Email Intercept

Discussion in 'Fan & Sandbox Missions' started by Ugly, Jun 29, 2014.

  1. Ugly

    Ugly Senior Agent

    [Priority 2 Intercept]
    [Minimum Detection Required]
    ((Please no hacking/brute forcing/etc! I don't own the server the site is on, so treat it as a puzzle only, thanks!))
    [Respond privately with intelligence acquired]
    Code:
    Return-path: <[email protected]>
    Envelope-to: [email protected]
    Delivery-date: Sun, 13 Nov 2011 14:21:55 -0600
    Received: from localhost ([127.0.0.1]:33141 helo=www.flathelix.com)
      by www.flathelix.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
        (Exim 4.82)
        (envelope-from <[email protected]>)
        id 1X1Lbn-0002qP-29
      for [email protected]; Sun, 13 Nov 2011 14:21:55 -0600
    Received: from 97.125.173.34 ([97.125.173.34]) by box413.bluehost.com (Horde
    Framework) with HTTP; Sun,13 Nov 2011 20:21:52 +0000
    Date: Sun, 13 Nov 2011 20:21:52 +0000
    Message-ID: <[email protected]>
    From: [email protected]
    To: [email protected]
    Subject: Re: Extranet access
    User-Agent: Internet Messaging Program (IMP) H5 (6.1.4)
    Content-Type: text/plain; charset=UTF-8; format=flowed; DelSp=Yes
    MIME-Version: 1.0
    Content-Disposition: inline
    X-Identified-User: {1905::flathelix.com} {sentby:smtp auth 127.0.0.1 authed with [email protected]}
    
    FFS John, I am not reseting your password again, you need to remember
    the damn thing! I even set up the other way for you to remember it on
    the site. Did you forget that password too? I'm guessing not since
    you're willing to drive the extra 10 miles every time it's your turn.
    Or did you just forget to set it to 2?
    
    Roger
    
    FlatHelix
    Fairfield Technology Park
    Fairfield, ME
((I started putting this together for my first RP cabal, which folded not that long after release :( Decided the little bit I had finished might be worth a bit of entertainment for the group here. Please no hacking/brute forcing/etc! I don't own the server the site is on, so treat it as a puzzle only, thanks (saying it twice to be safe). Have fun!))
     
    Last edited by a moderator: Jul 8, 2014
    6 people like this.
  2. TheChosenOne

    TheChosenOne Active Agent

    Seems like it's worth taking a closer look at this...
     
  3. bljkr

    bljkr Gold Member

Never mind.

    Outside of the puzzle question: is the flathelix website supposed to be accessible or no? Or more of a puzzle within the email there.
     
    Last edited by a moderator: Jun 29, 2014
  4. nikel

    nikel Lab 1852 - Neurals

    4 people like this.
  5. Ugly

    Ugly Senior Agent

    These fragments were recovered off of a flash drive acquired from the subject. Reversal of secure erase process may result in data integrity loss. Additional recovery in progress.

    https://app.box.com/s/z6f0rjxpidi1tnj10wi8
     
  6. Santiak

    Santiak MIA

    Update based on the above.

    4 .frag files;
    1 corrupted jpeg file
    1 corrupted pdf file
    1 corrupted txt file
    1 corrupted png(?) file

    Unverified, appears to be a spider on an ace. (bljkr)
    Supposedly user-manual for "SEQUENCHER 5.2 1991 - 2013"
    Partial recovery: here.
    Seems to be the poem "The Age Demanded" by Ernest Hemingway. (Identified by Mochi)
    Unknown.
    Unverified: In light of the above, it would appear that the password for the second login mentioned is referring to jStewart's offspring, who he has not forgotten - and thus is willing to drive 10 miles to be with, each time it's his turn.
     
    2 people like this.
  7. Ugly

    Ugly Senior Agent

  8. TheChosenOne

    TheChosenOne Active Agent

    Good work everyone! I have a lot of catching up to do, so I think you guys will probably have solved this before I get a chance to take a look at it.
     
    Last edited by a moderator: Jul 5, 2014
  9. Ugly

    Ugly Senior Agent

  10. bljkr

    bljkr Gold Member

    Update-ish from IRC discussions
    Related to the File Fragments:
    023.frag
    This is a pdf file. I don't have a fix for the corruption, but was able to open it in Sumatra PDF reader by changing the extension. It is a 1920s Call of Cthulu Character sheet totally blank. Santiak's recovered version: https://www.dropbox.com/s/b17jgjhnctn5ni7/023_recovered.pdf
    183.frag
    Internet Shortcut file leading to https://www.facebook.com/
    185.frag
    Internet Shortcut file leading to http://www.match.com/
    193.frag
    Internet Shortcut file leading to http://www.yog-sothoth.com/articles.html
    194.frag
    Executable File for SilentEye Steg tool (I added it to the Resources and Tools thread if you want the URL.)
    197.frag
    Internet Shortcut file leading to http://www.flathelix.com/employee/Schedule.pdf which means John likes his donuts, but still at an impasse on the secondary login page that would use this information. Capitalization is important in the link just fyi.
    216.frag
    PNG File: http://imgur.com/1uZk8h3 SilentEye Icon.
    Fix:
    To fix the file just need to rename the file and then hexedit byte 0x0000000c to 49 (I)
    375.frag - see Santiak's post above.
    543.frag
    JPG File: http://imgur.com/p1HpVJv It is the Windows Spider Solitaire Icon
    Fix:
    Rename the frag and then hexedit it at two spots:
    • 0x0000059 needs to be 01 not 0A.
    • 0x00000098 need to insert two bytes.
    655.frag - see Santiak's post above.
    934.frag
    Is either an installation file or executable related to HxD hexeditor. Link can be found in Resources and Tools thread.
    982.frag
    Not 100% sure about this but we believe it may be pg2591.epub from the gutenberg press (dancingtheghost found the link)
    http://www.gutenberg.org/ebooks/2591 size between what is on gutenberg and the frag is 1 kb.
    Thoughts in General
    Well based on the email and 197.frag apparently the password has something to do with a donut shop or bakery, but we haven't figured out where this secondary login page is to try said information nor how setting something to 2 is feasible. Or I think that is where we are in any case, someone correct me. :)
    Added Thought
    We haven't used the Steg program yet, so that is a possibility and it has a setting that can take a 2. I just haven't found the right password/option/image or some variation thereof that yields a result.
     
    Last edited by a moderator: Jul 5, 2014
    3 people like this.
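Added example for bljkr's 216.frag fix above (byte 0x0c back to 0x49, "I"); it is not part of the post. It restores the PNG signature and the IHDR chunk-type bytes and then uses the IHDR chunk's own CRC to confirm that nothing else in that chunk is damaged, which is the check a hex-edit repair needs before trusting the file. The sample PNG header is constructed in the block.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # fixed 8-byte file signature

def chunk_crc_ok(data, offset):
    """Check the CRC of the chunk whose 4-byte length field starts at `offset`.

    A PNG chunk is length | type | data | crc, and the CRC covers type + data,
    so a corrupted type byte (such as 0x0c) invalidates the IHDR CRC.
    """
    (length,) = struct.unpack(">I", data[offset:offset + 4])
    type_and_data = data[offset + 4:offset + 8 + length]
    (stored,) = struct.unpack(">I", data[offset + 8 + length:offset + 12 + length])
    return zlib.crc32(type_and_data) & 0xFFFFFFFF == stored

def repair_png_header(data):
    """Restore the signature and the 'IHDR' type at 0x0c..0x0f, then prove it with the IHDR CRC."""
    buf = bytearray(data)
    notes = []
    if buf[:8] != PNG_SIGNATURE:
        notes.append("signature was " + bytes(buf[:8]).hex())
        buf[:8] = PNG_SIGNATURE
    if buf[12:16] != b"IHDR":
        notes.append("IHDR type was " + bytes(buf[12:16]).hex())
        buf[12:16] = b"IHDR"
    if not chunk_crc_ok(buf, 8):
        # the CRC still fails after the two byte-level fixes: more than the
        # type field is damaged, so a plain hex edit will not recover it
        notes.append("IHDR CRC still mismatches: damage extends beyond the type field")
    return bytes(buf), notes

def make_sample_png_header(width, height):
    """Constructed test input: signature plus a valid IHDR chunk (8-bit RGBA)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + struct.pack(">I", crc)
```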
  11. Santiak

    Santiak MIA

    Possible location of second reminder:

    Open the file:
    (image attachment)

    In SilentEye.
    > Set Luminance Interval to "2"
    > Set Header Position to "Bottom"
    > Set Passphrase to "Kennebec"
    > Check "Encrypted Data" and "Compressed Data"
    > Set Key to "Kennebec" / "Kennebec" (Placeholder)

    > Hit "Decode".

    When I attempt this, with these exact settings, on this image only, I get the error:
    "An error occured during the decryption process. (wrong password key?)"

    If I attempt the exact same setting on a different image, be it jpg or png (stripdnag.jpg and tabs_back.png respectively), it merely returns the usual error:
    "This media don't seem to have a hidden message"

    If I change the settings only slightly (remove the "c" from "Kennebec" in the passphrase or set Luminance Interval to "3"), the same "standard" error message as above occurs.

    I'm unsure if this is of any consequence, but I thought it odd that only these exact settings, on that image, seemed to yield those results.

    Edit: Entering "John Stewart" as the Passphrase also yields the "Wrong password key?" error. Contemplating whether I'm seeing ghosts, I immediately tried "JStewart" as well as "Test This" and "Flathelix" instead - and was met with the "no hidden message" error.
     
    Last edited by a moderator: Jul 5, 2014
  12. TheChosenOne

    TheChosenOne Active Agent

    ((Trying to do some catching up, but I can't make heads or tails of it right now. I think I'll just keep lurking for this one. ;)))
     
    Last edited by a moderator: Jul 5, 2014
  13. Santiak

    Santiak MIA

    ((Just a friendly reminder, or early warning, seeing as the post detailing the information is still incoming.
    Keep in mind that this is the role-playing section of the forums, so any posts should be as much "In-Character" as possible, and Out-of-Character talk should be kept to a minimum, as well as clarified when it actually is OOC
    :)))
     
  14. Ugly

    Ugly Senior Agent

    Warning! An unknown monitoring device has been detected on the flathelix network. Our agents have managed to extract what may be a redundant log from a 16bit C5402 monitoring device. It appears we are not the only ones interested in Dr. Stewart.

    https://app.box.com/s/1l43757vwls441334nj0
     
  15. Santiak

    Santiak MIA

    Update:

    > Open the file with a program like notepad++ to view the hex.
    > Reverse the hex
    > Decipher to ASCII

    The decoded contents are too cumbersome to post here, but refer to http://pastebin.com/RZX9VhqD for the full list.

    2 files seem to stand out:
    http://www.flathelix.com/employee/images/stripdnag_orig.jpg
    and
    http://www.flathelix.com/employee/templates/beez5/images/system/notice-alert.png

    Addendum: stripdnag_orig.jpg is likely stegged, previous settings no longer yield any results.

    << For now, that is all.
     
  16. Ugly

    Ugly Senior Agent

    It would appear the FlatHelix website has undergone a system restore.

    ((I debated on this, but in the interest of streamlining, I have uploaded a new
    stripdnag_orig.jpg
    The CMS messing with stuff added an extra red herring that I decided was unnecessary. As a note, this first step of the ARG is solvable without any hints, assuming you made ridiculous leaps of faith and had crazy luck :D. So bonus hint day today!))
     
  17. Ugly

    Ugly Senior Agent

    A contact from the phone company has provided the following data from the time of interest for Dr. Stewart. She has said the data below roughly repeats for other time periods until "unfounded concerns" required monitored data to be encrypted.
    Code:
    1320673341 2011-ANE-1631-OE
    1320674633 64-EA-6089-OE,NA
    1320705356 2011-ANE-1631-OE
    1320759434 2011-ANE-1631-OE
    1320760724 64-EA-6089-OE,NA
    1320791452 2011-ANE-1631-OE
    1320846019 2011-ANE-1631-OE
    1320847285 64-EA-6089-OE,NA
    1320877886 2011-ANE-1631-OE
    1320932097 2011-ANE-1631-OE
    1320933307 64-EA-6089-OE,NA
    1320966077 2011-ANE-1631-OE
    1321016506 2011-ANE-1631-OE
    1321017651 64-EA-6089-OE,NA
    1321017958 00-ANE-0651-OE
    1321018216 2005-ANE-950-OE
    1321018410 2003-ANE-354-OE
    1321018529 2011-ANE-932-OE
    1321019436 2003-ANE-354-OE
    1321019632 2005-ANE-950-OE
    1321019898 00-ANE-0651-OE
    1321020217 64-EA-6089-OE,NA
    1321050532 2011-ANE-1631-OE
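
Added example, not from Ugly's post: parsing the tower log above into local-time calendar days and flagging the days whose tower sequence departs from the subject's routine. It assumes Maine local time (UTC-5, EST in November); the log lines embedded in the block are the ones posted.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
# Tower log copied verbatim from the post above.
TOWER_LOG = """\
1320673341 2011-ANE-1631-OE
1320674633 64-EA-6089-OE,NA
1320705356 2011-ANE-1631-OE
1320759434 2011-ANE-1631-OE
1320760724 64-EA-6089-OE,NA
1320791452 2011-ANE-1631-OE
1320846019 2011-ANE-1631-OE
1320847285 64-EA-6089-OE,NA
1320877886 2011-ANE-1631-OE
1320932097 2011-ANE-1631-OE
1320933307 64-EA-6089-OE,NA
1320966077 2011-ANE-1631-OE
1321016506 2011-ANE-1631-OE
1321017651 64-EA-6089-OE,NA
1321017958 00-ANE-0651-OE
1321018216 2005-ANE-950-OE
1321018410 2003-ANE-354-OE
1321018529 2011-ANE-932-OE
1321019436 2003-ANE-354-OE
1321019632 2005-ANE-950-OE
1321019898 00-ANE-0651-OE
1321020217 64-EA-6089-OE,NA
1321050532 2011-ANE-1631-OE
"""
LOCAL_TZ = timezone(timedelta(hours=-5))  # assumption: Maine, EST in November
def parse_log(text):
    """Parse 'epoch tower[,flag]' lines into (epoch, tower, flag) tuples."""
    records = []
    for epoch, ident in (l.split(maxsplit=1) for l in text.split("\n") if l.strip()):
        tower, _, flag = ident.partition(",")  # the ',NA' suffix is kept as an opaque flag
        records.append((int(epoch), tower, flag))
    return records
def daily_paths(records, tz=LOCAL_TZ):
    """Group sightings by local calendar day: date -> [(HH:MM, tower), ...]."""
    days = {}
    for epoch, tower, _flag in sorted(records):
        when = datetime.fromtimestamp(epoch, tz)
        days.setdefault(when.date().isoformat(), []).append((when.strftime("%H:%M"), tower))
    return days
def unusual_days(days):
    """Days whose tower sequence differs from the most common (routine) sequence."""
    seqs = {d: tuple(t for _, t in seq) for d, seq in days.items()}
    routine = Counter(seqs.values()).most_common(1)[0][0]
    return [d for d, s in seqs.items() if s != routine]
```

Four of the five days collapse to the same three-sighting commute pattern; only 2011-11-11 carries the out-and-back sequence through the other four towers, which is the window worth matching against the coordinates in the next post.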
    
     
  18. Santiak

    Santiak MIA

    Preliminary Update:
    Addendum: All sets located by MoPono

    2011-ANE-1631-OE: 44°37'01.3"N 69°37'28.9"W
    64-EA-6089-OE: 44°35'20.2"N 69°38'03.1"W
    00-ANE-0651-OE: 44°34'37.0"N 69°37'43.9"W
    2005-ANE-950-OE: 44°33'51.6"N 69°36'37.3"W
    2003-ANE-354-OE: 44°33'12.4"N 69°37'21.2"W
    2011-ANE-932-OE: 44°32'05.58"N 69°37'22.2"W
    MoPono: Final tower on the trip located at RainBow Ln, 3 miles SE of Waterville on Highway 137

    > I imagine that whatever we're looking for, is in the direction that set points. I've run through a couple of the points of interest related to what we (think) we know so far:

    >> Attempted Password on stripdnag.jpg, Luminance 2:
    • Jorgensen
    • Kennebec
    • Darrin
    • Lawson
    • Waterville
    • Dunkin
    • Cumberland
    Sadly, they brought up nothing.

    >> After running some tests, I'm unsure as to whether or not we're attempting to steg the correct images. Alternatively, we're missing a Passphrase (which will generate a random luminance interval when used, thus no longer fitting in with "set it to 2"), and/or the password - in which case we won't know we have the right password until we have the right passphrase.

    If we only need the correct password, an error - much like the previous false positives - should pop up when attempting to decode the image using the correct settings, but not the correct password.

    In other words, if these were the correct images, and luminance should be set to 2, we'd get "Wrong password" errors when attempting to access the information at the correct header position, yet that does not seem to be the case, neither with stripdnag.jpg nor stripdnag_orig.jpg.

    Therefore; we're either barking up the wrong tree, or we need the right ladder before we can begin barking.
     
    Last edited by a moderator: Jul 9, 2014
  19. Ugly

    Ugly Senior Agent

    Asking about more information on the time period, my contact was also able to provide an MMS from the time in question. It included the photo linked and the text "Still waiting, probably a few mins late. Looks like not alone with time to kill."
    https://app.box.com/s/sc0gvevxfqwfxt2ldp11
     
  20. nikel

    nikel Lab 1852 - Neurals

    Primary login cracked by bljkr, working on secondary login. Check the black box in the googledoc!

    In silenteye luminance level 2 on stripdnag.jpeg, password 'Bee's Snack Bar'. Login using jstewart and steg result
     