Uncovering Cicada Wiki


TOR 2.2 PAGE IS DIFFERENT

Tor page changed again. We noticed the change at about: 06:31 AM 14.1.2013 (GMT)

<html>
<head><title>3301</title></head>
<body>
<pre>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You already have everything you need to continue.

Sometimes one must "knock on the sky and listen to the sound."

Good luck.

3301

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----</pre>
</body>
</html>




http://prntscr.com/p4iat TOR Page

http://prntscr.com/p4dz2 PGP onion2.2

TOR 2.1 (when it changed first time)

As of 1/11 2013, the Tor 2 page, found on http://xsxnaksict6egxkq.onion/, is back up. The onion link, hereafter referred to as 'the tor page', had previously featured the following piece of source code:

<html>
	<head><title>3301</title></head>
	<body>
		Patience is a virtue.
	</body>
</html>

This had changed when the site reopened at approximately 2:00 AM (GMT +1), and it is still (5:14 PM, GMT +1) showing the following:

<html>
	<head><title>3301</title></head>
	<body>
		Welcome back.
	</body>
</html>

In short, the text has been changed into 'Welcome back', while the header remains the same. The hidden hint in the source code has been removed, and not replaced by a new one.


TOR 2 PAGE IS DOWN


I have no idea when that happened or what triggered it.

Note that the first Tor page also changed shortly after we discovered it.


There is a theory that the onion2 page leaked its Linode hostname via an Apache error page. Shortly afterwards the server became unavailable on port 81 (the original clearnet port), and then went down completely on all ports.

It was decided by a handful of people to call Linode and find out whether the server had been terminated or was just shut down. Absence_ on IRC was kind enough to make the call, from which it was deduced that the server was still active (an active profile existed for the IP).

Also, a scan of ports 80 and 81 in the Linode subnet was performed by Tech1. It is believed that both onion1 and onion2 are hosted on Linode and may have been registered together, hence a high probability of sharing a subnet. At the time of writing only xx.xx.xx.110 had port 81 open; a full portscan is in progress (6379, 12003, 80, 22 for now). This IP is probably unrelated and irrelevant to the quest. Port 6376 had Redis running, fully functional and unauthenticated with a bunch of clients connected, and had ad-related settings/logs on it. Discontinuing pursuit.


Approx. time when Tor 2 was taken down

[2013-01-07 18:52:10] <Ymgve> did they just kill it
[2013-01-07 18:52:19] <lull> is it down?
(timestamps in GMT)


Leaked address of TOR 2

$ nc -x localhost:9050 xsxnaksict6egxkq.onion 80

abc


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>abc to /index.html not supported.
</p>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at li528-4.members.linode.com Port 81</address>
</body></html>

Self-doxing onion hidden service:


Whois and other Links

http://li528-4.members.linode.com:81/
http://www.netip.de/dns?domain=li528-4.members.linode.com
http://ip-lookup.net/index.php?ip=106.186.17.4
http://sebsauvage.net/paste/?f3711ebf6e2dc1c6#M1GlAKqRsjv3/Rj8IO+ET1d0KhMPlit8yHrMVdo3BxU=
http://cnet.robtex.com/106.186.17.html
http://webcache.googleusercontent.com/search?q=cache:KEMFPtY38R8J:torstatus.info/router_detail.php%3FFP%3D4ac4f47e829ebba21da77ff221bc4f72573632db+li528-4.members.linode.com&cd=6&hl=en&ct=clnk&client=browser-ubuntu
http://106.186.17.4:81/ odd that port 80 is closed

Wisdom and Folly

We found two files, wisdom and folly, in the /tmp directory of the Cicada OS.

http://codeseekah.com/cicada/folly
http://codeseekah.com/cicada/wisdom
http://codeseekah.com/cicada/folly.32.txt
wisdom and folly are identical files.

Directory structure: http://i.imgur.com/Tywuz.png

Files have not yet been used to produce any usable lead.

New message found

You can't see the forest when you're looking at the trees.

Good luck.

3301


Paste:

https://pastee.org/2zae9

How to get it:

XOR the output of "hint" with the _560 file from DATA.

"hint" is a hidden command when telnetting to TOR 1.
Output of "hint":

http://pastebin.com/raw.php?i=tbbZd5vy

https://pastee.org/tjdbs

PGP legit   
http://prntscr.com/ohvt6

ONION LINKS AND WAY TO GET TO THEM

Gematria Primus table and Black Cicada PNG

Basically (all of this is Ymgve's work, btw):

  • twitter XORed with 761.MP3 is a JPG

testout.jpg: Gematria Primus

https://dl.dropbox.com/u/1593421/3301/stage1.jpg


A primitive counter for the above is at http://codeseekah.com/cicada/count.html (coded to match the output of the onion1 console "count" command, including merging, ordering and stripping).


  • twitter XOR mp3 XOR 560.13 gives base64 that decodes to a PNG

outt.png: Black Cicada PNG

https://dl.dropbox.com/u/1593421/3301/outt.png


The output was much larger than the base64 needed for the PNG, so it was padded with filler. The part of the file after the base64 contains only the repeating string 3301033010330103301033010...

We didn't have all the tweets yet, but because the repeating 330103301033010... follows the base64, Ymgve was able to calculate all the tweets from that "equation":
twitter XOR mp3 XOR 560.13 = base64 that is the PNG

(He filled in the base64 with the filler and "reverse" XORed it back, since XOR is its own inverse.)
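What the trick above amounts to, as an added example (not Ymgve's code or the wiki's): each tweet byte is the XOR of the plaintext with two public files, so once the plaintext turns into predictable filler, the unposted tweet bytes follow directly from filler XOR mp3 XOR 560.13. The "mp3", "560.13" and PNG below are constructed sample data, and using a 10-byte run to fix the filler alignment is an assumption.

```python
import base64
import random
from typing import Optional

FILLER = b"33010"   # the repeating tail observed after the base64-encoded PNG

def xor_bytes(*streams: bytes) -> bytes:
    """XOR any number of byte strings together, truncated to the shortest."""
    n = min(len(s) for s in streams)
    out = bytearray(n)
    for s in streams:
        for i in range(n):
            out[i] ^= s[i]
    return bytes(out)

def filler_alignment(recovered: bytes, min_run: int = 10) -> Optional[int]:
    """Offset with recovered[i] == FILLER[(i+offset) % 5] over the last min_run bytes, else None."""
    if len(recovered) < min_run:
        return None
    tail = range(len(recovered) - min_run, len(recovered))
    for offset in range(len(FILLER)):
        if all(recovered[i] == FILLER[(i + offset) % len(FILLER)] for i in tail):
            return offset
    return None

def predict_missing(known_tweets: bytes, mp3: bytes, data: bytes) -> bytes:
    """Tweets seen so far plus both public keystreams -> the whole tweet stream."""
    k = len(known_tweets)
    # undo the XOR on the known part to see where the plaintext turns into filler
    recovered = xor_bytes(known_tweets, mp3[:k], data[:k])
    offset = filler_alignment(recovered)
    if offset is None:
        raise ValueError("known part has not reached the repeating filler yet")
    # beyond that point the plaintext is predictable, so tweet = filler ^ mp3 ^ data
    future_plain = bytes(FILLER[(i + offset) % len(FILLER)] for i in range(k, len(mp3)))
    return known_tweets + xor_bytes(future_plain, mp3[k:], data[k:])

def demo() -> tuple:
    """Constructed scenario (not the real files): random keystreams, fake PNG, partial tweets."""
    rng = random.Random(3301)
    png_b64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(rng.randrange(256) for _ in range(40)))
    total = len(png_b64) + 200
    plain = (png_b64 + FILLER * (total // len(FILLER) + 1))[:total]
    mp3 = bytes(rng.randrange(256) for _ in range(total))    # stands in for 761.MP3
    data = bytes(rng.randrange(256) for _ in range(total))   # stands in for 560.13
    tweets = xor_bytes(plain, mp3, data)        # what must be tweeted, byte by byte
    seen = tweets[:len(png_b64) + 20]           # what has been posted so far
    return predict_missing(seen, mp3, data), tweets
```

The same known-plaintext property is why a keystream applied over predictable padding gives the padding region away: whoever knows the public inputs can compute the remaining output without waiting for it.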
<Lurker69> Ymgve: so you actually outsmarted cicada and calculated tweets in advance...
<Ymgve> I think they intended for us to be able to
<Ymgve> if not the padding might be more irregular
Once he had the whole tweet feed, we were able to construct the whole JPG file.

Then we were able to run outguess on it.

Outguess output from the Gematria Primus JPG
http://pastebin.com/UA5xDk7s

PGP confirmed.


FIRST ONION PAGE

http://pastebin.com/UA5xDk7s

Message embedded as tabs/spaces
binary to ASCII: byte 0x20 (space) = 0, byte 0x09 (tab) = 1

"Come to emiwp4muu2ktwknf.onion"

"We shall await you there."

"Good luck."
"3301"
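A decoder for that whitespace encoding, as an added example (not the wiki's code): tabs and spaces are collected from the page source, grouped into 8 bits and mapped to ASCII. The most-significant-bit-first order and the assumption that every tab or space in the input belongs to the payload are mine; the page only gives the 0x20 = 0, 0x09 = 1 mapping.

```python
SPACE, TAB = 0x20, 0x09   # byte 0x20 carries a 0 bit, byte 0x09 a 1 bit (as on the page)

def encode_whitespace(message: str) -> bytes:
    """Hide an ASCII message as tabs and spaces, one byte per bit, MSB first (assumed order)."""
    out = bytearray()
    for byte in message.encode("ascii"):
        for shift in range(7, -1, -1):
            out.append(TAB if (byte >> shift) & 1 else SPACE)
    return bytes(out)

def decode_whitespace(blob: bytes) -> str:
    """Recover the text: keep only tabs/spaces, group into 8 bits, map to ASCII."""
    bits = [1 if b == TAB else 0 for b in blob if b in (TAB, SPACE)]
    usable = len(bits) - len(bits) % 8      # drop a trailing partial byte
    chars = []
    for i in range(0, usable, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        chars.append(chr(value))
    return "".join(chars)

def demo() -> str:
    """Constructed sample: the page's recovered line re-embedded between HTML lines."""
    hidden = encode_whitespace("Come to emiwp4muu2ktwknf.onion")
    html = b"<html>\n<body>\n" + hidden + b"\n</body>\n</html>\n"
    return decode_whitespace(html)
```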

https://pastee.org/tqycs

http://emiwp4muu2ktwknf.onion/

The onion page looked like this: at first it showed 2/3 of the cicada, later it was the whole cicada. We don't know what triggered the change.

onion v1

http://prntscr.com/oejfg

onion v2

http://img94.imageshack.us/img94/2627/d436f4de14464afdb6eb3fb.png

Because: Web browsers are useless here.


People with Linux started telnetting to the page. Meanwhile, people with Windows were gaming like mad.

nc -x localhost:9050 emiwp4muu2ktwknf.onion 80

help, [number], count [number], hello

count [phrase]: calculates the number value of the phrase based on the table you had in the image

Also, it factorizes numbers: 10 -> 2 5; 20 -> 2 2 5

<brotherBox> count a 97*   count b 61+   count c 13*

I think this came from telnet:

hello

http://pastebin.com/ZmFQ8ND2

http://pastebin.com/uCTgE2KA

Then some magic (hex to ASCII) happened and we got this:

http://pastebin.com/J8AadNf4

PGP confirmed

http://i.imgur.com/1Y4KR.png

ONION 2

http://i.imgur.com/1Y4KR.png

http://i.imgur.com/OWtCa.png

http://pastebin.com/hR0MY2j0
http://i.imgur.com/J7Zfv.jpg

<html>
        <head><title>3301</title></head>
        <body>
                Patience is a virtue.
                <!-- which means, come back soon. -->
        </body>
</html>



OUTDATED: Both onion pages are up and working. The Twitter account is still feeding tweets, but we don't need them anymore since Ymgve calculated all the tweets that will be posted in the future with his XOR sorcery.

Now we have to learn how to use telnet and figure out what it is doing.

WHAT WE'RE LOOKING FOR (XORing)

[22:00] <@soulseekah> expect PNG: 3603 8e8b 926c 8984

[22:00] <@soulseekah> expect PGP: 927e ede1 b224 d6c9 c90d c894 f9cf 29

[22:00] <@soulseekah> expect JPG: 408b 3f2c 9f76 d9c8 c905


[22:14] <@soulseekah> looking for anything that could decrypt wisdom/folly to start with -----BEGIN PGP SIGNED MESSAGE-----

[22:15] <@soulseekah> or LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQ if in base64

RUNES

http://www.vikingrune.com/rune-converter/?r_sentence=cthulhu&r_alpha=1&submit;=Convert

http://www.sunnyway.com/runes/write_in_runes.html

The runes in the table appear to be of two different sorts: the left column is Germanic (Elder Futhark), the right column is Scandinavian (Short-twig). http://prntscr.com/oecyv  http://prntscr.com/oectu

TWITTER FEEDS

http://www.allmytweets.net/?screen_name=1231507051321
http://codeseekah.com/cicada/tweets.html
view-source:http://codeseekah.com/cicada/out.hex.32.html

