TOR 2.2 PAGE IS DIFFERENT
Tor page changed again. We noticed the change at about: 06:31 AM 14.1.2013 (GMT)
<html>
<head><title>3301</title></head>
<body>
<pre>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You already have everything you need to continue.

Sometimes one must "knock on the sky and listen to the sound."

Good luck.

3301
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJQ85gbAAoJEBgfAeV6NQkP6joP/iHzBMvK6YZO24wv24RtstGJ
dEMrC9BjtUhrB+F0++sHqWeYuueZ37bDstIoh6EOenRHpECD0QBPTc40aUl2Op1L
4NuUVCUQvfqo/kdWBmSdTP4xGoCtwcXoISfhSM/i+wXqRONSy4z0FrXA3N9yxFaK
eqlNk47aZvyWWHcyYACUEar/V4kfGo8j58r2CisnfeNwat6I6ZfL9P370UVJQyG1
a0WV7rF015TLbwAJkwI1jX7GLPWOkRK3lP8qLJJodNvMPSSyUPyPB01ElgBopm+t
U9bQb/wIGtGG74ezUvwhtDGtXJLWllZtrZx82mQQWzzn8hReqqX0T35idJlTfxIz
aZDNjLCOQJZCngmXEN7iz47w/g67BQ5eoa6iEj7blFwzMwVO7M7pL+L6LZLnuXml
Zv1oDNCuENrIo4j8VGLro9pLptiilsUA6xFRS9bfE7qeeBfmS4J8DScOddzLYNVv
5fKd6iaLJoAqJGkcKnAWPl5VViDhYRL0z1N80zpjm1cWtPBIS2odLMZT80VfMYQI
8XXaEmRqoP8/9EImapqeSk+qcrUkT1+2opKRTOf7754ptjvJq31jQJgeY2gKGtp1
jPXZiu9Pp3QQ5cRKIWIIdOFvcrVtIZ/P3OYhT0p4Z+L13fScUbr/kxI6KcZmY/1D
Szqzyr8SW7zRz1ypGffc
=UPkJ
-----END PGP SIGNATURE-----
</pre>
</body>
</html>
PGP message from the above text:
http://prntscr.com/p4iat TOR Page
http://prntscr.com/p4dz2 PGP onion2.2
TOR 2.1 (when it changed first time)
As of 1/11 2013, the Tor 2 page, found on http://xsxnaksict6egxkq.onion/, is back up. The onion link, hereafter referred to as 'the tor page', had previously featured the following piece of source code:
<html> <head><title>3301</title></head> <body> Patience is a virtue. </body> </html>
This had changed when the site reopened at approximately 2:00 AM (GMT +1), and it is still (5:14 PM, GMT +1) showing the following:
<html> <head><title>3301</title></head> <body> Welcome back. </body> </html>
In short, the text has been changed into 'Welcome back', while the header remains the same. The hidden hint in the source code has been removed, and not replaced by a new one.
TOR 2 PAGE IS DOWN
I have no idea when that happened or what triggered it.
Note that the first tor page also changed shortly after we discovered it.
There is a theory that the onion2 page leaked its Linode hostname via an Apache error page (the server signature footer of the 501 response named li528-4.members.linode.com). Shortly afterwards the server became unavailable on port 81 (the original clearnet port), and then went down completely on all ports. A hidden service whose web server also answers on a clearnet port with Apache's default ServerSignature footer will leak its host this way; operators normally bind the web server to localhost only and turn ServerSignature off.
It was decided by a handful of people to call Linode and find out whether the server had been terminated or was just shut down. Absence_ on IRC was kind enough to make the call, from which it was deduced that the server was still active (an active profile existed for the IP).
Also, a scan of ports 80 and 81 in the Linode subnet was performed by Tech1. It is believed that both onion1 and onion2 are hosted on Linode and may have been registered together, hence a high probability of sharing a subnet. At the time of writing only xx.xx.xx.110 had port 81 open; a full portscan is in progress (6379, 12003, 80, 22 for now). This IP is probably unrelated and irrelevant to the quest. Port 6376 had Redis running, fully functional and unauthenticated with a bunch of clients connected, with ad-related settings/logs on it. Discontinuing pursuit.
Approx. time when tor 2 was taken down
[2013-01-07 18:52:10] <Ymgve> did they just kill it
[2013-01-07 18:52:19] <lull> is it down?
(times in GMT)
Leaked address of TOR 2
$ nc -x localhost:9050 xsxnaksict6egxkq.onion 80
abc
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>abc to /index.html not supported.
</p>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at li528-4.members.linode.com Port 81</address>
</body></html>
Self-doxing onion hidden service:
Whois and other links
http://li528-4.members.linode.com:81/
http://www.netip.de/dns?domain=li528-4.members.linode.com
http://ip-lookup.net/index.php?ip=106.186.17.4
http://sebsauvage.net/paste/?f3711ebf6e2dc1c6#M1GlAKqRsjv3/Rj8IO+ET1d0KhMPlit8yHrMVdo3BxU=
http://cnet.robtex.com/106.186.17.html
http://webcache.googleusercontent.com/search?q=cache:KEMFPtY38R8J:torstatus.info/router_detail.php%3FFP%3D4ac4f47e829ebba21da77ff221bc4f72573632db+li528-4.members.linode.com&cd=6&hl=en&ct=clnk&client=browser-ubuntu
http://106.186.17.4:81/ odd that port 80 is closed
Wisdom and Folly
We found two files, wisdom and folly, in the /tmp directory in CICADA OS
http://codeseekah.com/cicada/folly
http://codeseekah.com/cicada/wisdom
http://codeseekah.com/cicada/folly.32.txt
wisdom and folly are identical files
Directory structure: http://i.imgur.com/Tywuz.png
The files have not yet been used to produce any usable lead.
New message found
You can't see the forest when you're looking at the trees. Good luck. 3301
Paste:
How to get it:
"hint" XOR the _560 file from DATA
"hint" is a hidden command when telnetting TOR 1
output of "hint":
http://pastebin.com/raw.php?i=tbbZd5vy
PGP legit
http://prntscr.com/ohvt6
ONION LINKS AND WAY TO GET TO THEM
===Gematria Primus table and Black Cicada png===
Basically (all this is Ymgve's work, btw):
- twitter XORed with 761.MP3 is a jpg
testout.jpg: Gematria Primus
https://dl.dropbox.com/u/1593421/3301/stage1.jpg
A primitive counter for the above is at http://codeseekah.com/cicada/count.html (coded to match the onion1 console "count" command in output, including merging, ordering and stripping)
- twitter XOR mp3 XOR 560.13 gives base64 that, when decoded, is a png
outt.png: Black cicada png
https://dl.dropbox.com/u/1593421/3301/outt.png
The output was much larger than the base64 needed for the png, so it was padded with filler. The part of the file after the base64 contains only the repeating string 3301033010330103301033010...
We didn't have all the tweets yet, but because the repeating 330103301033010... follows the base64, Ymgve was able to calculate all the tweets out of that "equation":
twitter XOR mp3 XOR 560.13 = base64 that is the png
(he filled out the base64 with the filler and "reverse" XORed it back; XOR is its own inverse)
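Ymgve's recovery step, as an added example (not his code and not from the page): past the end of the base64 the output is known to be the "33010" filler, so for that region tweets = filler XOR mp3 XOR 560.13. The three input streams and the png are constructed stand-ins, not the real files.

```python
# Added example: recovering the not-yet-posted tweet bytes from the page's relation
#   twitter XOR mp3 XOR 560.13 = base64(png) + repeating "33010" filler
# Because XOR is its own inverse, wherever the output is known (the filler region)
# the missing tweet bytes are just filler XOR mp3 XOR 560.13.
# All inputs here are constructed stand-ins, not the real Cicada files.
import base64
import random

FILLER = b"33010"  # the repeating string seen after the base64 on the page


def xor_bytes(*streams):
    """XOR any number of byte strings position by position (truncates to the shortest)."""
    n = min(len(s) for s in streams)
    out = bytearray(n)
    for s in streams:
        for i in range(n):
            out[i] ^= s[i]
    return bytes(out)


def filler_bytes(length, offset):
    """`length` bytes of the endless 33010 pattern, starting `offset` bytes into it."""
    return bytes(FILLER[i % len(FILLER)] for i in range(offset, offset + length))


def build_output(png, total_len):
    """Constructed stand-in for the decoded result: base64(png), then filler up to total_len."""
    b64 = base64.b64encode(png)
    return b64 + filler_bytes(total_len - len(b64), 0), len(b64)


def recover_unknown_tweets(mp3, f560, posted, b64_len):
    """`posted` = tweet bytes seen so far (must already cover the base64 part).
    Every later output byte is known filler, so the later tweet bytes follow directly."""
    k = len(posted)
    if k < b64_len:
        raise ValueError("need the tweets covering the base64 part before extrapolating")
    pad = filler_bytes(len(mp3) - k, k - b64_len)  # filler pattern starts right after the base64
    return posted + xor_bytes(mp3[k:], f560[k:], pad)


def demo():
    """Constructed scenario: hide the tail of the tweets, recover it, check the png survives."""
    rng = random.Random(3301)
    png = b"\x89PNG\r\n\x1a\n" + bytes(rng.randrange(256) for _ in range(40))
    output, b64_len = build_output(png, 120)
    mp3 = bytes(rng.randrange(256) for _ in range(len(output)))
    f560 = bytes(rng.randrange(256) for _ in range(len(output)))
    tweets = xor_bytes(output, mp3, f560)         # what would have to be tweeted
    posted = tweets[:b64_len + 3]                 # pretend the rest is not out yet
    recovered = recover_unknown_tweets(mp3, f560, posted, b64_len)
    png_back = base64.b64decode(xor_bytes(recovered, mp3, f560)[:b64_len])
    return recovered == tweets and png_back == png
```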
<Lurker69> Ymgve: so you actually outsmarted cicada and calculated tweets in advance...
<Ymgve> I think they intended for us to be able to
<Ymgve> if not the padding might be more irregular
Once he had the whole tweet feed, we were able to construct the whole jpg file.
Then we were able to run outguess on it.
Outguess output of the Gematria Primus jpg
http://pastebin.com/UA5xDk7s
PGP confirmed.
FIRST ONION PAGE
Message embedded as tabs/spaces
Decode as binary to ASCII: space (0x20) = 0, tab (0x09) = 1
"Come to emiwp4muu2ktwknf.onion" "We shall await you there." "Good luck." "3301"
http://emiwp4muu2ktwknf.onion/
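A decoder for the tabs/spaces scheme above, added here as an example (not code from the page or from the solvers). It assumes the hidden run is a stretch of only tabs and spaces at least eight characters long, and the sample html it decodes is constructed.

```python
# Added example: decoding the tabs/spaces message on the first onion page
# (space 0x20 = bit 0, tab 0x09 = bit 1, eight bits per ASCII character).
# The html below is constructed; only the encoding scheme comes from the page.
import re


def decode_whitespace(text):
    """Gather every run of 8+ tabs/spaces (ordinary single spaces in prose are ignored),
    map space->0 and tab->1, and read the bit string eight bits at a time."""
    bits = "".join(
        "".join("1" if c == "\t" else "0" for c in run)
        for run in re.findall(r"[ \t]{8,}", text)
    )
    usable = len(bits) - len(bits) % 8  # drop a trailing partial byte, if any
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))


def encode_whitespace(message):
    """Inverse of the above: each ASCII character becomes eight spaces/tabs."""
    return "".join(
        "".join("\t" if bit == "1" else " " for bit in format(ord(c), "08b"))
        for c in message
    )


# Constructed page: the hidden run sits between </head> and <body>, invisible in a browser
SAMPLE_HTML = (
    "<html>\n<head><title>3301</title></head>"
    + encode_whitespace("Come to emiwp4muu2ktwknf.onion")
    + "\n<body>\nPatience is a virtue.\n</body>\n</html>\n"
)
```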
The onion page looked like this; at first it showed 2/3 of the cicada, later the whole cicada. We don't know what triggered the change.
onion v1
onion v2
http://img94.imageshack.us/img94/2627/d436f4de14464afdb6eb3fb.png
Because
Web browsers are useless here.
People on Linux started telnetting to the page. Meanwhile people on Windows were gaming like mad.
nc -x localhost:9050 emiwp4muu2ktwknf.onion 80
Commands: help, [number], count [number], hello
count [phrase]: calculate the number value of the phrase based on the table in the image
Also, entering a number factorizes it: 10 gives 2 5, 20 gives 2 2 5
<brotherBox> count a 97* count b 61+ count c 13*
I think this came from telnet:
hello
then some magic (hex to ASCII) happened and we got this:
PGP confirmed
ONION 2
http://pastebin.com/hR0MY2j0
http://i.imgur.com/J7Zfv.jpg
<html> <head><title>3301</title></head> <body> Patience is a virtue. <!-- which means, come back soon. --> </body> </html>
OUTDATED: Both onion pages are up and working. Twitter is still feeding tweets, but we don't need them anymore since Ymgve calculated all the tweets that will be posted in future with his XOR sorcery.
Now we have to learn how to use telnet and figure out what it is doing.
WHAT WE'RE LOOKING FOR (XORing)
[22:00] <@soulseekah> expect PNG: 3603 8e8b 926c 8984
[22:00] <@soulseekah> expect PGP: 927e ede1 b224 d6c9 c90d c894 f9cf 29
[22:00] <@soulseekah> expect JPG: 408b 3f2c 9f76 d9c8 c905
[22:14] <@soulseekah> looking for anything that could decrypt wisdom/folly to start with -----BEGIN PGP SIGNED MESSAGE-----
[22:15] <@soulseekah> or LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQ if in base64
RUNES
http://www.vikingrune.com/rune-converter/?r_sentence=cthulhu&r_alpha=1&submit=Convert
http://www.sunnyway.com/runes/write_in_runes.html
The runes in the table appear to be of two different sorts: the left column is Germanic (Elder Futhark), the right column is Scandinavian (Short-twig). http://prntscr.com/oecyv http://prntscr.com/oectu
TWITTER FEEDS
http://www.allmytweets.net/?screen_name=1231507051321
http://codeseekah.com/cicada/tweets.html
view-source:http://codeseekah.com/cicada/out.hex.32.html