Ok, I’m giving up.
Found the password reminder within minutes but didn’t manage to get the password right after 40 minutes of trying. The narrative allowed me to narrow it down to five possible birth dates and two possible birth years.
After several hundred attempts, I haven’t been able to get it right. German date format, ISO date format, with century, without century, name prefixed, nothing prefixed.
Feels frustrating but I’m simply too dumb, I guess.
Still didn't help me. I've seen both hints and seen the calendar, and after 6 attempts I had to give up, felt a bit frustrated. Maybe accept a range of different answers?
I think you need to set a bar of solving the first puzzle a little lower so that we can get an idea of your methods. I too don't have time to sit here brute forcing a game by hand when it could be any capitalization,
and when I wrote this comment, something occurred to me about it and I tried it and got in. Rubber ducky ftw.
Yep, bugged me too. Looked at the js source to see what clicked items I missed. Then guessing the password was a lot easier. Also trying the cheaphash function in the console was a lot faster than entering then keep reentering the username. The hash function result is very length dependent, so it was quite clear how long of a password I was looking for.
I thought I was clever in thinking the code to the filing cabinet would be a birthdate in MMDD format, but I never got it. "5928" made me think the code might be 5280, the number of feet in a mile, but to no avail.
Well, apparently she has 2 kids? Ryan and Daniel (mug reveals "Daniel" with a crudely drawn baby). Then if you look at the calendar you can see Daniel was born June 12 and Ryan was born December 5, but beyond that I can't figure out a year.
Username is "anne.kingston" but I've tried all the following passwords to no avail:
DDMM is what we were supposed to guess somehow. Fine to have to guess that for a pen test or real security analysis, less fun for a game where you have no clue if you're really on the right track.
Ack, I'm really sorry—the rate limiting is harsher on new accounts because of past activity by spammers and trolls, and is definitely not intended to throttle legit users like yourself.
I've allowed the stuck comments to go through and have merged the comments from your second account back into this one, so they're all in one place. I've also marked this account legit so you can post as much as you want. Welcome to HN in any case! Let us know at hn@ycombinator.com if we can help with anything.
I got it after many attempts but, I confess, by tinkering directly with the `cheapHasher` JS function in the console. With that in-game form? it could have taken ages to guess.
I think it's nice. I'd defintely play another one if you made it. I completed the first part of the puzzle, but wasn't able to figure out where Anne went.
Hi, I'm the maintainer and put together the code for this first working prototype of the digital version of the game. Thanks already for your feedback!
I will gladly provide hints here if you get stuck :)
I think there are a lot of best practices that can be rehearsed in this format
Recently I had been thinking about how interesting it would be to have a movie or tv show where a protagonist is trying to guess someone's password and they encounter a password manager and give up, or the character tells them they use a password manager as if it was the most obvious thing to do. That would make more sense than sticky notes or seeing some hint in the room that reveals the password.
I kind of enjoy the graphics... Makes the focus to be shifted on the actual gameplay. You care about the process of discovery more this way. At least that's how it worked for me, but I'm not a regular game player person.
No the top one with the code. It provides a clear hint on the password of the computer. And the code is really stupid (not even a birthday or anything ;) )
Okay, I did find that hint, but the problem is, that while it gives you a hint on what you looking for, there are so many possibilities, how you can type a date as a password (assuming it is the 31st January 2010, which it is not):
2010-01-31
20100131
2010.01.31
31.01.2010
01-31-2010
01/31/10
31.1.2010
31st January 2010
3101
Just to give some examples. If the name of a person can be added, there are a lot more combinations. If there are even multiple people (as in this case) you might even think about mixing those dates.
I think the only other confusing part is the bank email. Given that the premise is that her cybersecurity is weak, I would think that the transactions are actually because she fell it.
It's pretty nice! I just wish there was a button to zoom out, this got me confused at first and I refreshed the browser thinking it was a glitch. The desk has a + button to zoom, surely you could leave it there at all time and add a - button next to it.
Good point. The controls need better alignment. I had some trouble with the svg zoom and pan stuff and I was trying to stay away from using too many frameworks so the solution is still a bit buggy.
I would say that is equivalent to asking Marwin. So you pass :)
In fact, this is a welcome solution to the game. When used as an educational tool, this can be used as a starting point to discuss ways to bypass intended ways of accessing something.
Yeah the click zone on the object where you find the bank account is so small I thought it wasn't clickable. In the end I looked at the JS and then it became clear where it was and that it was actually clickable.
PS: Marwin sounds like a dick. He's whinging about her holidays and doesn't even know about her newborn, clearly didn't give her maternity leave either. I don't think I'd actually help him :D
"Aah! You've found an end of the prototype. This will be the place where you can figure out where Anne might be...
However, if you haven't stopped the transactions yet, keep playing :)"
I found that too. It’s just that there is a lot of detail, eg in the emails etc, that don’t seem to contribute anything to the game, and then you hit this abrupt place where it says “this will tell you where Anne is”, but it doesn’t.
It feels like there should be some other thing to explore somewhere that makes sense of the emails and the cake and the odd tweets.
I suspect that you should be able to find the location from the Annie's bank transactions, but I don't know the account code (and ahem looking at the JS source, it seems that only the company account is implemented)
Ah, my bad... didn't find the personal acc number as well. The passwords are way too easy to find, yes, but you're not tracking down a security engineer but an "everyday Karen" :)
-The targets for mouse clicks are definitely too small (you've heard that already). Could also do something like clicking whilst zoomed in to zoom back out, or just standardising the buttons to +/-.
-Add a way to get all the way back to the preamble, and a writeable notepad of some description.
-Tighten up the initial login validation - I found plausible passwords that neither passed nor failed, if that makes sense. (DM me for details, or I can write up here if you like.)
Yeah the JS gives some snide comments about this being the 'creative' way. But this is what I like about pentesting. There is no good or bad way. If you get stuck, try something else. Any way you can break the system is a good one.
* I struggled to understand what was clickable. The little red thing on the table seemed important. I guess not.
* Please don't make passwords case sensitive in games like this
* The puzzle felt too tough without the hint you posted. I'm not sure how I was supposed to know the password format. I wasn't able to open the drawer until mistakenly thinking the win code was the solution to the drawer, which it sort of was. But I more or less guessed the name and date were the password. I likely wouldn't have gotten it for a long time unless you posted the format.
* The stuff on the computer felt a little too simple. It also implied there was more to the game after the win code but I think not?
actually i did not feel it too tough. the intro said she is single and on the calendar there is a heart next to a name Daniel (plus "Daniel" is on the mug as well but I touch others' mug at the last resort), so my first try for password was name+month+day naturally :)
Did anybody else notice the password d3cem8er5 generates the correct cheapHash of 3880, but the salted hash fails. I get redirected to a non-existing page (ie. get a 404). Was that an intentional red herring or just a coincidence lol?
Solid prototype! As others have pointed out the clicking is a bit janky on Firefox but the exploratory aspect and world building is well done.
One thing I noticed is that the real online banking window displays "UPC Bank" in the title bar (just like the fake one). I guess that's a mistake since that was one of the main giveaways that it was fake.
Concept reminds me of the hacking minigame from ‘Enter the Matrix’ on PlayStation 2. The game presented you with a DOS prompt and a few simple commands; you had to unlock new commands and uncover hidden information by exploring the file structure and inferring from the output of commands available to you.
Made a very positive impression on a much younger me. The DOS prompt on my parents’ PC had always been a bit scary, since I didn’t really know what I was doing and was worried I might mess something up. The game was a (very limited) sandbox in which I could mess around without consequences:
It was nice to take a break after work and have a quick challenge. I guess the hard part was the password, after login it was over quickly. The game almost lost me on password guessing, I misunderstood something and had a different date. Hammering away at the password wasn't fun. Between guessing the name, the date, the date format, and case sensitivity, it leaves one with too many options to hammer away at manually.
Are the "File 1" and "File 2" links in mail supposed to open something? I got to that point and I think that's how to find the bank account number but I'm not sure.
94 comments
[ 3.1 ms ] story [ 148 ms ] threadAfter several hundred attempts, I haven’t been able to get it right. German date format, ISO date format, with century, without century, name prefixed, nothing prefixed. Feels frustrating but I’m simply too dumb, I guess.
https://txt.fyi/-/20336/ede282d7/
and when I wrote this comment, something occurred to me about it and I tried it and got in. Rubber ducky ftw.
Also took me a while to figure out the calendar zoomed in because it didn't work the first few times
Is there a way of finding out the format in the game? I would never have tried that
Frustrated, I just entered 0000!
Similar to a TODO comment... it just never got done.
Username is "anne.kingston" but I've tried all the following passwords to no avail:
- June12
- june12
- 612
- December5
- december5
- 125
Thanks for the feedback and sorry you didn't find the password! We're considering to add a uhs-hints.com-style guide in the future.
Here's a hint with another hint included: https://txt.fyi/-/20336/e86ca3bf/
How would I be able to read the calendar? Is there a minimum resolution to play this game?
The UI is really bugged, try clicking all over the calendar, it should eventually zoom in
The calendar should be clickable and it should then be readable. But I've just tested and there seems to be a glitch that makes it hard to click.
Try to click on the black lines! I'll fix this soon as possible.
I've allowed the stuck comments to go through and have merged the comments from your second account back into this one, so they're all in one place. I've also marked this account legit so you can post as much as you want. Welcome to HN in any case! Let us know at hn@ycombinator.com if we can help with anything.
It's great to know you like the game type. I've considered turning this into an easily adaptable format so this is within our scope :)
I will gladly provide hints here if you get stuck :)
Many thanks also to atum47, whose FOS, Fake Operating System I've used for the game. You can find it here: https://github.com/victorqribeiro/fos
We have developed the game at the University of Applied Sciences and Arts Northwestern Switzerland, School of Business, Institute for Cyber Security & Cyber Resilience. https://www.fhnw.ch/en/about-fhnw/schools/business/iwi/cyber...
The game is based on a student work that has been published here: Schneider, Bettina, and Trupti Zanwar. "CySecEscape–Escape Room Technique to Raise Cybersecurity Awareness in SMEs." https://conference.pixel-online.net/FOE/files/foe/ed0010/FP/...
hope you get this ironed out
I think there are a lot of best practices that can be rehearsed in this format
Recently I had been thinking about how interesting it would be to have a movie or tv show where a protagonist is trying to guess someone's password and they encounter a password manager and give up, or the character tells them they use a password manager as if it was the most obvious thing to do. That would make more sense than sticky notes or seeing some hint in the room that reveals the password.
You should be able to click many of the objects (e.g. the cup) to zoom in.
Nice work, but as an old gamer I'm wondering if throwing the graphics in some established game engine wouldn't have made it work more consistently :)
In fact, I never managed to open the third drawer.
2010-01-31
20100131
2010.01.31
31.01.2010
01-31-2010
01/31/10
31.1.2010
31st January 2010
3101
Just to give some examples. If the name of a person can be added, there are a lot more combinations. If there are even multiple people (as in this case) you might even think about mixing those dates.
Keep up the good work, a bit more polishing and it's going to be even better.
Otherwise, great job!
Taking this to the list of to-dos
At the moment this is a placeholder :)
We're considering to include this game in another project once it's a little more matured.
In fact, this is a welcome solution to the game. When used as an educational tool, this can be used as a starting point to discuss ways to bypass intended ways of accessing something.
PS: Marwin sounds like a dick. He's whinging about her holidays and doesn't even know about her newborn, clearly didn't give her maternity leave either. I don't think I'd actually help him :D
> Aah! You've found an end of the prototype. This will be the place where you can figure out where Anne might be...
> However, if you haven't stopped the transactions yet, keep playing :)
I wont tell where this is to avoid spoilers :)
It feels like there should be some other thing to explore somewhere that makes sense of the emails and the cake and the odd tweets.
If it's indeed the end, nice game!
edit: although, I still haven't found the Anne's location
I couldn't find the account id for her bank account. Is it supposed to be there? I'll keep looking.
edit: the WIP message in the messaging system makes me think that you can't yet track the Annie.
Also, is it supposed to be so simple to find the account password?
Suggestions:
-The targets for mouse clicks are definitely too small (you've heard that already). Could also do something like clicking whilst zoomed in to zoom back out, or just standardising the buttons to +/-.
-Add a way to get all the way back to the preamble, and a writeable notepad of some description.
-Tighten up the initial login validation - I found plausible passwords that neither passed nor failed, if that makes sense. (DM me for details, or I can write up here if you like.)
The username is "anne.kingston". I found the password hash, but not sure how to go back to get the password itself.
Password hash: (hashy == "3880" && saltedhashy == "2425")
The hash is computed in a loop as: `prehash += (s[i].charCodeAt() * (i+1));`
I'm not sure how to go reverse this. Maybe someone can help?
Here's a tuple of passwords tried and their hash and salthash:
(Password, Hash, Salthash)
(daniel, 8221, 2197)
(hello, 7004, 3970)
(password, 3970, 1268)
(123, 302, 4415)
(something, 4814, 2749)
* I struggled to understand what was clickable. The little red thing on the table seemed important. I guess not.
* Please don't make passwords case sensitive in games like this
* The puzzle felt too tough without the hint you posted. I'm not sure how I was supposed to know the password format. I wasn't able to open the drawer until mistakenly thinking the win code was the solution to the drawer, which it sort of was. But I more or less guessed the name and date were the password. I likely wouldn't have gotten it for a long time unless you posted the format.
* The stuff on the computer felt a little too simple. It also implied there was more to the game after the win code but I think not?
- Make the first puzzle much easier. A quick win would help hook us in.
- The password could be either kid (or is Daniel the husband?), any capitalization, date format, spacing, etc. Too much to brute force by hand.
- The clicking is wonky and I often wondered if I was missing something.
One thing I noticed is that the real online banking window displays "UPC Bank" in the title bar (just like the fake one). I guess that's a mistake since that was one of the main giveaways that it was fake.
Made a very positive impression on a much younger me. The DOS prompt on my parents’ PC had always been a bit scary, since I didn’t really know what I was doing and was worried I might mess something up. The game was a (very limited) sandbox in which I could mess around without consequences:
https://www.ign.com/wikis/enter-the-matrix/Hacking
Go Isotopes!