Website Restoration Project: This archiving project is a collaboration between Unfiction and Sean Stacey (SpaceBass), Brian Enigma (BrianEnigma), and Laura E. Hall (lehall) with the Center for Immersive Arts.

This is a static snapshot of the Unfiction forums, as of July 23, 2017. This site is intended as an archive to chronicle the history of Alternate Reality Games.
 
USH login
apotheus
Guest



I continue to read that a brute force of the USH login page is not possible, but I have written a program that will find all the possible passwords which match the given algorithm. I have also included some hefty optimizations specific to this algorithm, and the entire address space should take no longer than a couple days to run through. I've also written another small program to check each URL the first program spits out. There will be few enough passwords which pass the test that it is definitely possible to brute force check each of those pages. I have the programs currently running, but have not yet come up with any results.

I'll post here again when I know more. 8)

Posted: Sun Oct 05, 2003 12:17 am
geno5554
Guest


what about

u: islp4142

and

p: f9dds33

Posted: Sun Oct 05, 2003 12:25 am
Nyght_Shyft
Decorated


Joined: 05 May 2003
Posts: 243
Location: everywhere and nowhere

Brute forcing is a no-go.

And I'm sure they'll block you for trying.

Try legit means and leave brute-forcing behind. It's just not something you do in an ARG.. and I'm pretty sure it's not that legal anyhow.
_________________
Nyght_Shyft - Happy Hunting
"Victory? Defeat? Irrelevant. What's important is the battle, and nothing else."


Posted: Sun Oct 05, 2003 12:45 am
Chinghis
Veteran


Joined: 02 Oct 2003
Posts: 135
Location: Somewhere around Barstow on the edge of the desert

Well, that's.... interesting, Geno554. When I tried that combination of UserID and Password, I get this response:

"User: islp4142


Your IP is not authenticated.

***Access denied***

Please contact customer service."

How/where did you get password and ID?
_________________
It's the smell....

Posted: Sun Oct 05, 2003 2:18 am
apotheus
Guest


The programs ran faster than I expected. I woke up this morning to find them both completed. The only non-404 reply is the known f9dds33.htm. This is only using numbers and letters however.

I think I will skip traversing the entire address space with all alphanumeric characters.

Nyght-Shyft: Seeing as how this is related to the matrix, and the fundamentals behind the entire storyline is people hacking a system, I see this as perfectly legit especially since they put their verification algorithm in plain sight (html source). They have another client-side password check on metacortechs.com, but that is in a compiled flash movie and the algorithm is not immediately accessible. I won't go and attempt to decompile the movie and find the algorithm used there (even though I have seen no clauses regarding reverse engineering on any of the websites) because I highly doubt they expected anyone to reverse-engineer compiled pseudocode.

Anyways, nothing came of my attempt after all. I did, however, send an email faked from Beth to USH two days ago asking for login/password info for little-boxes.net hoping they might reply and it would show up in her metadex. It doesn't look like that panned out either. Any actual hosting company would've replied to the email with at least something requesting her to call or a standard tech support reply or something.

Here I was hoping people's actions might be able to drive the story a bit, but it looks like they have their own scripted story they're sticking to. Eh well.

Posted: Sun Oct 05, 2003 9:21 am
AnthraX101
Entrenched

Joined: 18 Mar 2003
Posts: 797

Brute forcing is a no-no because it sucks up server bandwidth and uses server resources. In this respect, it would actually be better to just decompile the movies. I seriously doubt that they intended anyone to hack their servers. There has yet to be anything pointing to that possibility except for the USH login and them using a quite old version of sendmail (which could still be secure via patches). I doubt that they are welcoming any direct attacks.

Heck, banning people who portscan them for 72 hours is sending a pretty big message, IMHO.

AnthraX101

Posted: Sun Oct 05, 2003 10:58 am
apotheus
Guest


Actually the "brute force" part where I checked URLs only took about 10 minutes, and I wrote the program single-threaded so it only did one request at a time. It caused no detrimental effects whatsoever.

Posted: Sun Oct 05, 2003 12:02 pm
burnin
Boot

Joined: 04 Oct 2003
Posts: 20

Don't bother checking all the other combinations. The underscore is also a valid char but all the valid combinations with it also return 404.

I almost thought I had got it when I realized that the backslash ASCII code was also a factor of the password number, but, for it to be in a directory, it was supposed to have a forward slash.

There are very few possible passwords (around 10k), but the only one active right now is the "brute force attempt detected" page. I'm sure that they were expecting brute force if they left the password algorithm inside the html source.

Posted: Sun Oct 05, 2003 12:49 pm
gar
Guest


read the news at metacortechs.com. it looks like they don't like brute forcing.

Posted: Sun Oct 05, 2003 2:05 pm
BrianEnigma
Entrenched


Joined: 05 Oct 2003
Posts: 1199
Location: Pacific Northwest

Maybe the point was to convey information rather than give access to a specific page. I wonder if that username/password becomes interesting later? We have tried a lot of password combinations (mine are here: http://netninja.com/files/underscorehack/results.txt) and have pretty much exhausted our options on the password hash and associated web pages. Has anyone thought to reverse-engineer the username hash? islp4142 has got to be only one of the possible reverses of 967612988160000. Maybe there is a more interesting one?

If anyone is interested: My research and C (gcc) program are available up one directory from the link above, at http://netninja.com/files/underscorehack/

Posted: Sun Oct 05, 2003 3:03 pm
guest
Guest


They appear to be closely sticking to a timed script with this game so doesn't it follow that if there _is_ to be an account on underscore that we're supposed to find, that it won't be active until it's supposed to be active?

Posted: Sun Oct 05, 2003 6:28 pm
Guest
Guest


http://www.accessdata.com/dictionaries.htm

Posted: Sun Oct 05, 2003 9:52 pm
Guest
Guest


password is most likely 7 letters long
if abcdefghjiklmnopqrstuvwxyz0123456789._ are the only characters used...
. has the lowest value ..of 48
z has the highest value of 122
17390546100000 is the password

20047612231936 is 48^8 (lowest code for 8 letter password..it is too large, so can't be 8 letters long)
3297303959104 is 122^6 (highest code for 6 letter password..it is too small, so can't be 6 letters long)

Now, if other characters are used, -'s, ...hrm, nope...45^7 * 46 (7's, and 1 .) doesnt match, and 45^7 * 48 is too large...

so password must be 7 letters :)

Posted: Mon Oct 06, 2003 6:52 pm
AnthraX101
Entrenched

Joined: 18 Mar 2003
Posts: 797

/me trouts the guest.

Why can't people even read the page they are posting to?

AnthraX101

Posted: Mon Oct 06, 2003 7:08 pm
bolek
Guest


Let's analyze:

17390546100000 = 23 * 19 * 17^3 * 5^5 * 3^4 * 2^5

If we assume that each symbol of the password is in the range 33--127, these are the possibilities (uppercase letters eliminated): ASCII = {36, 40, 45, 46, 48, 50, 51, 54, 57, 60, 95, 100, 102, 108, 114, 115, 120, 125}, the characters are:
$ ( - . 0 2 3 6 9 & _ d f l r s x

We have one more limitation: the sequence must form valid filename part of the URL; this eliminates some characters. Moreover, the product of ASCII values is given, and from now on it's just an easy exercise for Logic programming class to make a list of all possible variations (not exactly combinations, the ordering matters too ;) ).

There are some 10000 possible passwords, they consist only of letters, numbers and optional underscore.

Posted: Mon Oct 06, 2003 7:10 pm
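
The factorization argument from the posts above, as an added example that is not part of the original thread or any poster's program: it checks that the product of ASCII codes reproduces the two numbers quoted in the thread, then counts (without listing) how many strings collide with the password number. The alphabet of lowercase letters, digits and underscore and all function names are assumptions made for this illustration.

```python
from functools import lru_cache
import string

# Numbers and strings quoted in the thread; the alphabet is an assumption.
PASSWORD_TARGET = 17390546100000
USERNAME_TARGET = 967612988160000
ALPHABET = string.ascii_lowercase + string.digits + "_"


def product_hash(text):
    """Multiply the ASCII codes of all characters, as the posts describe."""
    result = 1
    for ch in text:
        result *= ord(ch)
    return result


def usable_chars(target, alphabet=ALPHABET):
    """A character can only occur if its ASCII code divides the target."""
    return sorted(ch for ch in alphabet if target % ord(ch) == 0)


def count_preimages(target, alphabet=ALPHABET):
    """Return {length: number of strings hashing to target}, without listing them."""
    codes = [ord(ch) for ch in usable_chars(target, alphabet)]

    @lru_cache(maxsize=None)
    def ways(remaining, length):
        # Ordered strings: pick the first character, recurse on the quotient.
        if length == 0:
            return 1 if remaining == 1 else 0
        return sum(ways(remaining // c, length - 1)
                   for c in codes if remaining % c == 0)

    counts, length = {}, 1
    # A string of n characters hashes to at least min(codes) ** n.
    while codes and min(codes) ** length <= target:
        found = ways(target, length)
        if found:
            counts[length] = found
        length += 1
    return counts


if __name__ == "__main__":
    print(product_hash("f9dds33") == PASSWORD_TARGET)
    print(usable_chars(PASSWORD_TARGET))
    print(count_preimages(PASSWORD_TARGET))
```

Under the assumed alphabet every colliding string has length 7 and the count comes out in the thousands, in line with the "around 10k" figure given in the thread: a check of this kind published in page source protects nothing beyond the obscurity of the target filename.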