leads to us. We will be happy to meet the few who make it to the end. Good luck!" At the end there is a signature: 3301.

The original of this post appeared in January 2012 on the anonymous forum 4chan and managed to attract a lot of attention. As the unknown authors intended, those very smart people immediately set off on the trail. Some of them reached their goal and, presumably, joined a group called Cicada 3301. But what kind of group it is and what it does remains a mystery. All we know are the stories of those who lost their way and did not complete the task to the end.

You can find the details of this story in the article "The Mystery of the Cicada", published in the 184th issue of "The Hacker" in May 2014. Since then, "Cicada" has not shown itself... at least not so noticeably.

On March 21, an unknown user sent several messages written in Morse code, plus an image with QR codes, to the secinfosec Telegram chat.

Soon the messages were deleted, but that did not prevent studying them (thanks to the habit of forwarding things to Saved Messages). At its core, the Morse code here is the decoded content of the QR codes from the attached image, which can be confirmed by scanning them with any scanner. Let's decipher the Morse code with the help of a plain text translator and get a garbled line.

Code:
APKWJJWTZQJYJMYYUX: //AFUU.HTR.000BJGMTXY

The colon and slash characters make it clear that this is a link. Therefore, the string must be decoded once more, this time as a Caesar cipher. At the output, we get another line.

Code:
VKFREEROULETEHTTPS: //VAPP.COM.000WEBHOST
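To show how the Caesar step above is actually carried out, here is an added example (my code, not the article's or the Telegram poster's) that tries all 25 shifts on the Morse-decoded string and ranks them by how link-like the result looks, which is exactly the reasoning the colon and slashes suggested; the URL_HINTS tokens are my assumed heuristic.

```python
# Morse-decoded string from the Telegram messages quoted above
MORSE_DECODED = "APKWJJWTZQJYJMYYUX: //AFUU.HTR.000BJGMTXY"

# Tokens that make a candidate look like a link (assumed heuristic)
URL_HINTS = ("HTTP", "WWW", ".COM", ".ORG", ".NET", ".ONION")


def caesar_shift(text: str, shift: int) -> str:
    """Rotate A-Z by `shift`; digits, punctuation and spaces pass through."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def url_score(candidate: str) -> int:
    """Count URL-like tokens; higher means more plausibly a link."""
    return sum(candidate.count(tok) for tok in URL_HINTS)


def rank_shifts(text: str) -> list:
    """All 25 non-identity shifts as (shift, plaintext, score), best first;
    ties go to the smaller shift so the order is deterministic."""
    cands = [(url_score(caesar_shift(text, s)), -s, caesar_shift(text, s))
             for s in range(1, 26)]
    cands.sort(reverse=True)
    return [(-neg, plain, score) for score, neg, plain in cands]


def best_shift(text: str):
    """Return (shift, plaintext) for the most link-like candidate."""
    shift, plain, _ = rank_shifts(text)[0]
    return shift, plain


if __name__ == "__main__":
    for shift, plain, score in rank_shifts(MORSE_DECODED)[:3]:
        print("shift %2d  score %d  %s" % (shift, score, plain))
```

Shift 21 (equivalently, 5 back) is the only one that yields both HTTP and .COM, which reproduces the second line quoted above.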

Perhaps something more could be done with it, but why? Advertising hidden behind two ciphers is of no interest to a researcher, and it is ugly to exploit someone else's curiosity for personal gain. Although it is possible that this is someone's joke, born of idleness. This example shows how deeply the ARG theme has taken root. Do not get caught by the next "cicada"!

Conclusions
So we have become acquainted with a few puzzle quests and with techniques that help solve them. Cicada 3301 started this interesting fashion, and unsolved puzzles can still be found today. By the way, creating your own quests is no less exciting than completing them!

Both the creator and the player ultimately hone their skills in cryptography, steganography and other, sometimes quite unexpected, areas. And that is not to mention that few things can compare with such games in terms of fascination. For me personally, seeing the biohazard icon on the spectrogram of a random sound file was absolutely priceless.

As for useful utilities, knowing them undoubtedly helps with the solution, but sometimes they are completely useless. For a while I scanned almost every resource on the darknet for hidden directories. When solving ARGs or ARG-style quests, erudition and unconventional thinking are far more valuable.