A couple of days ago we wrapped up one of the most emotionally charged events we have ever been lucky enough to host on a blog: an online hacking game whose goal was to destroy a server.
The results exceeded all our expectations: the participants did not just take part, they quickly organized themselves into a well-coordinated community of 620 people on Discord, which took the quest by storm in two days without a break for sleep.
How did it all start and what is it all about?
The game started on August 12, when we posted on the blog
It was an online quest: we launched a YouTube broadcast from a room filled with IoT devices and a bedside-table server (which had to be destroyed); we mounted an aquarium above the server and hung a weight over it. To make the game more action-packed, we put up a prize pool of 200,000 rubles, loaded it into a shredder and set the shredder to turn on every 60 minutes. Every hour the shredder ate 1000 rubles: the sooner the players stopped it, the more money they would win.
Building this quest was a quest in itself: we had to live on delivery food and sleep just a few hours a day right in that same room. But the most amazing part was watching the players' flights of imagination and their emotional reactions along the way.
Honestly, the players' ingenuity in solving the puzzles surpassed our modest idea many times over: in every free minute we read the Discord chat and in some cases literally cried with laughter at what the players were doing and how they joked along the way.
Seven people worked tirelessly on the project: a backend developer, a hardware specialist, a real film producer, a CG designer and two co-producers responsible for the concept.
In the following posts we will tell you exactly how the quest was implemented technically, but for now I will give you its solution: how exactly the room on the broadcast had to be hacked. Along the way, let's recall the chronology of events, as well as all the crazy Illuminati theories from the Discord chat, and so on.
What did the players have at the beginning of the game
All objects in the room were divided into three categories:
- Easy-to-control IoT devices that were not part of the game
- Game devices needed to complete the quest
- Set dressing
We placed 8 very easy-to-control elements: two lamps, one garland and the five letters spelling SOKOL, each of which could change color. All of these could be switched on and off directly from the site, with the result immediately visible on the broadcast; we deliberately made them available to all players regardless of technical skill.
Everything that could simply be switched on from the site
The important game elements needed to complete the quest, access to which was not so easy to get:
- A server with an open case and an aquarium above it
- A weight suspended so that, when dropped, it would smash the aquarium
- Megatron 3000, a powerful laser pointer aimed at the rope holding the weight
- A powerful fan that started when the server came under load
- A flipchart with the username and password for Megatron written on it
- A phone that you could call and see your call live on the broadcast
- A shredder that ate 1000-ruble bills every hour
How exactly was the quest solved?
I will say right away: the solution was quite simple.
The object of the game was to stop the shredder by short-circuiting the room. To do this, the aquarium had to be broken by dropping the weight into it, flooding the server with water. The weight was held by a cord that Megatron was pointed at, so by taking control of Megatron the rope could be cut. This took 5 simple steps:
Step 1. Put the server in the room under load
For example, by hammering it with requests using a command like:
ab -r -n 10000 -c 100 -s 280 -l https://ws.ooosokol.ru/captcha
The hint was very loaded
The captcha endpoint that had to be loaded
When the server came under load, its temperature rose, which could be tracked on the monitoring dashboard displayed right in front of the camera. Then the fan turned on and blew open a curtain covering the flipchart, revealing the login and password for Megatron's page written on the board.
The Megatron management page itself could be found by checking all the TLS certificates issued for the ooosokol.ru domain, which reveal its subdomains.
On a subdomain
The players got through all these stages almost immediately in the comments of the YouTube broadcast. The following tasks were harder, and the players created the RUVDS Hack Room Discord server and continued the discussion there.
Step 2. Supply primary power to Megatron
All smart devices controlled from the site (the same lamps that the players kept turning on and off non-stop) had their own identifiers.
To supply primary power to Megatron and at the same time illuminate it, a hidden device had to be found and turned on from the office management page.
To do this, one had to look at the device identifiers and notice that there were 4 devices in total, while only 3 were available on the site.
When the 4th device was turned on, the Megatron page became available and the laser itself was lit up. But it was still impossible to fire the laser, and on it
Hint about the management company
Step 3. Call the management company and ask them to turn Megatron's power back on
Megatron could not fire because the circuit breakers in the office had tripped. Only the management company could turn the power back on, so they had to be phoned, and the caller had to identify themselves as the owner of the LLC.
Finding the management company's number was easy: we put it right in the site footer.
But identification was much more difficult.
When calling the number +74991130688, a female operator picked up and asked in a bored voice for the company's TIN and the owner's full name. Without these she refused to turn on the power, explaining that she was an ordinary outsourced dispatch service with 2000 clients and offices, and that without this information it was simply impossible to find the right one.
For the players this turned out to be the hardest stage. They searched for the correct TIN and the owner's full name for almost two days, and during that time I (playing the dispatcher) received more than 400 calls. The phone rang every 2-3 minutes.
The guys dug as hard as they could. They used everything: they gutted the site's source code, googled the site's owner Sokolov and searched social networks.
They were looking for the TIN of different companies
Almost complete search scheme
At some point they even called with a spoofed caller ID, as if calling from the office of the Sokol company listed in the footer.
That is when we learned how many companies are called Sokol. The players called almost every one of them, but that was nothing compared to what the site went through.
Discord went after Lasermasters support first.
Then they managed to find someone's account there! By that point Lasermasters support had already stopped mincing its words.
Be careful, keep the kids away from the screen
In the end, they decided to simply DDoS Lasermasters and its site went down. They also managed to take down the Sokol site, although we quickly brought it back up.
During the investigation the guys from Discord even found the actor whose stock photo we had bought to play the main antagonist, the owner of the LLC, Andrey Sokolov. It turned out his name is Yuri and he is completely unaware of what mess he got into.
Andrey Sokolov, game character
Yuri, model
If only he knew he had kept 600 people from sleeping for two days...)
Then they started digging specifically into me, as the organizer of the quest (which could well have succeeded if the guys had thought of digging into my work channels).
I was even a little worried when they named my patronymic and even my TIN. But I was relieved when, through a game of telephone, I suddenly acquired an older brother who turned out to be the technical director of Habr.
My dear brother, who also suffered
Meanwhile, the guesses became wilder and wilder.
It came down to Illuminati theories.
The juiciest conspiracy theories involved SpongeBob, Harry Potter and the blinking Chinese LED garland that we had put inside the system unit.
Where did SpongeBob and Harry Potter come from, you ask? We put their addresses on Sokol's contact page, and this caused a lot of speculation in the Discord community, although we just wanted to pay tribute to our favorite childhood works.
The same link on the page "
And as a result
It turned out that SpongeBob really does have documents in the series. Their numbers were phoned in as the TIN.
One of the most elaborate theories was that the blinking of the Chinese garland had a Morse code message hidden in it.
The flicker was recorded and they tried to decode it
Among the simpler theories: the guys tried to work out whether a hint was hidden in the images.
Along the way, we were compared to
The players tried social engineering in full force. They called me posing as the FSB, firefighters, Sokolov himself, his ex-wife and a security guard supposedly sitting downstairs in our building. They claimed a fire had broken out, that someone was stuck in the elevator, and the most heartbreaking story was that the caller's dog was supposedly in the burning office.
There were also bribery attempts.
Gradually the chat developed its own memes.
Here are a couple
And the factories were idle
Help
There was less and less money in the shredder. So that the winner would get at least something, we decided to give a hint and, following the rules of game design, ramp up the tension right before the finale.
Separate
We decided to use the same mechanic and inserted a hint as a subliminal "25th frame", like
After that, the guys worked it out very quickly.
Step 4. Fire the laser in non-combat mode
Once the management company had restored power and the breakers were switched back on, Megatron turned on and could fire in test mode. The token for the test shot was already filled into the input form.
Every 25 seconds a new token was generated that could be used to turn on the laser for 10 seconds at 10/255 power.
Then the laser cooled down for 1 minute, during which it was unavailable and did not accept new shot requests.
This power was nowhere near enough to burn through the rope, but any player could fire Megatron and see the laser beam in action.
The community reaction was more than wild
But everyone quickly calmed down and realized that this was not the end of the game.
Then the community began to figure out how to enable combat mode
There are fakes on the discord
We didn't know that something was written on the table leg during the broadcast
The community reached step 4: understand how the tokens are generated, find the gist and generate a token that switches the laser into combat mode
Megatron's combat mode is 100% laser power, 3 watts. That is quite enough to burn through, in 2 minutes, the rope that held the weight, smash the aquarium and flood the server with water.
We've left some tips for
As everyone quickly guessed, it was 42
In the comments of the gist there was a correspondence between Andrey Sokolov and the developer ("the wise developer", as the guys from Discord called him).
In the correspondence Andrey sent one of the combat tokens, and the developer replied that this token had been initialized with a counter value of 42.
Knowing this, it was possible to brute-force the last 2 characters of the salt and discover that it was made of the numbers from Lost converted to hexadecimal.
Next, the players had to capture the current value of the counter (by analyzing the test token) and generate a combat token using the next counter value and the salt recovered in the previous step.
The counter simply incremented with each test shot and every 25 seconds. We did not write about this anywhere; it was meant to be a small in-game surprise. The guys figured it out very quickly and launched Megatron in combat mode.
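The token scheme above is a textbook case of a predictable counter combined with a partly guessable secret. The following Python is an added example, not the quest's real code (the post does not show its hash function or salt layout): it assumes a toy scheme where the token is MD5(salt + counter), recovers a two-character salt suffix from one known (counter, token) pair, forges the next token, and contrasts this with an HMAC issuer keyed by a full random secret, where the same knowledge no longer helps.

```python
import hashlib
import hmac
import itertools
import secrets
from typing import Optional, Tuple

HEX = "0123456789abcdef"

# Toy scheme assumed for illustration only (not the quest's real algorithm):
# token = MD5(salt + counter), where the player knows every character of the
# salt except the last two.
def make_token(salt: str, counter: int) -> str:
    return hashlib.md5(f"{salt}{counter}".encode()).hexdigest()

def recover_salt(salt_prefix: str, counter: int, token: str) -> Optional[str]:
    """Try all 256 two-character suffixes against one known (counter, token) pair."""
    for a, b in itertools.product(HEX, repeat=2):
        candidate = salt_prefix + a + b
        if make_token(candidate, counter) == token:
            return candidate
    return None

def forge_next(salt: str, observed_counter: int) -> str:
    """The counter is predictable, so the next valid token is just the hash
    over the next counter value; no weakness in MD5 itself is needed."""
    return make_token(salt, observed_counter + 1)

# Hardened variant: a 256-bit random key and HMAC-SHA256. Knowing the counter
# and one token no longer lets anyone compute the next one, because the key
# space cannot be enumerated the way two hex characters can.
class LaserTokenIssuer:
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)
        self.counter = 0

    def _mac(self) -> str:
        return hmac.new(self.key, str(self.counter).encode(), "sha256").hexdigest()

    def issue(self) -> str:
        self.counter += 1          # one token per shot / per 25-second tick
        return self._mac()

    def verify(self, presented: str) -> bool:
        # Constant-time comparison so timing does not leak matching prefixes.
        return hmac.compare_digest(self._mac(), presented)

# Constructed demo values: an arbitrary salt with two "unknown" trailing
# characters, and a counter starting at 42 as in the gist comment.
DEMO_SALT = "c0ffee1337" + "7b"
DEMO_PREFIX = DEMO_SALT[:-2]
DEMO_COUNTER = 42

def demo() -> Tuple[str, str]:
    leaked = make_token(DEMO_SALT, DEMO_COUNTER)   # the token from the gist
    found = recover_salt(DEMO_PREFIX, DEMO_COUNTER, leaked)
    assert found is not None
    return found, forge_next(found, DEMO_COUNTER)
```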
Step 5. Laser cut the rope
How it was
Everything is simple here. Sending a combat token switched the laser into combat mode, and the room changed and went into "disaster mode", as we called it in the overall scenario:
- All the lights in the room went off
- The buttons for the IoT devices on the site became unavailable
- A strobe light flashed and a siren sounded
- The weight was lit up in red
- A countdown to the laser starting in combat mode began on the TV screen
We gave the countdown an hour and a half so that everyone who had played could turn on the broadcast and see the finale. And not in vain: while I waited with bated breath in the next room for the sound of the blow and breaking glass, the entire team that had built the quest, without a word to each other, headed to the site to see the finale with their own eyes. They just ran into the room and started hugging.
Meanwhile on Discord
When the countdown ended, the laser switched on in combat mode and burned through the rope in two minutes; the weight flew straight into the aquarium. Just before the impact, a mad capybara yelled on the screen, raising its little paws in panic.
Since the whole team had gathered there, we filmed a short video message to everyone who had fought for the finale on Discord for two days, and went to open the champagne:
How did we time the launch of the promo video and the drop of the weight?
After a dozen tests of burning the rope with the laser, we realized that this is a very unreliable setup: a half-burnt rope becomes thinner, stretches under the weight, shifts position, and the laser can no longer cut through it to the end.
So we went another way and backed up the burn-through by wrapping the rope with nichrome wire. A current was passed through the wire, it glowed red-hot and burned through the rope in about 2 seconds, which gave us a precise understanding of when to turn on the screaming capybara, stop the start timer and start the commercial:
What didn't work for us?
In the finale, thick smoke was supposed to pour out of the system unit, as in a fire; we prepared smoke bombs and lit them the same way, but for some reason they did not go off (probably because of the water).
Who is the winner?
The winner was Arkady Alekseev from St. Petersburg: he was the first to generate a test token and won the money remaining in the shredder, 134 rubles.
A short interview with Arkady.
Tell us about yourself, what do you do at work?
I have a degree in security; I graduated from BIT at ITMO. I work as a full-stack outsourced web developer. At school I took part in olympiads, including programming and mathematics.
How did you find out about the game?
I went to Habr just to read, saw the article and got interested.
How many hours did you play when you joined?
I joined on the evening of the day the article was posted (i.e. a day before the end). I sat that evening and a large part of the next day.
What did you like, what didn't you like?
In general I liked everything (after all, I won)), but the part with the phone calls bothered me a little. Calling and checking each version was somehow not great, at least it was awkward; I understood that there were several dozen others calling, half of them joking and trying social engineering.
How did you figure out how to find the combat token for the megatron?
When I joined, they had already spammed the server, poked the light bulbs, found the password for the laser admin panel, and all sorts of subdomains and pages.
It was also easy to find a GitHub profile and a gist with comments. From there the process of generating a token and its secret is obvious. In quests like this you don't need to invent too much, IMHO, since you can drown in the number of possible directions; accordingly, you need to follow where the quest's creator pushes you.
Given the rest of the subdomains and the tilde test site, it was clear that after powering up the laser it would be necessary to pick a token. So that same evening I sketched out an approximate request to turn on the laser (based on 4 available forms: 1 on the working site and 3 on the test/old one) and tried cycling through working tokens starting from 42 (just on the off chance that everything was already enabled and the page for sending the token would simply open after the TIN and full name).
I'm not sure the request was correct, since there was no time to check (after all, it could only be checked once the laser was on), but I prepared for the token enumeration in advance.
There was also obvious logic with websockets and device management in the app.js file. There was a bold hint at the a9 device: when you sent power: true to it, the socket crashed. I tried sending everything to it (you never know, there could have been an additional device for solving the TIN), but without success.
Then I also tried the rest of the IDs next to those ten, but everywhere it was an unknown device. I also tried googling everything, poking around [email protected], sent stuff through the form on the price list page, poked around lasermasters, but no luck. The next day I was chatting, googling stuff, then the stego topic came up and I consulted the stegosolv person about the pictures and gifs (though in my mind I understood that there was 99% nothing there, as it would be too much and would contradict the main quest line).
But in the end I also sat for a couple of hours and dug through all the pictures and gifs. I called a couple of times with various TIN options, but no luck. Then I decided to forget it, but they posted a hint, and it became clear that the TIN would be found soon, which happened. Then either I or someone else (it's not obvious there) sent power: true to the a9 device and the laser worked, although there may be no connection and it just worked after the TIN. In general, I went into the laser's admin panel and was quite surprised, since the server itself sent the token (and I was already preparing to brute-force). It became obvious that the token was a test one: the broadcast, common sense, and I checked it.
The code had logic for sending a working token somewhere via a notification, but apparently either this was the wrong code or it was needed for other parts of the system. I drafted a script to get the current working token from the current test token and sat hitting F5, trying to send them; there were problems with this, since everyone constantly poked the send button, changing the token whenever possible. Then another site went down and the counter reset, but it didn't matter anymore: after a while I sent a working token. In theory the counter was 58 and the token was 449a776938f7ce4cf19f8603045dca0f at the time of activation, if I'm not mistaken. That's actually everything.
Then I got a little burned out by comments like "yes, it's all trivial, he just got lucky". Well, if you go to the page, think for a minute, write a script in a couple of minutes and check it, then yes, it's trivial. But I did it in 10-20 seconds and then simply couldn't send the token for several minutes.
Of course, you could try to write logic to pick up and send it automatically, but that takes longer and is a big risk, plus the cloud would probably start complaining. Where I was really lucky was the very last stage: a bit of algorithms for speed plus reaction speed, that's exactly my thing. If it had been a pure pentest task, I most likely wouldn't have been first.
But this is not the end
I can't wait to tell you about the amazing team that built this escape room and all the engineering solutions they found. But this post has already turned out huge, so there will be separate articles about that; stay tuned and subscribe to our blog on Habr.
Source: habr.com