Joining the FancyCat Club: HackMIT ‘14
On July 3rd, 2014, HackMIT registration opened. This time, though, we decided to put a twist on the normal hackathon admissions game. HackMIT admissions would be based on a random lottery; the only way for non-MIT students to guarantee admission would be to snag one of the fifty unique, one-use-only puzzle codes at the end of the puzzle. A puzzle code would be good for an entire team’s admission.
Now that registration is over, HackMIT is releasing the official, sanctioned guide to the HackMIT admissions puzzle here. Didn’t solve the puzzle? Give it a try first. If you get stuck, then come back and read this guide.
And shoutout to Michael Holachek, the HackMIT team member who wrote the puzzle in its entirety.
Part 1: CATMIT
The start to the puzzle was hidden on the HackMIT page. All you had to do was click on the “C” of “HACKMIT”:
And you would be taken to a page eerily similar, located at https://hackmit.org/6361746d6974:
Now, a lot of people got stuck on this page. They inspected the source code of the page, started searching, and found a hidden form!
This was a false trail. Everyone who did this discovered that postEmail() actually did nothing and promptly hit a dead end.
The real clue was not obvious from the source code. Instead, the real clue depended on a key component: sound. If you refreshed the page and listened to the sound that played, you heard these three sound files:
If you listen carefully to the second sound file, you will notice that it is the sound of DTMF (dual tone multi frequency) tones—the dial tones phones make when numbers are pressed. Specifically, ten tones are played. There are ten numbers in a phone number.
There are a variety of online and downloadable DTMF decoders that exist, but the dial tones translate into the following number: (224) 900-2583. Upon dialing this number, a voice greets you on the other end, and the next hint is read out loud:
Oh, what joy cats bring around.
With paws and meows and purrs abound.
Their petite size and cute faces
Lead us humans to give them much embraces.
GIFs and JIFs of cute animations
Will let them lay down the world’s new foundations.
Long live the cats!
After an extended pause, a helpful voice tells all those still listening to try searching Google for the answer!
Googling the entire poem in quotes leads you to the next part of the puzzle.
Part 2: Long live the cats!
The entire poem is online at http://hellopoetry.com/poem/744421/long-live-the-cats/. Closer inspection reveals the publishing user to be Cars Neilscat, and the poem tags to be #secret, #cats, and #map. Notice the link right above the tags:
[The link is http://www.mediafire.com/view/fjydb0mnj60ek7q/map.pdf]
The link leads to a 25-sheet pdf, which you’ll quickly recognize as a pdf QR code in 25 different sections.
After a bit of formatting, scanning this QR code brings you to http://4841434b.com/ and the next part of the puzzle.
Part 3: HexMania
This site is all about hashing and encoding. The home page give some information—interesting, but irrelevant to the puzzle. However, the important tab is the PUZZLE FOR YOU tab, which looks like the following:
There’s not much else to the site, unless you click on the HEX CONVERTOR tab, which features a Hex to ASCII convertor. Converting the provided Hex code to ASCII reveals the following clue:
The clue conveniently tells us exactly what to do with the giant hashed mess on the PUZZLE FOR YOU tab: we just have to find a line that fits the clue. In other words, given a line in the puzzle, if we add the line above and below that line and hash the result, it should give us the answer.
I used python, which has a nice hashing library called hashlib. My code was as follows:
Since each visitor to the page is greeted with a unique hashing puzzle, you needed to have written this python script to find the answer to your particular puzzle. After inputting this answer to the CHECK IT! tab, you received a link to the last part of the puzzle: http://fancycat.club/.
Part 4: CatGIF Control Server
[UPDATE: The FancyCat club has been closed due to comment trolling. However, if you are still curious how one would hack into the site, keep reading.]
Navigating to http://fancycat.club/ brings up the following page:
Clicking on “tuna” in the box in the upper right hand corner of the page brings you to the mrtinkles/fancycat GitHub repo. There were two ways to find a valid username (“Meow ID”) and password combination.
First, you could look at the commit history of the repo. The fifth commit adds a file called DONTREADME.md, which looks like the following:
DONTREADME.md is removed with the next commit, so can’t be seen in the repo at its current state. However, “oreo” and “ILOVEMITTENS” are a valid username and password combination.
Alternatively, you could clone the repo and take a look at the SQLite database of fancycat.club. Specifically, you’ll see there’s a db.sqlite3 file; we can access the database and poke around:
Looking at all of the tables in the database reveals a promising table “auth_user.” Closer inspection shows usernames and md5 hashes of their passwords. A quick Google search reveals that md5 hashes can be un-hashed. I used an md5 decrypting website to unhash a few of the passwords, revealing the following potential username and password combinations:
mrtinkles — mousetrap
mittens — catman
amber — catgif
Finally, we enter any one of these username and password combinations into the fancycat.club login page and are presented with the following catgif main page:
Clicking on any one of the links brings you to a page with a secret code. ☺