Suspicious Activity
I enjoyed the first season of Mr. Robot, which aired in May of 2015. I've been busy with life, and don't have a lot of time to watch a show unless it's one my kids like, or my wife and I both like, so I missed Season 2 when it was aired in 2016. An advertisement for Season 3 caught my eye recently, so I've been trying to find time to catch up. While watching the first episode of Season 2, |"2.0_unm4sk-pt1.tc"| I noticed a QR code scribbled in the main character's notebook. QR codes are still exotic enough to kind of stand out in my mind. I was sure, given the show's genre, that it would lead to something interesting. After pausing the show, rewinding, and scanning the code, sure enough it led me to a suitably 90s looking website: conficturaindustries.com.
Confirming My Suspicion
Of course the first thing you do is look at the source of the page and find out what goodies are hidden therein. Among the things I checked first, I hand un-minified some of the javascript (I was too lazy to find tools that do this and the source was really short) to get an idea of what hidden behavior the page might have:
// c.js from http://conficturaindustries.com
$("#a").on("touchstart click","> *", function(a) {
if(a.stopPropagation(),a.preventDefault(), i && !a.handled) {
var e=parseInt($(this).attr("src")[7]),
c="";
e = e < 9 ? e + 1 : 0;
var r="images/"+e+".gif";
$(this).attr("src",r),
o && clearTimeout(o),
o = setTimeout(function() {
for(var a=0;a<7;a++) {
var e=$("#a").children()[a];
c+=$(e).attr("src")[7]
}
t(parseInt(c))
}, n)
,a.handled=!0
}
}).on("dblclick",function(t){t.preventDefault()})});
TLDR; if you click on the digits of what looks like an old-school hit counter, that digit is incremented modulo 10, a POST is made to the server with the numeric value of the counter, and the response is checked.
POST /check.php HTTP/1.1
Host: www.conficturaindustries.com
If the response indicates success, then the counter is replaced with a form input. Aha! So there is a secret numeric value we need to input here, and then there will be a secret input of some kind we need to put in the resulting form field. But what the heck is the value? Initially I was convinced that some time value (like midnight, 11:59pm, etc) was the answer. But all initial attempts were met with the same response: {"response":false}
What of this initial value of the counter. What is it in base 16? That looks suspiciously close to leet-speak for robot? Ah, no.. it really does show a unique count for each visit as an initial value. Alrighty then, why don't a just set a script to POST to that endpoint every value between 0 and 9999999 while I go look for more clues?
The Restaurant
Grasping at Straws
7174800. No? NO!? Damn, I thought I had it. Time passes.... I'm working from home with Mr. Robot on in the background. Oh.. I heard something, I caught a thing out of the corner of my eye, They're gonna order some BBQ in Episode |"eps2.9pyth0n-pt1.p7z"| I know that menu. That is for sure Red Wheelbarrow. Wait a minute.. where else did we see Red Wheelbarrow? Wowzers, there it was on his journal in Episode |"2.0unm4sk-pt1.tc"| and oh.. it was made by Confictura Industries? Well then. Oh, and now they're going to use some random ass operations to arrive at an "unguessable" value. I'm glad they also use some free web tools to convert values between different encodings. I've never heard of Erdos-Woods numbers, so that definitely piques my interest. More to come...
