Siteswapping: crypto puzzle solution

Arth
Jan 28, 2020

Siteswapping is a puzzle created by Lucas Abduch that mixes cryptocurrencies and juggling. It starts with a video posted on his YouTube channel:

For almost 4 minutes, the video shows a sequence of clips where Lucas juggles balls of different colors. It’s not a format you would find in any other crypto puzzle, but it’s clearly necessary to decipher this sequence in order to obtain the 100,000 LBC prize and a mystic Axie.

At this point, we can try to solve the video code directly, or seek more information about the context.

As explained in the video, the final solution consists of a private key and a default_wallet file, so the puzzle may contain more elements and steps in addition to what was presented.

Learning more about the project, it’s evident that we have a wide scope to explore on his social media, such as Facebook, Instagram, Twitter and YouTube, in addition to sponsors LBRY and Axie Infinity.

Starting with the video “surroundings”, we see that the description invites us to watch the same video on the LBRY platform. In addition to this version being in English, we can notice other subtle differences. Some characters quickly appear and disappear in the bottom left corner of the video:

By concatenating all the characters, the string p/Bwwr6OWgMh2 is formed. Searching for this term reveals that it’s an Instagram link to the following Malabarize-se post:

We can also see that the post is marked with some “strange” hashtags, such as #hint and #whitesplit. After verifying that the image is clean of basic steganography, we can see that it has 9 video thumbnails from the same channel as the main video, more specifically, in the video art playlist.

In the description of each of the 9 indicated videos, we can notice a curious text beginning with “~”:

Although it’s already possible to identify that they’re fragments of rotated text, let’s return to the main video in LBRY. In the video description, there’s a link that looks like the one present in most other videos to redirect to the channel’s newsletter, but with a small difference:

Despite being a relatively hidden URL, once found it was widely shared. It leads to an image published on spee.ch entitled @firstdoorhint:1/psyloASAP.jpeg:

This time, image inspection reveals a .ZIP file with two other images: redstroke.png and yellowstroke.png.

The identical logo in the upper right corner and the directions in a 3x3 matrix indicate that these images perfectly fit with the video grid:

Now we can concatenate the text fragments following the paths indicated in the red and yellow images. In addition, we will do this considering the left side of the “|” separator for the red path, and the right side for yellow in the 9 fragments, as instructed by the images:

TRDQ:khedhrzintqmdx (left side, red stroke)
SDVVZRUG:78fkdudfwhuv,Vwhidq’vidyrulwhsxccoh (right side, yellow stroke)

It’s encrypted. We can start trying to convert it with a simple method, like Caesar’s cipher, using a tool like this one:

The red path text was deciphered by rotating 1 position to the right in the alphabet (+1), while in the yellow path the rotation is 23 positions to the right, or the equivalent of 3 positions to the left (-3), which relates to values 1 and 3 in the red and yellow images, respectively.

The result is a set of credentials: a username (lifeisajourney) and a password hint (Stefan’s favorite puzzle) with the number of characters. We must pay attention to the fact that there are two plausible possibilities for the number of characters in the password: 78 if it’s the original number, or 45 if the number is also rotated.
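The rotation step above can be reproduced offline. This is an added example, not part of the original write-up: it recovers each signed shift from an assumed plaintext label (USER or PASSWORD) and shows why the character count is ambiguous, since a left shift of 3 and a right shift of 23 agree on letters but not on digits.

```python
import string

# Ciphertexts exactly as given on the page (red and yellow paths).
RED = "TRDQ:khedhrzintqmdx"
YELLOW = "SDVVZRUG:78fkdudfwhuv,Vwhidq’vidyrulwhsxccoh"
# Assumption: the label before ":" decodes to one of these words.
CRIBS = {"USER", "PASSWORD"}


def rotate(text, shift, digits=False):
    """Shift letters by `shift` (mod 26); optionally shift digits too (mod 10)."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        elif digits and ch in string.digits:
            out.append(str((int(ch) + shift) % 10))
        else:
            out.append(ch)  # punctuation such as ":" "," and the apostrophe
    return "".join(out)


def find_shift(ciphertext):
    """Return the signed shift in -13..12 whose decoded label matches a crib."""
    label = ciphertext.split(":", 1)[0]
    hits = [s for s in range(-13, 13) if rotate(label, s) in CRIBS]
    if len(hits) != 1:
        raise ValueError("no unique shift found for label %r" % label)
    return hits[0]


if __name__ == "__main__":
    for ct in (RED, YELLOW):
        k = find_shift(ct)
        print(k, rotate(ct, k), "| digits rotated:", rotate(ct, k, digits=True))
```

Keeping the shift signed matters only for the digits: with -3 the number 78 becomes 45, while the letter-equivalent shift of 23 would turn it into 01.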

Returning to the psyloASAP.jpeg image that hides the .ZIP file, we will try to find something relevant in relation to its name or content. Searching the image on Google, we found that it’s related to mushrooms, more specifically, psilocybin and its effect on the brain. In the first results we found a YouTube video along with articles and a book containing the original image:

Although the video may not seem relevant at first, we notice that the channel name is AsapSCIENCE, which relates to “ASAP” in the image name. The only place that could have something hidden is the comment section. As the video has more than 6 thousand comments, we can use this tool to find something posted by Lucas:

The sections in upper case are “looking inside” and “red plus”. While the first may refer to “looking inside the image” to discover the .ZIP file, we still don’t know for sure what “red plus” could mean. With no other viable trails to follow, we will do our best to unravel the main part of the puzzle.

The first door

After splitting the main juggling video into a sequence of 49 clips, we need to understand how to convert them to something intelligible. At first, due to ignorance, we imagine that the variables are only the colors of the balls (white, purple, yellow, red, orange and transparent) and the number of balls that can vary between 1, 3, 4 and 5.

But it’s much more complex than that: as the puzzle’s name implies, to solve it we must learn siteswaps, also known as Cambridge notation, which describes the juggling patterns in relation to timing, height and the hand to which the throw is made.

This step consists of a laborious manual process of converting each clip to a numerical value associated with its possible juggling notation. After understanding the logic of siteswap, we can initially organize a set of possible notations according to our interpretation.

Then, we can refine the results by comparing the clips with tutorial videos or siteswap simulators for each specific notation.

To make it even better, when downloading the .MP4 file from LBRY and examining it as a text file, we can find a series of metadata about the published video, including the clip names:

Each clip appears to have been cut and used at different times in the video. Although the relatively obfuscated format makes it difficult to accurately recover the original times of the clips, the exposure of the clip names is already quite useful in determining which notations are valid in our conversion:

531 522 534 53
53 534
6451 7531
6x4
5b cascade rev casc
mills mess 441
4b peito e millsmess
423
3b impro roxas
3b impro vermelhas
3b impro brancas
3b impro amarelas
1b amarela matrix
1 acri
2 acri

We can confirm that only the orange balls have an “adequate” notation. As the clip names indicate, other colors are improvisations, and most use the same amount of 3 balls (except for “1b yellow matrix”), so the only relevant feature should be the color. This also matches the beginning of the video, which refers to the fact that orange has a different purpose from other colors:

It remains to be seen what the transparent balls would be, or as pointed out in the metadata, the acrylic balls. The individual acrylic ball appears 3 times, while a pair of acrylic balls appears at the end, before the last sequence of colored balls:

We can assume that this ball is some kind of marker and also has a distinct function from other balls.

Finally, let’s transcribe what we have:

Replacing oranges with their associated siteswap:

At this point, you need to have had some “epiphanies” from observing the following details:

  • The alternating pattern of orange with other colors;
  • Orange always starts and ends all sequences;
  • If the other colors cannot be converted to numbers, what could they represent?
  • “white split” and “red plus”? Why “negative rotation” in yellow stroke path?

Cross-referencing all the data, we deduce that the other colors represent the basic mathematical operations (division, multiplication, subtraction and addition), where the orange siteswaps are the operands.

And the acrylic?

Here we need another “epiphany”:

  • We have a username and a password hint. Where could this be inserted? Steganography only requires a password;
  • In the image posted on spee.ch, the URI mentions a “first door”;
  • This puzzle seems to be far from over… a private key and a wallet file are yet to “appear”. How could it be possible to obtain “more material” to proceed?
  • Discord hint: Lucas is spending $5 for each month that we don’t solve the puzzle.

If you are familiar with IPv4 and VPS, you will already have understood that the first door is an IP. Acrylic is simply the dot divider for each of the 4 numerical IP values (octets), while the last separator with 2 acrylic balls represents the colon symbol “:”, which indicates the IP port to be used.

Even knowing the first door is an IP, it could still be difficult to find and access the correct address. We must first assume that operator precedence is simply the order in which the operators appear. For example, for the sequence 441 – 4 + 3 / 4 the division must be performed last; therefore, to obtain the same result on a computer or calculator, parentheses are required.

In addition, we must replace the 6x4 notation by the product result (24).

There were 3 ways to determine which operator corresponds to each color.

The first one was right at the beginning of the video, but probably nobody could notice it, just as I didn’t realize it either:

The second way is through the hints scattered throughout the puzzle:

  • White: #whitesplit;
  • Red: RED PLUS and +1 in Caesar’s cipher;
  • Yellow: -3 in Caesar’s cipher;
  • Purple: “x” in the name itself, and Discord hint (pattern at 0:10 is an “X” drawn in the air).

The last method is brute force. Assigning the 4 operators to the 4 colors in every possible order gives 24 possibilities:

There’s only one combination that results in values that are integers, positive and less than 256.

Finally, the most powerful hint was given on Discord at the beginning of 2020: the IP port is 22. It not only pointed to the solution being an IP, but consolidated one of the equations with 2 operators (5 x 5 – 3 = 22), and also reinforced that the VPS should probably be accessed through SSH, and not through an HTTP page in the browser.
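The brute-force method can be written out as follows. This is an added example, not code from the original write-up: the two color-coded sequences are reconstructed from the only expressions the text states (441 – 4 + 3 / 4 and 5 x 5 – 3) combined with its color hints, and evaluation is strictly left to right as described above.

```python
from fractions import Fraction
from itertools import permutations
import operator

OPS = {"+": operator.add, "-": operator.sub,
       "*": operator.mul, "/": operator.truediv}
COLORS = ("white", "red", "yellow", "purple")

# Reconstructed sequences (assumption): operands are the orange siteswaps,
# colors stand in for the still-unknown operators.
OCTET = [441, "yellow", 4, "red", 3, "white", 4]
PORT = [5, "purple", 5, "yellow", 3]


def evaluate(seq, mapping):
    """Apply operators strictly left to right, ignoring normal precedence."""
    acc = Fraction(seq[0])
    for color, operand in zip(seq[1::2], seq[2::2]):
        acc = OPS[mapping[color]](acc, Fraction(operand))
    return acc


def solve(octets, port_seq, port=None):
    """Try all 24 color-to-operator assignments; keep those giving a valid IP."""
    solutions = []
    for perm in permutations(OPS):
        mapping = dict(zip(COLORS, perm))
        try:
            values = [evaluate(o, mapping) for o in octets]
            p = evaluate(port_seq, mapping)
        except ZeroDivisionError:
            continue
        # Exact arithmetic: an octet must be a whole number in 0..255.
        ok = all(v.denominator == 1 and 0 <= v <= 255 for v in values)
        ok = ok and p.denominator == 1 and 0 < p < 65536
        if ok and (port is None or p == port):
            solutions.append((mapping, [int(v) for v in values], int(p)))
    return solutions


if __name__ == "__main__":
    for mapping, values, port in solve([OCTET], PORT):
        print(mapping, values, port)
```

Even with a single octet as input, only one assignment survives, and the port it yields agrees with the Discord hint.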

First door password

After finding the first door, we can start testing passwords based on the obtained hint: Stefan’s favorite puzzle, with 78 or 45 characters, depending on whether the cipher rotation is also applied to the number.

The metadata’s reference, the mention in the main video’s acknowledgments, or a quick search indicate that it’s about Stefan Sing:

From the number of references, we can also see that Tangram, one of Stefan’s main shows, is his “favorite puzzle”. We only need to find something related to it with a valid number of characters.

It’s worth noting that the main video contains exactly 45 clips with colored balls (not counting the acrylic ones), but it’s just an unfortunate coincidence.

On Stefan’s channel, we can find a video with his Tangram presentation. In this video, we see 2 comments from Lucas, where the most recent one seems to make more sense in relation to the puzzle creation period and may be related:

With some “mushrooms”, we find that by removing spaces and special symbols, the resulting text has exactly 45 characters:

PurepoetryReallynicetowatchitagainafter6years

With this password, we finally managed to enter lifeisajourney@95.179.186.110 via SSH!

Bem-vind@ à primeira porta.

Você não precisa de acesso root.
Tudo o que está aqui volta a ser como era antes de tempos em tempos.
Você não precisa se preocupar.
Tudo que você precisa está aqui e agora.

Boa sorte.

Second door

Once inside the first door, we find a folder called seconddoor with some images and a hidden .RAR file (starting with “.”).

After transferring the files, we can verify that all images are clean of steganography. The .RAR file is password protected and its header is also encrypted, making it impossible to view its contents. We can deduce that the next step is to find the password, possibly using the file names and image content as hints.

The filename #14mar2018 can involve 2 hints at once: the date and a hashtag. Searching about March 14, 2018, what stands out is the death of 2 famous people: Stephen Hawking and Marielle Franco. The meaning of the images seems to be ambiguous: on the one hand, they may refer to the people who died, as a gesture of homage and a request for remembrance; on the other hand, they seem to be connected to philosophy content.

Here we have several options: we can combine the information in the password, or try to work with each information in isolation. It seems reasonable to assume that the password is only related to Hawking, due to the space image with stars (remember.jpg). At the same time, Marielle is a very relevant character in the Brazilian political scene, and we can even find some mentions of her on Lucas’ social media, excluding the possibility of it being a coincidence.

Following the hint from the .RAR filename, we can try to find similar hashtags related to Stephen or Marielle using this site. While Hawking doesn’t return many results, Marielle has a number of hashtags:

The second hashtag #mariellepresente opens the .RAR file successfully.

Another way to find the password would be to visit the oldest posts on both profiles, after all, there is no more effective way to remember what happened that day than by “going back in time”.

Third door

Inside the .RAR file we find a text message:

It's been a long time you don't come for a tea!
email me at "theonlyshortcakethatcanhealyou""firstfireant#"@protonmail.com
and tell me your favorite tea flavour,
I'll make sure to have everything organize once you arrive!

This part of the puzzle is clearly about Axie Infinity. Through the marketplace, we can find the answers to craft the ProtonMail address. There is only one type of shortcake:

There are only 27 Axies with the Fire Ant part. We can sort them according to their ID to find the first one that came into the game:

It’s Axie “Lucky Seven” with ID #7. So, initially, we assume that the email is strawberry7@protonmail.com, but there is no response. We can send an email using the ID of the other 26 Axies to confirm, and we will receive an automatic reply to each one warning that the email does not exist:

However, by testing the strawberry6 and strawberry8 emails we find that they also exist, so we may need to try some more specific variations of strawberry7. And indeed, we eventually receive a response from strawberryshortcake7@protonmail.com:

Last Moon

We receive the image lastmoon.JPG, another password protected .RAR file and a binary text.

01101000 01101001 00000000 00000000 00000000
00110101 00101110 01000110 01000100 00110010
00110110 01000011 01000101 00110000 00110001
00110010 01000001 00110100 00110010 01000110
01000011 01000101 00110011 00110001 01110111
01101001 01100110 01100101 00100000 01111010
01100101 01110010 01101111 00100000 01111010
01101111 01101111 00110110 00110100 00110101
00110001 00101110 01000110 01000010 01000010
00110001 00110010 00110100 01000100 01000010
01000010 00110100 01000010 00110001 00110101
00110010 00111000 01000010 00110110 01111000
00110100 01100001 01100011 01101001 01100100
00100000 01100011 01110101 01110010 01110110
01100101 00100000 01101010 01110101 01100111
01100111 01101100 01101001 01101110 01100111
00110101 00110010 00110010 00101110 00110100
00110001 00111000 00110111 00111000 00110111
00110100 00110010 00110011 00110110 00110100
01000100 00110100 00110000 01000010 00110001
00110100 01100100 01100001 01101101 01110000
00100000 01101111 01100010 01100101 01111001
00100000 01100100 01101001 01100111 01101001
01110100 01100001 01101100 00110101 00110011
00110001 00101110 00110110 00110100 00110010
00110011 01000010 00111001 01000011 00110101
01000010 01000101 00111001 00110000 00110000
00110000 00110101 01000100 00110111 00110101
00110011 00110001 01110011 01101111 01110101
01110010 01100011 01100101 00100000 01101101
01100101 01100100 01101001 01100001 00100000
01110011 01100001 01110100 01101111 01110011

Converting the bytes to ASCII, we obtain:

hi 5.FD26CE012A42FCE31wife zero zoo6451.FBB124DBB4B1528B6x4acid curve juggling522.41878742364D40B14damp obey digital531.6423B9C5BE90005D7531source media satos

We can see that the text contains a mixture of juggling notations, hexadecimal private key parts, and words. We are immediately tempted to join the fragments of the private key, but it must be 64 characters long to form a valid string, and each part starting after the dot is just over 16 characters long.

Looking more closely, we realize that there’s always another juggling notation separating a private key part and a 3 words set. We can identify that the following pattern is repeated 4 times in a row:

[siteswap with dot] [16 hex chars] [siteswap no dot] [3 words]
5. | FD26CE012A42FCE3 | 1 | wife zero zoo
6451. | FBB124DBB4B1528B | 6x4 | acid curve juggling
522. | 41878742364D40B1 | 4 | damp obey digital
531. | 6423B9C5BE90005D | 7531 | source media satos

Do the notations look familiar?

All of these siteswaps were executed in the main video… However, not in that order.

Notations to the left of the hexadecimal appear in sequence in the second part of the IP:

6451.            5.               531.             522.
FBB124DBB4B1528B FD26CE012A42FCE3 6423B9C5BE90005D 41878742364D40B1

The private key FBB124DBB4B1528BFD26CE012A42FCE36423B9C5BE90005D41878742364D40B1 generates the Ethereum address containing the mystic Axie!

Applying the same logic to the word sets, the notations appear in the first part of the IP until the beginning of the second part:

6x4                 4                 1             7531
acid curve juggling damp obey digital wife zero zoo source media satos

The correct word sequence is probably the password for the last .RAR file, so we can now start testing possible passwords. If we pay attention, most words are part of the BIP39 wordlist, with the exception of juggling and satos. Although the password accepts “anything”, satos should probably be replaced by satoshi, which is a valid word, and Satoshi is also in the video’s acknowledgments.

Following the puzzle tradition of avoiding spaces, we finally managed to open the last .RAR with the password:

acidcurvejugglingdampobeydigitalwifezerozoosourcemediasatoshi

Inside is the default_wallet file, which gives access to the last prize of 100,000 LBC!
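The record pattern and the reordering described in this section can be checked mechanically. This is an added example, not code from the original write-up: it parses the decoded text into the four [siteswap with dot] [16 hex chars] [siteswap no dot] [3 words] records and reassembles both outputs in the orders given above; the regular expression and function names are assumptions made for the illustration.

```python
import re

# Decoded text as shown above (the three NUL bytes after "hi" appear as a space).
DECODED = (
    "hi 5.FD26CE012A42FCE31wife zero zoo"
    "6451.FBB124DBB4B1528B6x4acid curve juggling"
    "522.41878742364D40B14damp obey digital"
    "531.6423B9C5BE90005D7531source media satos"
)

# [siteswap with dot] [16 hex chars] [siteswap no dot] [3 words]
RECORD = re.compile(
    r"(\d+)\.([0-9A-F]{16})(\d+(?:x\d+)?)([a-z]+(?: [a-z]+){2})"
)

# Orders in which the siteswaps occur in the IP sequence, as stated in the text.
KEY_ORDER = ["6451", "5", "531", "522"]
WORD_ORDER = ["6x4", "4", "1", "7531"]


def parse(text):
    """Index hex parts by their left siteswap and word sets by their right one."""
    hex_by_swap, words_by_swap = {}, {}
    for left, hexpart, right, words in RECORD.findall(text):
        hex_by_swap[left] = hexpart
        words_by_swap[right] = words
    if len(hex_by_swap) != 4 or len(words_by_swap) != 4:
        raise ValueError("expected four complete records")
    return hex_by_swap, words_by_swap


def assemble(text):
    """Return (private key hex, archive password) rebuilt in siteswap order."""
    hex_by_swap, words_by_swap = parse(text)
    key = "".join(hex_by_swap[s] for s in KEY_ORDER)
    if not re.fullmatch(r"[0-9A-F]{64}", key):
        raise ValueError("key is not 64 hex characters")
    phrase = " ".join(words_by_swap[s] for s in WORD_ORDER)
    # "satos" is completed to the BIP39 word "satoshi"; spaces are dropped.
    password = phrase.replace("satos", "satoshi").replace(" ", "")
    return key, password


if __name__ == "__main__":
    key, password = assemble(DECODED)
    print(len(key), key)
    print(password)
```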

Thanks for reading this far! I’m very grateful to Lucas for this wonderful puzzle, it was an indescribable pleasure to participate!

Congratulations to everyone who also participated and good luck next time! :)
