Pixels Camp Quizshow Challenge #1
Or how the Quiz Master goes on punishing us with his evil ways…
The Pixels Camp Quizshow qualifiers started in early September. The first challenge opened on Friday the 4th — as millions of voices called out in terror for the upcoming loss of productivity — and closed on Monday the 12th with 28 participants having submitted correct answers.
The challenge was a treasure hunt, where you go from one step to the next by deciphering the clues carefully devised by the Quiz Master to throw you off-track and into hours of head-scratching. As usual some lateral thinking is required — and a thick scalp too.
I solved it over the following weekend and this is my story. It all starts with an animated GIF…
The lights on the wall spell “tinyadjlgewpadf”. From past challenges I’m already expecting an URL shortener to make an appearance at some point and, surely enough, the “tiny” bit shows this might be the case:
It redirects to a downloadable audio file on Dropbox…
The name of the file is “beep.wav” and it contains a sequence of 12 beeps, the beeps being actually DTMF tones. After a while being led astray by broken online decoders, the tones spell “052166250182”.
Hmm… 12 digits fit nicely into 4 groups of 3 digits. Is it an IPv4 address?
$ curl -s http://220.127.116.11
At “18.104.22.168” there’s just the default nginx landing page. The same page you get right after installing it, or so it seems. Upon closer inspection, a strange HTTP response header can be seen:
It has the right number of characters (32) for a 128 bit number in hexadecimal notation and starts with “2001”, which I recognize as a common prefix for an IPv6 address.
With no IPv6 at home, I could have configured a quick tunnel using miredo, but I have a remote CentOS virtual machine with native IPv6 on Digital Ocean, so I used that instead. I ended up using it for most of the following steps, for some reason.
$ curl -g -6 'http://[2001:41c8:51:187:badd:ecaf:dead:beef]'
This outputs the following:
keep going, run the gauntlet</body>
This time the HTTP response headers provide no clues, but that fake XML transformation in the closing “html” tag does. It’s a reference to xsl.pt, another URL shortener service.
It needs some token and I’d wager the token is part of the message. There is some word alignment going on and after some (a lot) more head-scratching:
$ curl -s http://runthegauntlet.xsl.pt
But this doesn’t return a normal answer, instead it dumps 15 bytes of binary garbage to the console.
That garbage must have some hidden meaning, so I spent a while inspecting it left-and-right with the help of “hexdump” to no avail. Then someone else suggested “xxd -ps” and googling the output for ideas.
$ curl -s http://runthegauntlet.xsl.pt | xxd -ps
The string “000006040000000000000300000064” appears in some bug report related to a Ruby library, but it doesn’t seem like anything I can use. It does suggest that this might be related to HTTP/2.
Indeed, “curl -v” shows no response headers. Actually, the response has nothing but those 15 bytes. Let’s try nghttp2 on it:
$ nghttp http://runthegauntlet.xsl.pt:80/
It’s important to mention that browsers don’t work any better than “curl” because they refuse to support non-encrypted HTTP/2. This might have led some to believe that the browser’s behavior of downloading the 15 bytes as a file meant the bytes themselves contained the answer.
Another pitfall with this step relates to the level of HTTP/2 required to move forward: the interesting part of the output is actually sent using server push. I got lucky by using “nghttp” right away — I’d already used it in the past for testing — but some went for less featureful implementations like hyper and got stuck in a dead end for a while.
<p>like this new fangled http ? this seems like a dead end but isn’t.
<p> there are other people also trying to replace the web protocol with another more open for the ages
What’s that last line? The body text seems to imply something like QUIC, but the “token” doesn’t look useful for anything related to that.
Again, googling bits of the text for ideas turned up something useful: random references to IPFS. And… it does look like an IPFS peer identity.
$ ipfs cat /ipfs/QmRJ9yhruRTTVCyui13KYQvFKhw9BKdWZMKE2oCAQneudY
It’s a torrent file, and the file it references contains the following:
you got here because a swarm of people helped you.
it’s good to have a network of friends. friends are free.tWM1O56uqYw-WwXIgSnXsfYMI-UHq7AmHu6OnritvYI,B2TkhYDxqbcwsAI9lK48cT5WVQeDBRSjJiPTOBOf25A,AQACAAE/hackthegibson/2/
Notice the words “network” and “free” in the text? I didn’t, but some more googling to get ideas going suggested a Freenet address. On to install the client then…
Something’s missing. Looks like Freenet addresses must have a prefix and trying the four possible ones is leading nowhere: the client either finds no file or throws Java exceptions. Uh!
Browsing a bit assures me that everything is working properly. So I tried the various prefixes again and got a hit this time:
Errrm… let’s not dwell into this. Whatever it was, it worked. Just examine the file contents:
now join the ancient northern mosaic and remember, hack the gibson9986
The ancient northern mosaic, right… Let’s think about this a bit…
The Gibson is a supercomputer from the movie Hackers — named after William Gibson, the writer — and the ancient browser NCSA Mosaic comes from the National Center for Supercomputing Applications which is in northern USA. As logical at this may sound, it doesn’t help getting someplace where the next hint may lie.
I’m already feeling old at this point for remembering what NCSA means and where it is physically located, but something else comes to mind that makes me feel even older: back in the late 90’s some of my college friends used to spend all day playing MUDs, one of which was called MOOsaico. I never logged into a MUD myself but the name stuck for some reason. I wonder…
Turns out MOOsaico is still active and is operated by Universidade do Minho, which is located as far North as you can get in Portugal. And it is ancient by our standards: it has been active for 22 years since 1994.
There’s some exploring to do first:
> @connect guest
> @who chbm
> @who gibson
> @who #9986
Seems like our Quiz Master last connected the day before, I’m definitely in the right place, but there is no such user named “gibson” and none with ID “#9986” either. What else is there to hack?
Seems like someone created a user named “gibson” afterwards, but there was no such user at the time.
From the documentation I gather rooms have IDs as well…
> @go #9986
f.socYou see the gibson here.
Aha! Lets “examine the gibson” for clues:
> examine the gibson
a plain box
Really, a box? Hmm, maybe I should open it:
> open the gibson
--—-> congrats #21231 — you made it to f.soc. you are in. this is your challenge answer. paste it as is into your response file and close the gibson back for the next guy <----
Yes! That’s it, lets “close the gibson” and submit the answer:
$ git checkout challenge1
$ vim answer1.txt
$ git commit -a -m “Finished the 1st challenge”
$ git push
All in all, it was a hard challenge, but also a fun one. As usual it took us through some of the deep and obscure parts of the Internet while learning some new stuff in the process.