Website Restoration Project
This archiving project is a collaboration between Unfiction and Sean Stacey (SpaceBass), Brian Enigma (BrianEnigma), and Laura E. Hall (lehall) with the Center for Immersive Arts.
Announcements
This is a static snapshot of the Unfiction forums, as of July 23, 2017.
This site is intended as an archive to chronicle the history of Alternate Reality Games.
 
[UPDATE] The Ooze Zone- 4th July 2006
ryandrew
Unfettered


Joined: 21 Jan 2005
Posts: 575
Location: Manchester

[UPDATE] The Ooze Zone- 4th July 2006

Quote:
Rage Against The Machine
How are you getting on with jimmying that backdoor? I had a go at it myself, after my session at the Fox at the weekend, and didn't manage to get very far. It's a finicky old system all right.

Through a bit of trial and error, I started to spot a few patterns in how it all might work. Maybe you've figured it out already, but take a look at this box:

MOUNT - - - -
- SWITCH CACHE - -
- ROTATE ZONE - -
- - - - -
- - RUN - -

The order this runs in is MOUNT->SWITCH->ZONE->ROTATE->CACHE. Looks like each command moves in a certain direction to the next command and if you're lucky, you can get files out of it.

I'm pretty sure RUN can be placed anywhere. If you can't figure out where to place your next command, try putting RUN near your last command and see what kind of error message you get. It's a process of elimination.

With such a fragile looking system, I couldn't resist the urge to try and break it. I think my inner Luddite takes great pleasure in crashing software. So I tried setting a few challenges, like this:

MOUNT - - - -
- FLUSH PREAD - -
- ROTATE - - -
- - - - -
- - RUN - -

This runs as MOUNT->FLUSH->ROTATE->PREAD->FLUSH->ROTATE->PREAD->FLUSH... ad infinitum. The command interface flips out and spews bizarre, random files. There must be more stuff to be snagged by pushing the system till it snaps.

The other great thing about breaking the system is that the error messages can be very helpful. So far, I've seen:

Access Error: Unable to access file
Runtime Error: No area has been accessed
Access Error: Unable to get read handle
Runtime Error: Timeout in folder
Access Error: Unable to reset read permissions
Access Error: File handle not available
Error: All login sessions ended. File server inactive.

...and probably some others which I forgot to note down.

The weirdest file I've come across has been this. I can't remember the exact commands I used (yeah, I know) - I was just trying to break the system again and see if there were any holes. The file doesn't mean a lot, but here it is:

#echo stream nowait root internal
#echo dgram wait root internal

So you can add that to the pool of collected knowledge. Assuming you have any. Hardly anyone's sent me anything, but I'm guessing you guys have been making some progress. Make sure you send me any material you dig up, and keep at it.

_________________
Kurt: Don't call me sugar if you want to keep on talking in this room
Caine: I need very urgently to be far more drunk than this.
Anna: Noo! Violet, please don't hit me with that lead pipe! Arrghhhh.........


Posted: Tue Jul 04, 2006 8:44 pm
e_nygma
Decorated

Joined: 17 May 2006
Posts: 247
Location: Maryland, US

Re: [UPDATE] The Ooze Zone- 4th July 2006

Quote:
MOUNT - - - -
- SWITCH CACHE - -
- ROTATE ZONE - -
- - - - -
- - RUN - -


Is the Cognivia file.

Quote:
MOUNT - - - -
- FLUSH PREAD - -
- ROTATE - - -
- - - - -
- - RUN - -


Using Firefox, this did nothing, but sit there and blink about how it was executing. Someone else mentioned that it did nothing for them either.

Quote:
The weirdest file I've come across has been this. I can't remember the exact commands I used (yeah, I know) - I was just trying to break the system again and see if there were any holes. The file doesn't mean a lot, but here it is:

#echo stream nowait root internal
#echo dgram wait root internal


Now, if Caine were using a Linux/Unix server, I would say this is from an inetd.conf file. For the non-admin types, inetd (Internet super server) is a daemon (resident) process that listens for network requests on certain ports and then does *something* in response to those requests. That *something* is defined by the inetd.conf file. Common inetd services include telnet, ftp, daytime and others, but inetd can be configured to run any service you want.

In this case, these two lines are commented out (you can tell by the leading octothorpe character (aka 'hash' sign or 'pound' sign)). These two lines would be for the "echo" service if they were active. As the name implies, the "echo" service takes whatever you send it and returns it back to you. In and of itself, not very useful, but keep reading.

Here's the full breakdown of the lines:

echo: name of service as listed in the /etc/services file; that file lists what port and what protocol to use ... unless they changed it from the default, the relevant entries in /etc/services would be:
Code:
echo   7/tcp
echo   7/udp

This means that any requests to port 7 would be handled by the echo service, if it were active in inetd.

stream/dgram: type of service (generally speaking, stream = TCP, dgram = UDP) ... the difference between these two is a long and lengthy discourse that I won't bore you with; let's just leave it to say that while both provide the same service, they differ in how they do it

nowait/wait: whether the inetd server should process any requests received concurrently (nowait) or sequentially (wait); TCP is generally nowait, and UDP is wait ... again, I won't bore you with why

root: what account runs the process; in this case, "root" handles it (in terms of Linux/Unix, root is basically god)

internal: this service is part of the inetd daemon itself (i.e. it does not need to activate some other program to handle this request)

Okay, three questions pop up.

1. Why is the Perplex City Crypto Department using inetd? This is Earth technology. While I can buy they've gotten their hands on a lot of things, are you telling me they've gotten a Linux/Unix kernel??

2. Why is the Perplex City Crypto Department using inetd (not the same question as #1)? Ignoring how they got a hold of the system for a moment, why are they using something that is considered one of the most security-flawed daemons out there? Shouldn't the PXC Crypto types know about situations like this if they have managed to acquire inetd along with a kernel?

3. Can we find out where this file is and perhaps change its settings so we can further abuse their computer? Hey, if they're going to hand this to us, let's play with it.

Quote:
So you can add that to the pool of collected knowledge. Assuming you have any. Hardly anyone's sent me anything, but I'm guessing you guys have been making some progress. Make sure you send me any material you dig up, and keep at it.


Aww, isn't that cute? Caine feels out of the loop. I guess the question then becomes, do we want to tell him what we've found? If we do want to tell him, I would say that one of the people who deciphered how the system worked should do it. Of course, this is the point where we have to decide whether he's a "trusted" guy or if he's still on the outside looking in.

Posted: Tue Jul 04, 2006 10:05 pm
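
An added example, not part of the original posts: a small parser that reads inetd.conf entries field by field, following the breakdown in the post above, and reports which services are enabled, on which port, and as which user. It goes a little beyond the thread by accepting both the five-field lines quoted there and the standard layout, which has a protocol column after the socket type; the sample file and the telnet server path are constructed.

```python
# Ports from the /etc/services excerpt in the post, plus telnet (23/tcp).
SERVICES = {("echo", "tcp"): 7, ("echo", "udp"): 7, ("telnet", "tcp"): 23}
DEFAULT_PROTO = {"stream": "tcp", "dgram": "udp"}

# Constructed sample: the two lines from the thread plus made-up neighbours.
SAMPLE = """\
# Internal services, disabled by default
#echo stream nowait root internal
#echo dgram wait root internal
echo stream tcp nowait root internal
telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
"""

def is_wait_flag(field):
    # Some inetd versions allow a suffix such as "nowait.400".
    return field.split(".")[0] in ("wait", "nowait")

def parse_entry(line):
    """Parse one inetd.conf line; return None for blanks and prose comments."""
    text = line.strip()
    enabled = not text.startswith("#")
    fields = text.lstrip("#").split()
    if len(fields) < 5 or fields[1] not in DEFAULT_PROTO:
        return None
    service, socktype, rest = fields[0], fields[1], fields[2:]
    if is_wait_flag(rest[0]):
        proto = DEFAULT_PROTO[socktype]   # five-field form quoted in the thread
    else:
        proto, rest = rest[0], rest[1:]   # standard form names the protocol
    if len(rest) < 3 or not is_wait_flag(rest[0]):
        return None
    return {
        "service": service, "proto": proto, "enabled": enabled,
        "port": SERVICES.get((service, proto.rstrip("46"))),
        "wait": rest[0], "user": rest[1],
        "internal": rest[2] == "internal", "server": rest[2],
    }

def audit(conf_text):
    """Return (service/proto, port, status, notes) for every service entry."""
    rows = []
    for line in conf_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        notes = []
        if entry["enabled"] and entry["user"] == "root":
            notes.append("runs as root")
        if entry["enabled"] and not entry["internal"]:
            notes.append("spawns " + entry["server"])
        status = "enabled" if entry["enabled"] else "disabled"
        rows.append((f'{entry["service"]}/{entry["proto"]}', entry["port"], status, notes))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```
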
xnera
Veteran


Joined: 03 Jun 2006
Posts: 79

Re: [UPDATE] The Ooze Zone- 4th July 2006

e_nygma wrote:
Quote:
MOUNT - - - -
- SWITCH CACHE - -
- ROTATE ZONE - -
- - - - -
- - RUN - -


Is the Cognivia file.

Quote:
MOUNT - - - -
- FLUSH PREAD - -
- ROTATE - - -
- - - - -
- - RUN - -


Using Firefox, this did nothing, but sit there and blink about how it was executing. Someone else mentioned that it did nothing for them either.



Just tried this, and it ran for me. Got the funky screen, and then the "You really said that?" log.
_________________
Watching A World Without Oil and Perplex City
PXC Trades | You, too, can edit the PXC Wiki!


Posted: Tue Jul 04, 2006 10:14 pm
Sh1ft
Veteran


Joined: 12 Nov 2003
Posts: 110
Location: Salt Lake City, Utah

Weird that he would post what appears to be a portion of an inetd.conf file. Many commercial UNIX vendors still use inetd; maybe they downloaded a copy of Solaris. It's no good to us, unless we possibly teach Caine the "finger" (hahahah, ah the good ol' days) command.

Posted: Tue Jul 04, 2006 10:30 pm
e_nygma
Decorated

Joined: 17 May 2006
Posts: 247
Location: Maryland, US

Sh1ft wrote:
Weird that he would post what appears to be a portion of an inetd.conf file. Many commercial UNIX vendors still use inetd; maybe they downloaded a copy of Solaris. It's no good to us, unless we possibly teach Caine the "finger" (hahahah, ah the good ol' days) command.


Or see if he can find "ed"?

[TIAG]Okay, Mind Candy, please please PLEASE do not make us solve a puzzle using ed. Please?! Thank you[TINAG]

Posted: Tue Jul 04, 2006 11:40 pm
mj
Boot


Joined: 17 Oct 2005
Posts: 54
Location: Southampton, UK

After seeing the inetd.conf portion and the mention of 'backdoor' - I decided to take a bit of a tangent. It seemed a little OOG, but then a segment of a UNIX config file on a PXC machine seemed weird enough ;)

Here's the nmap output for perplexcityacademy.com:

Quote:

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
412/tcp filtered synoptics-trap
445/tcp filtered microsoft-ds
674/tcp open acap
993/tcp filtered imaps
995/tcp filtered pop3s
1720/tcp open H.323/Q.931
4444/tcp filtered krb524
6699/tcp filtered napster
7597/tcp filtered qaz
12345/tcp filtered NetBus
31337/tcp filtered Elite


All fairly normal - until you get to those last 3. This machine appears to have 3 different trojans running on it - but on filtered ports. 'filtered' implies that a firewall, or some other network gadget, is blocking it - but I'm sure someone on PXC-side can find a way through there :)

Have emailed Curt with my findings - perhaps this is the back door we need?

Edit: Oops - looks like SteveC posted my findings in the other thread - will keep this here anyway, as that one is more about the file system cracking :)

Posted: Wed Jul 05, 2006 4:26 am
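
An added example, not part of the original posts: a reader for the scan table quoted above that groups ports by what each state establishes. It relies on two facts about nmap: without version detection the SERVICE column is looked up from the port number, and `filtered` means the probes got no usable answer, so nmap cannot tell whether anything is listening. The rows are a subset copied from the post.

```python
import re

# Rows copied from the scan table quoted in the post above (a subset).
SCAN = """\
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
135/tcp filtered msrpc
1720/tcp open H.323/Q.931
7597/tcp filtered qaz
12345/tcp filtered NetBus
31337/tcp filtered Elite
"""

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")

# What each port state supports as a conclusion about the scanned host.
EVIDENCE = {
    "open": "a listener accepted the probe",
    "closed": "the host replied and nothing is listening",
    "filtered": "no usable reply, so a listener is neither shown nor ruled out",
}

def parse_scan(text):
    """Turn 'port/proto state name' rows into dicts; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:  # the header row and blank lines do not match
            port, proto, state, name = match.groups()
            rows.append({"port": int(port), "proto": proto,
                         "state": state, "name": name})
    return rows

def triage(rows):
    """Group ports by what the scan actually established."""
    report = {"listening": [], "not_listening": [], "undetermined": []}
    buckets = {"open": "listening", "closed": "not_listening"}
    for row in rows:
        key = buckets.get(row["state"], "undetermined")
        report[key].append((row["port"], row["name"]))
    return report

def explain(rows):
    """One line per port: the name is a port-number lookup, the state is evidence."""
    return [f'{r["port"]}/{r["proto"]} ({r["name"]} by port number): '
            f'{EVIDENCE.get(r["state"], "state not covered here")}'
            for r in rows]

if __name__ == "__main__":
    print(triage(parse_scan(SCAN)))
    print("\n".join(explain(parse_scan(SCAN))))
```
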
jonc
Veteran

Joined: 04 Jul 2006
Posts: 144

Maybe someone needs to get a program that can connect to infected machines and see if they can connect to the server and tell us what they can see if they can. I imagine that if it's part of the story, then you'll be able to see stuff. If you can see the whole computer/network, maybe the machine is actually infected :o

jonc

Posted: Thu Jul 06, 2006 6:29 am
mj
Boot


Joined: 17 Oct 2005
Posts: 54
Location: Southampton, UK

I very much doubt they'll be able to - the ports are filtered, which usually means that they've been firewalled (or something else is blocking access). It may be that it's an easter egg of sorts, or possibly that someone in PXC will be able to take advantage of the weak points, but we shouldn't be poking at machines unless explicitly told.

nmap is a relatively passive tool imo, which is good for informational purposes, but I think it's up to Caine and Kurt to decide whether they can make use of the information, not us.

Posted: Thu Jul 06, 2006 7:19 am
oliverkeers13
Entrenched


Joined: 23 May 2005
Posts: 917
Location: London, UK

Don't even think of nmapping, it's a hacking tool. It's as bad as brute forcing.
DON'T DO IT!
_________________
"You're talking last ditch, I need top drawer" V
"To be in opposition is not to be a nihilist" CH
"im iver an idiot or a genus" Dekuprince
Perplex City Video


Posted: Thu Jul 06, 2006 8:03 am
e_nygma
Decorated

Joined: 17 May 2006
Posts: 247
Location: Maryland, US

oliverkeers13 wrote:
Don't even think of nmapping, it's a hacking tool. It's as bad as brute forcing.
DON'T DO IT!


Mmmm, FUD.

No, nmap is *NOT* a hacking tool. It is a tool that is used by hackers, and designed by hackers, but in and of itself, it is not a hacking tool. All nmap does is allow the user to view what a system (or set of systems) is running, ports open, and how it responds to specially designed packets. That's it. Now, a hacker can use that information to plot a further attack. However, an admin can use it to identify any rogue computers or pieces of software on their network to ENHANCE security.

To be fair, it does have some modes associated with it that a "white hat" would not need (stealth packets and the like). That being said, the only way nmap can be used aggressively BY ITSELF is to ping flood a system, and most competent sysadmins can handle that pretty easily.

How an analysis tool qualifies as a brute force tool, I do not know. I suppose if you consider a character frequency counter a brute force tool, then nmap would be as well. Of course, the frequency counter tells you what characters are there, not what the message says.

If nmap is a pure hacking tool, why do Red Hat Enterprise Linux 3 and 4 come with it as a package that can be installed? Remember, RHEL is a *business* product, not a community development product (Fedora Core).

Posted: Thu Jul 06, 2006 7:59 pm
OK13NLI
Guest


It's the same as decompiling flash. It's unnecessary, intrusive analysis that isn't fun.

Posted: Fri Jul 07, 2006 4:20 am
e_nygma
Decorated

Joined: 17 May 2006
Posts: 247
Location: Maryland, US

OK13NLI wrote:
It's the same as decompiling flash. It's unnecessary, intrusive analysis that isn't fun.


Was it unnecessary? Probably. Was it intrusive? Depends on what options were used (a simple port scan probably wouldn't qualify as intrusive unless you went for an aggressive timing setting). Fun? Depends on user ... after the first couple uses of nmap, it loses a bit of its wow factor, but still is useful.

But the same as decompiling a flash puzzle? Come on now. Tell me what secret of this puzzle did we learn by determining what ports responded to nmap? What images or passwords did we learn? How did we do an end-around this puzzle in front of us? The use of nmap told us nothing about the puzzle, but only got us potential SPEC of what we will do AFTER this puzzle. If you want to argue that it is pointless, by all means do so. However, to say it is ruining the game or hacking the website is ludicrous.

Posted: Fri Jul 07, 2006 4:59 am
SteveC
Unfettered


Joined: 05 May 2005
Posts: 381

OK13NLI wrote:
It's the same as decompiling flash. It's unnecessary, intrusive analysis that isn't fun.


Ollie,

come back to us when you know what you're talking about. As a network admin I've used nmap endlessly to ensure security of networks.

The publishing of the fact that we're dealing with a unix box that runs public services makes this a very grey area, I'm personally not interested in your wild spec that it's somehow against a rule to develop that idea.
_________________
...and no, I didn't reverse engineer or bruteforce anything to form this opinion.

Posted: Fri Jul 07, 2006 7:08 am
oliverkeers13
Entrenched


Joined: 23 May 2005
Posts: 917
Location: London, UK

It's not acceptable. Essentially, what you are doing is forcibly taking information that Mind Candy do not want to give you. In this ARG, we haven't had to do anything that hasn't CLEARLY been a puzzle. I fail to see what you hoped to gain from doing this.
Steve, it's perfectly OK to do it on your own network, but to do it on someone else's is shifty.
If you don't like the flash decompiling analogy, think of it as doing a WHOIS, then a reverse DNS, to find new sites. Sure, it's possible to do it, and you'll probably find something, but it's not fun. Where's the magic? It is possible for the PM to spend time and money securing against these, but why should they have to?
Essentially, what you are doing is taking the fun out of the game. This is happening more and more, the Crypto pages were run through auto-decoders almost instantly, people decompiled flash, you nmapped, back a few months, someone found the receda school of music site by using similar methods. Let's say you had found another port, and found a new site as a result. Would you feel clever? Would you feel as satisfied as if you'd discovered it through the file system? No, of course you wouldn't. There's no point to cheating, you're ruining many people's enjoyment of it. It's like you buy a subscription to an MMO, and enter a cheat code that affects everyone. People will be pissed off.
Steve, you're taking quite a bit of the fun from this game at the moment, first, when you understood the file system, you wouldn't explain it clearly so everyone could understand, and then grumbled when Caine did; and now you break the curtain.
Play the game, don't just try and finish it.
_________________
"You're talking last ditch, I need top drawer" V
"To be in opposition is not to be a nihilist" CH
"im iver an idiot or a genus" Dekuprince
Perplex City Video


Posted: Fri Jul 07, 2006 7:33 am
Mico
Boot

Joined: 09 Jun 2006
Posts: 66
Location: Leighton Buzzard, Beds

If there wasn't an element of investigation involved, why would Caine have given us
Caine wrote:
The weirdest file I've come across has been this. I can't remember the exact commands I used (yeah, I know) - I was just trying to break the system again and see if there were any holes. The file doesn't mean a lot, but here it is:

#echo stream nowait root internal
#echo dgram wait root internal

.... Keep digging


We are being specifically told to break into the Crypto system, so I don't see how doing a port scan is ruining anyone's enjoyment of this. If it can give us more information and push us forward, maybe we are expected to do this. I agree that intrusively hacking into the system without permission is illegal and morally wrong, but maybe part of the puzzle is that they have left a hole for us to find and exploit? Can you at least admit this is a possibility?

M

Posted: Fri Jul 07, 2006 7:34 am