eps2.0_unm4sk-pt1.tc Hunt Writeup

The other night, fsociety “hacked” the Mr. Robot Facebook AMA Live Stream to leak unm4sk-pt1.tc, several days before the official release date.

As I suspected, the video contained easter eggs through the screened code. Let the scavenger hunt begin! [S02E01 spoilers ahead]


1| Darlene’s Cryptowall - First off, kudos to the production for writing in SET (https://github.com/trustedsec/social-engineer-toolkit.git) on Kali (she’s running one of the 1.* versions).

I always fangirl when recognizing real tools/frameworks on-screen, so it was awesome to see Darlene using this to compile her ransomware payload.

Anyways, I immediately retrieved 192.251.68.254 to http://i239.bxjyb2jvda.net and was greeted with a giant fsociety-edition Guy Fawkes mask gif, with a CryptoLocker-esque message saying all my files had been encrypted, with a 24-hour timer.


Ransomware tends to provide an ultimatum, something along the lines of “SEND US BITCOIN$ IN 24 HOURS OR WE WILL DESTROY THE PRG KEY AND SEND YOUR DATA DOWN RIVER STYX!”

This iteration, however, did not say anything more than:

I don’t know about you, but I’m not waiting 24 hours to find out what happens!

So, I decided to hack time.


```javascript
var q = 'PGRpdiBjbGFzcz0ib3ZlciI+PGRpdj4iSSBzaW5jZXJlbHkgYmVsaWV2ZSB0aGF0IGJhbmtpbmcgZXN0YWJsaXNobWVudHMgYXJlIG1vcmUgZGFuZ2Vyb3VzIHRoYW4gc3RhbmRpbmcgYXJtaWVzLCBhbmQgdGhhdCB0aGUgcHJpbmNpcGxlIG9mIHNwZW5kaW5nIG1vbmV5IHRvIGJlIHBhaWQgYnkgcG9zdGVyaXR5LCB1bmRlciB0aGUgbmFtZSBvZiBmdW5kaW5nLCBpcyBidXQgc3dpbmRsaW5nIGZ1dHVyaXR5IG9uIGEgbGFyZ2Ugc2NhbGUuIjwvZGl2PjxkaXYgY2xhc3M9ImF1dGhvciI+LSBUaG9tYXMgSmVmZmVyc29uPC9zcGFuPjwvZGl2PjwvZGl2Pg==';
```

Poking around web_analytics.js, we can find the function fire_beacon(), which returns `window.atob(q);` once the jquery.countdown.js timer completes.

In JavaScript, atob() is a built-in function that decodes a string that has been encoded using Base64. Decoding var q gave me this ASCII string:

```html
<div class="over"><div>"I sincerely believe that banking establishments are more dangerous than standing armies, and that the principle of spending money to be paid by posterity, under the name of funding, is but swindling futurity on a large scale."</div><div class="author">- Thomas Jefferson</span></div></div>
```

Protip: Stop Time by executing `debugger;`
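The payload can also be recovered statically, without touching the countdown. The following is an added example (not code from the site or from this writeup's author) that scans script source for string literals that are well-formed Base64, decode to readable text, and are passed to `atob()`. The sample source, its short payload, and the body of `fire_beacon` are constructed for illustration.

```javascript
// Added example: statically recover Base64-encoded strings from a script
// instead of waiting for a timer callback to decode them in the page.

// Constructed sample standing in for a script like web_analytics.js.
// The short payload, the nonce and the fire_beacon body are assumptions.
const SAMPLE_SOURCE = `
var q = 'PGRpdiBjbGFzcz0ib3ZlciI+Y29uc3RydWN0ZWQgc2FtcGxlPC9kaXY+';
var nonce = "AAECAwQFBgcICQoLDA0ODw==";
var plugin = 'jquery.countdown.js';
function fire_beacon() { return window.atob(q); }
`;

// True when every byte is printable ASCII or common whitespace.
function isPrintable(buf) {
  return buf.every((b) => (b >= 0x20 && b < 0x7f) || b === 9 || b === 10 || b === 13);
}

// Find `name = '<literal>'` assignments whose literal is well-formed Base64
// that decodes to readable text, and note whether the name reaches atob().
function findEncodedLiterals(source, minLength = 16) {
  const assignment = /([A-Za-z_]\w*)\s*=\s*(['"])([A-Za-z0-9+\/]+={0,2})\2/g;
  const findings = [];
  for (const [, name, , literal] of source.matchAll(assignment)) {
    if (literal.length < minLength || literal.length % 4 !== 0) continue;
    const decoded = Buffer.from(literal, 'base64');
    // Buffer.from skips invalid input silently, so require an exact round trip.
    if (decoded.toString('base64') !== literal) continue;
    // Binary blobs (keys, nonces, hashes) are not hidden markup; skip them.
    if (!isPrintable(decoded)) continue;
    const passedToAtob = new RegExp(`atob\\(\\s*${name}\\s*\\)`).test(source);
    findings.push({ name, passedToAtob, text: decoded.toString('utf8') });
  }
  return findings;
}

for (const f of findEncodedLiterals(SAMPLE_SOURCE)) {
  console.log(`${f.name} (atob sink: ${f.passedToAtob}) -> ${f.text}`);
}
```

Run it with Node.js against a saved copy of a script by replacing `SAMPLE_SOURCE` with the file's contents.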

2| Elliot’s Journal QR Code - Scribbled in lead, it is incompatible with a standard QR reader’s limits. I went ahead and recreated it by computer until my reader was able to decode it.

EDIT: My version was a dirty quickie; below is /u/teknogeek1’s far neater gridded bit-by-bit reconstruction:

The QR code resolves to www.conficturaindustries.com, a GeoCities replica site, complete with beloved Netscape 3.0 (August 19, 1996) elements.

Using website crawler software such as Burp’s Spider to map out the domain with requests reveals a basic access authentication page at stage.conficturaindustries.com. I’ll leave this stage up for you to explore, at your own legal risk. :-)


Last, but certainly not least, is my favorite: HTML body inspection unveils this commented-out classic:

```html
<!-- <img src="images/DancingBaby.gif"> -->
```