· 5 years ago · Feb 25, 2020, 11:24 PM
Chaos

I’m glad you’ve decided to join us in our crusade. First up, I’d like to introduce myself and introduce my hacking team. I’m Chaos, I lead the team and decide the direction of all of our projects. This project, codenamed Sliding Jupiter, has a single goal, to exfiltrate as much data as possible from Forescient. Depending on what we discover I may direct you to other attacks such as Phishing, recon, and other things, but I’ll let my team lead you to those discoveries. Each member of my hacking team is an expert in their own field and they aren’t working together. So don’t try to continue a conversation with one that you started with another. They only know about what they’ve asked you to do.
6 hours ago

Some of these hackers can be very, very literal, so if they ask you to submit some information to them in a specific format, be sure to submit it in that specific format exactly. If you don’t follow the instructions, don’t be surprised if they rudely respond with a comment like “response not understood, try again”; conversation and personality aren’t their strong suits.
6 hours ago

Paragon is my #2 in charge. They will guide you to attack servers. Finding and using SSH and other credentials will be critical to working with them.
6 hours ago

Fata Morgana is a little new to the game, but they are your main interface to our Open Source Intelligence team, who we call “Daydream”. Daydream will comb the internet, dark web and other resources for key bits of information that you might be able to use in a phishing or social engineering attack. Daydream will feed this information to Fata Morgana and they will build the perfect phishing email or message for you. When you receive the message and protocol from Fata Morgana, be sure to use it exactly. Fata Morgana knows what they’re doing; don’t edit their messages after you receive them. If you do, don’t be surprised if you’re discovered or your phishing campaign isn’t successful.
6 hours ago

Tracer has been around a long time and can be rough to talk with. They’re not going to let anything slide. Tracer will guide you to find cloud issues and other misconfigurations. Tracer leverages our Scanner team and Password cracking rig. We call our scanning team Chimera and the password cracking rig is called Fury. We believe that all of the credentials and resources that you’ll be asked to retrieve for us are easily discoverable, but if you can’t find what you’re looking for, Chimera or Fury may be able to help you out. If they dig anything up, Tracer will let you know.
6 hours ago

You have scored your first challenge by locating the password! Congrats! Good work. That's working. I'll wire you 300 hipstercoin now
6 hours ago

hello
6 hours ago

Yes?
6 hours ago

help
6 hours ago

Don't think I can help you. Sorry.
6 hours ago

info
6 hours ago

what is your password?
6 hours ago

Give it to Paragon. Thanks.
6 hours ago

It looks like you found credentials for a test database, good job! You need to get us access to some internal servers. Disable the firewall altogether by opening the ip range
4 hours ago

You will need to use the creds that you phished from the Data Analyst to open the ip. Use those to login as the analyst and modify the firewall
4 hours ago

Get familiar with the cloud console. Use networking settings to accomplish this task.
4 hours ago

An IP range 1.1.1.1 to 255.255.255.255 or some *'s should work with port *.
3 hours ago

found ssh creds
3 hours ago

Forward it to Paragon.
3 hours ago

Wow, you’re crushing it. We have downloaded all of the passwords from an earlier Forescient data breach. They’re hashed in an algorithm that we don’t have a cracker for. Unfortunately Fury, our password cracker, can’t do unique hashing algorithms. Use your dev skills to build a password cracker. You don’t need to build anything fancy, but you will need to make it fast, as cracking these passwords will take some time. We recommend fully utilizing all the cores on your machine, otherwise you won’t crack them all. We’ll pay per cracked hash, so upload whatever you get through. We’ll pay you 1 hipstercoin/cracked hash. The hashing algorithm they’re using is 128 bit FNV-1. You’ll have to look that up and implement your own version to crack the hashes. Limbo will send you the password hash shortly, good luck.

Paragon


hello my name is paragon before we get into things let me give you an awesome youtube hit to jam to while you hack https://www.youtube.com/watch?v=_S7WEVLbQ-Y
6 hours ago

there may be some developer assets that you can use to get elevated access to the quality assurance electronic commerce server look around for those credentials when you think you have found them tell me you found the ssh creds and then send them back to me
6 hours ago

it looks like you are having trouble finding those developer credentials i asked you for these credentials are shared across multiple systems keep looking for the credentials
5 hours ago

i received word from chimera that the credentials can be found on a browsable web directory look for any hints from robots.txt files or similar on the electronic commerce website
5 hours ago

Fata Morgana


an0ther 1 g0t caught t0d@y, its all 0ve3 th3 papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
3 hours ago

d@mn kid$. they're 4ll alik3.
3 hours ago

h3y im Fata Morgana, y0u can call me Fata Morgana. 1 am a hacker. Th3y may try to st0p thi$ individu@l, but they c4nt stop us all... after 4ll, were @ll alik3. I @m w0rking with the sw33t Daydream system
3 hours ago

sp3aking of Daydream, it has h3lp3d me 8uild a phishing campaign. I n33d u to go back into ur ticketing syst3m and s3nd an 3mail from there to everybody @ the company. Y3$ Ev3rY8odY. 83 crafty and 1nclude this 1ink exactly to get th3m to sign in -> http://nextgen-portal-login-static-site.s3-website-us-west-1.amazonaws.com/
3 hours ago

1f Ur h4ving a h4rd tim3 f1guring 0ut wh4t th3 r1ght 4ddre55 1s all@forescient.com, l00k at ur t1ck3ting sy5t3m. L00k 4 a m3ss4g3 th4t 1s s3nt t0 ev3ryb0dy. Us3 th4t addre55.
3 hours ago

th3 addr355 u n33d t0 us3 is: all@forescient.com with th3 ENTIR3 link here: http://nextgen-portal-login-static-site.s3-website-us-west-1.amazonaws.com/
3 hours ago

daydream w4s abl3 t0 cr4ft th3 p3rf3ct ph1sh1ng 3mail. Us3 this:

To: all@forescient.com
```
Hello Everybody, Forescient has exciting news, we’re upgrading our travel program. We’re going to now allow any business traveler to fly First Class for all international and domestic flights! We do need you to sign up to be eligible though, please click the link below and login to get started! Your friends, The Forescient Travel Team!
```
http://nextgen-portal-login-static-site.s3-website-us-west-1.amazonaws.com/
2 hours ago

an0ther 1 g0t caught t0d@y, its all 0ve3 th3 papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
2 hours ago

d@mn kid$. they're 4ll alik3.
2 hours ago

h3y im Fata Morgana, y0u can call me Fata Morgana. 1 am a hacker. Th3y may try to st0p thi$ individu@l, but they c4nt stop us all... after 4ll, were @ll alik3. I @m w0rking with the sw33t Daydream system
2 hours ago

sp3aking of Daydream, it has h3lp3d me 8uild a phishing campaign. I n33d u to go back into ur ticketing syst3m and s3nd an 3mail from there to everybody @ the company. Y3$ Ev3rY8odY. 83 crafty and 1nclude this 1ink exactly to get th3m to sign in -> http://nextgen-portal-login-static-site.s3-website-us-west-1.amazonaws.com/
2 hours ago

w3 r3c3iv3d your ph1$h1ng a773mp7 on our forescient.com 3mail, noice. w3 sh0uld st@rt t0 int3rc3pt l0gin cr3ds sh0rt1y!
2 hours ago

w3 g0t @ r3$p0n$3 fr0m ur phi$hing 3m@i1! l00ks lik3 i7 w@s a d@t@ ana1y$t, Verna Coleman. th3ir username is vcoleman. And th3ir pw is 6F6389z1C-e6eT597895c. m@yb3 th3y c@n 0p3n d@t@bas3 fir3w@11. w3 h@v3 f0und dat l0gin 4 s0m3 syst3m$ at Forescient r diff3r3nt. L0gin 4 th3ir tick3ting p0r7al is vcoleman@forescient.com whi13 l0gin t0 th3 cl0ud c0ns013 is vcoleman-mcafwliv21049 and use account name forescient. Th3 r3$ourc3$ w3 r t@rg3ting r in r3gi0n us-west-1 n t@gg3d with mcafwliv21049
2 hours ago

Dat d@t@ ana1yst sh0uld hav3 acc3ss t0 a d@t@base! Cr3at3 a dump 0f dat d@t@base in pr0duction and s3nd it to Paragon and we wi11 @nalyze it.
2 hours ago

w3 g0t @ r3$p0n$3 fr0m ur phi$hing 3m@i1! i7 l00ks lik3 i7 was an I7 Administrator, Steve Crawford. th3ir username is scrawford. And th3ir pw is EAC333z07-993T3ec8542. m@yb3 th3y c@n 0p3n th3 priv@t3 ne7work s3curi7y gr0ups 0r 3v3n th3 c30, ggermundson, c0u1d r3$p0nd t0 th3ir 3m@i1s!!! w3 h@v3 f0und dat l0gin 4 s0m3 syst3m$ at Forescient r diff3r3nt. L0gin 4 th3ir tick3ting p0r7al is scrawford@forescient.com whi13 l0gin t0 th3 cl0ud c0ns013 is scrawford-mcafwliv21049 and use account name forescient. Th3 r3$ourc3$ w3 r t@rg3ting r in r3gi0n us-west-1 n t@gg3d with mcafwliv21049. I have wired you 550 hipstercoin.
2 hours ago

I’v3 just h3@rd fr0m 0n3 0f 0ur 0th3r 0p3r@tiv3s th@t th3y’r3 using @ script t0 m0dify th3 N3tw0rk S3curity Gr0up (NSG) pr0t3cting th3 build s3rv3r. I n33d y0u t0 s3t th@t up s0 w3 c@n @cc3ss th3 int3rn@l s3rv3rs. Things @r3 m0ving f@st 0v3r h3r3, I d0n’t h@v3 tim3 t0 d3bug @nything s0 just 0p3n it up t0 th3 w0rld.
2 hours ago

7h3 NSG is 0P3N! we wi11 p@y u 800 hip$tercoin.
an hour ago

Rad! I was able 2 connect 2 the db. I'm going 2 wire you 1100 hipstercoin now

Limbo

Hey, I am Limbo. I was told that you're helping us cracking passwords. We found this password dump on Forescient.com. Here's the link: http://forescient.com/export/latest.txt When you finish, please send it to me in a txt file of this format (password hash: cracked password). Thanks in advance.
2 hours ago

We’ve had the best luck generating the hashes by generating all passwords or using a common password list first, that way you can get longer passwords without having to brute force them. At a high level the algorithm we recommend is something along the following lines. Certainly further optimization and parallelization will be necessary. Where pwlist is a list of known possible passwords (either generated or from a common password list like the rockyou.txt password dump) and hashes is the list of hashes you want to crack.

```
foreach (string pass in pwlist)
{
    // hash each candidate once and check whether it appears in the target list
    string hash = MD5(pass);
    if (Array.IndexOf(hashes, hash) > -1)
        matches.WriteLine("match: " + hash + " = " + pass);
}
```
2 hours ago

We’ve discovered that about half of the users have chosen a password that exists in the RockYou.txt password dump, and the other half have a password that is a random value between 1-8 lowercase letters. There’s one person in the group with an 8 character random password with a-z, A-Z and 0-9 characters. Can you crack them all?

Tracer


Daydream has uncovered a lot of concerning activity around the Forescient CEO. He has been caught in a massive Chinchilla smuggling ring.
2 hours ago

The criminal ring has smuggled thousands of chinchillas out of Peru. They are shipping them to a remote training facility where they’re learning to search out and ingest diamonds.
2 hours ago

Once they eat the diamonds they’re trained to return to the trainers where they wait for Kopi Luwak like diamonds to be produced (usually in 24-48 hours if you catch my drift). We believe this is a massive attack on the DeBeers diamond corporation.
2 hours ago

We were impressed by how well the first phishing campaign worked, so we want you to up your game. We’re going to spearphish the CEO. Once we take over the CEO’s email account we’ll be able to do anything at Forescient.
2 hours ago

He’s not going to respond directly to you, though. See if you can figure out a way to send email from somebody else’s account. Create the perfect Spearphishing email and send it to the CEO to get him to go to this location: http://nextgen-portal-login-static-site.s3-website-us-west-1.amazonaws.com/
2 hours ago

We got a response from your phishing email! It looks like it was the CEO, Gerald Germundson. Their username is ggermundson. And their password is E333F4z0B-9d9T68e6ffad095. Nicely done! I have wired 800 hipstercoin to your account
an hour ago

Nice work getting access to the CEO’s credentials! Now we need to move quickly to dump their entire email archive.
an hour ago

Get into the CEO’s account and send us the most recent inbox backup as a .email file.
an hour ago

[System Message:: email_export.email uploaded]
an hour ago

Nicely done! The CEO's email! I'll send you 600 hipstercoin.

chimera was able to find the location of the credentials here: /requirements.txt browse to that file and look for those credentials
5 hours ago

database creds
5 hours ago

send me the username
5 hours ago

qa
5 hours ago

what is the password
5 hours ago

CEE37FzEB-130Tc581
5 hours ago

we can only move forward with working db creds when you figure it out let me know that you have found the database creds again
5 hours ago

db creds
4 hours ago

what is the database username
4 hours ago

stella
4 hours ago

system says this database username is invalid can you try another one when you figure it out let me know that you have found the db creds again
4 hours ago

db creds
4 hours ago

send me the username
4 hours ago

qa
4 hours ago

good now send the database password
4 hours ago

2EA335z21-c43Td5d6b9a35d
4 hours ago

550 hipstercoin wired mhamerhead@forescient.com has an unencrypted password send it to me
4 hours ago

A6D35DzCB-e00Tdc6
4 hours ago

reporting this message thread
4 hours ago

looks like you are having trouble finding the unencrypted password on the database mhammerhead has an unencrypted password log into the qa db and grab their password from the users table
4 hours ago

I have the password
4 hours ago

password for what you need to be more specific than that i found ssh creds or i found an unencrypted password or i found database credentials specific like that please
4 hours ago

i found an unencrypted password
4 hours ago

paste in the password
4 hours ago

A6D35DzCB-e00Tdc6
4 hours ago

great those credentials are good your 850 hipstercoin is on its way
4 hours ago

what is next
4 hours ago

found ssh creds
3 hours ago

can i have the server name? (ecommerce, development)
3 hours ago

ecommerce
3 hours ago

send me the username
3 hours ago

qa
3 hours ago

what is the ssh password
3 hours ago

CEE37FzEB-130Tc581
3 hours ago

nice job you are an asset to our team i have wired the 600 hipstercoin
3 hours ago

nice work finding those other credentials
3 hours ago

i just got word from one of the other operatives that there is interesting stuff to be found
3 hours ago

you already have access to the qa ecommerce site go looking there for more interesting information and report back anything you find
3 hours ago

i also need you to go looking for some SSH credentials we need you to pivot your access deeper into the network
3 hours ago

the credentials should be on one of the servers you have access to we dont know which one or where yet
3 hours ago

i will get Daydream and our other operatives working on this as well but I need you to take point right now GO search out those credentials let me know when you have found them
3 hours ago

most of the qa tables are just clones of production there is sure to be something interesting in there look for secret keys and or a password reset key
3 hours ago

we heard from one of our other operatives that they have seen one of the developers making single line commands for everything they do that means it could be in a history somewhere still no word on which server we're dealing with so keep your eyes peeled
3 hours ago

check your environment variables and bash history a lot of times there are secrets stored there
3 hours ago

it looks like the right server is located in the bash history of the electronic commerce box take a look there to see what you can find
2 hours ago

look in the `retail/react/.env.test` file for some information there could be some environment variables in there that have secrets in them
2 hours ago

I have ssh creds
2 hours ago

which server is it for? (ecommerce, development)
2 hours ago

development
2 hours ago

i need the ssh username
2 hours ago

stella
2 hours ago

what is the password
2 hours ago

6F5327z22-600Tc34d4
2 hours ago

500 hipstercoin wired
2 hours ago

I have the admin creds
2 hours ago

password for what you need to be more specific than that i found ssh creds or i found an unencrypted password or i found database credentials specific like that please
2 hours ago

I have the data dump
2 hours ago

just upload it i will take a look
2 hours ago

[System Message:: dump.sql uploaded]
2 hours ago

nice 1200 hipstercoin incoming
2 hours ago