The Power of the Legion

2020-11-16 - Reading time: 11 minutes

legion6.jpg

As a long time fan of Watch Dogs 2, I observed the initial concept and trailer for Watch Dogs: Legion roll out with a feeling of trepidation.

They'd dropped the number '3' from the title, first off. Perhaps a trivial change, but for the paranoid, this was an ominous sign that things were changing.

And indeed they were.

Gone was a specific lead character. There was a big push towards the idea that you could "take control of anyone". And it seemed like there was an overall less 'realistic' feel: digital-cyber-anarchists in pig masks, skull masks. Lots of masks. And it looked like it took place in a less relatable, less contemporary world, instead set further into the dystopian future.

While I welcomed the change of venue to the UK, everything else I was seeing just wasn't clicking with me.

legion8.jpg

I felt like this would likely be where me and the Watch_Dogs™ franchise would part ways... I was all about WD2's wonderful alternate-yet-familiar world of late 2010s San Francisco, with it's terrific energy thanks to the rebel/ASCII pop art designs, and surprisingly compelling personalities. Not to mention it felt very relatable to today's world. Slightly more advanced than today, but not unrecognizably so. Just twenty minutes into the future, you could say. 😏

And it strongly looked as if Legion was poised to throw away most of what appealed to me. So I stopped following the news about it, and decided all the indicators suggested this wasn't going to be for me.

Then it launched...

legion0.jpg

Between the gameplay footage coming out, the absolutely brutal 2020 US election, and the frustrating additional delay of the much awaited Cyberpunk 2077 until mid-December, I found myself weak and incapable of holding onto the money in my virtual wallet.

So... how'd it go? Well, I just finished it last night. The "Ubisoft Connect" launcher informs me I've put in 49 hours so far. (For comparison, I've put a mere 60 hours into Watch Dogs 2. Or so it says. Feels like more.)

But did I like it?

Well, if the nearly 50 hours didn't suggest it, I'll spell it out: YES. Watch Dogs: Legion was definitely worth it.

legion3.jpg

The procedural/every-man rallied citizen gimmick that I was so skeptical about was actually a rather bold creative decision with a wonderful message about the power of the people. I don't really want to see it return in future entries, but it worked here way better than I'd have ever expected. I didn't notice similar voices. I'm sure the dupes were there but it was varied enough where it didn't stand out. The variation and people, backstories, and relationships (!) it generates is rather impressive. (Though sometimes procedural generation can get you into trouble. 😏)

legion9.jpg

But it also held it back the narrative back in some ways: everyone calls you "DedSec" -- a weak, but workable solution to recording lines without the near impossible task of referring to your procedurally generated name personally. Most of the time it sounded like it was referring to you as a representative of the group, but once or twice it just felt awkward. Not a game breaker, though. Not by a long shot. 

The cinematics felt like a bit of a downgrade from Watch Dogs 2. Possibly this was due to the procedural nature of your current player character. The nuance of performance previously infused into Marcus and his San Fran DedSec friends is reduced a bit here. Again, forgivable considering the technological circumstances. They're still generally quite good.

Even if the cinematics don't always measure up, don't even get me started on the absolute beauty and insane level of detail of London captured here. This might be the biggest advancement over WD2, and even that game still looks fantastic.

Quite often, especially with raytracing enabled, Watch Dogs: Legion is capable of looking almost photorealistic.

legion7.jpg

Another... well... I'm hesitant to call it a down side, as it's merely the side effect of the gimmick.

But I'm kind of bummed that MY Legion experience isn't everyone elses. It was just for me. Everyone playing this game is (with some exceptions) going to have a different vision of which DedSec member was there in the final act.

For instance, my main DedSec crew was composed of:

  • Wanda Baker: a 60+ assassin who's looking for one last great thrill before hanging up her guns,
  • Theresa Green: a tough as nails, mid-40s punk rock MILF hacker with mohawk,
  • and Saeed Rahmanzai: a dreadlocked AR-glasses clad young drone expert (who got less play as the team got better with drone control)

There were a dozen others on the team, but once things really got rolling, they were pretty much just not much more than background noise...

legion1.jpg

For me, Wanda, Theresa, and Saeed ARE the saviors of London.

Yet... they're not. They're just folks I recruited along the way, and I got attached to them. My imagination filled in the blanks and made them more interesting.

The game is structured in such a way that I can do that, and the story won't step on my imagination's toes.

legion5.jpg

One other major difference from Watch Dogs 2: there's a lot of streamlining of the gameplay present.

Many hacks from prior entries are gone. The character skill upgrades are greatly reduced. But you also get certain skills out of the box (like remote controlling vehicles, for example).

Where Watch Dogs 2 had a wealth of various, interesting upgrades, Legion's options are much more... shall we say, focused... to a handful of weapon, accessory, and drone hack upgrades. Many of the more interesting skills are locked behind specific recruit classes with unique abilities. This is likely why the skill tree was minimized. It gives more value to recruiting the individuals. All the really cool tricks went to them. The "beekeeper" comes to mind, with a cloud of robotic attack bees... the "living statue" guy... the hypnotic "magician"... and so on.

I never got around to checking them out, unfortunately. I locked in my core team pretty fast.

This will likely be something I'll be willing to explore on subsequent playthroughs. (There's a perma-death mode, too!)

legion4.jpg

As for the core skills shared by the team, once you realize the spider-bot lets you take down unaware people from a distance, safely, and with ease, it's really the only accessory you'll care about. It kind of makes the game too easy. Nobody is forcing you to use it, of course: most missions have multiple open ended ways to accomplish tasks.

But blimey, it feels silly to NOT use it.

Also important: the drone/turret hijack and betrayal hack skills. Get a drone specialist early on to get access to these quickly, but with enough points in your skills and everyone can do them. (Sorry, Saeed. Thanks for your service.)

legion2.jpg

Overall, Watch Dogs: Legion is a pretty damned cool experiment. Despite all odds, it largely succeeds in pulling off the trick of it's central gimmick while still delivering an engrossing (yet ultimately predictable -- spoiler!) story.

While it hasn't dethroned Watch Dogs 2 as my favorite in the series (it's going to take a LOT to do that, admittedly) it certainly holds it's own as a solid, enjoyable entry in the series.

4/5


HTB Write Up - Misc - misDIRection

2020-09-30 - Reading time: 10 minutes

Another Hack the Box write-up. This one is pretty short (EDIT: is it?), but it illustrates an unintended, but important gotcha that hit me.

But first...

I found out last time that a seemingly unwritten HTB convention* is that you only post write-ups for challenges that are retired (accessible to the paid VIP folks).

* Honestly, I only saw it mentioned while digging into the forums, and was
told about it later when I posted the previous one on Reddit.

While I didn't see an official explanation for this behavior, I suspect this is keep people from simply Googling for the flag. If that IS the case, I disagree with that idea: any good CTF'er will know to exclude the flag identifier -HTB or the CTF name (-"Hack the Box") when looking for information to help them legitimately solve the problem.

If someone is going to be a rotten rat and cheat their way through the challenges, well, that's kind of the risk you take when it's open to the public. Hiding the answers just means they'll squirrel them away out of sight for the rats to find. (Boy there's a lot of animals in this paragraph.)

And, of course, if it's simply to give value to VIP members, well, I have no interest in helping a business maintain a poor model. But I don't expect that to be the motive here. 😉

Suffice it to say, considering this one hasn't been retired since 2018, I won't be sharing it anywhere outside my own blog, apparently. And maybe Twitter. (Hi, Twitter!)

The Case Against Windows

I did this challenge, initially, using Windows. Mostly because this seemed like a pretty easy challenge, and I didn't think that would be a problem.

The challenge provides you with a zip file, appropriately named misDIRection.zip.

Unzipping the file produces a .secret/ directory, and inside a series of directories labelled 0-9a-zA-Z. Some of these are empty. But some have 0-byte files named after integers. There were no duplicates among them.

Archive:  ../misDIRection.zip
   creating: .secret/
   creating: .secret/S/
 extracting: .secret/S/1
   creating: .secret/V/
 extracting: .secret/V/35
   creating: .secret/F/
 extracting: .secret/F/2
 extracting: .secret/F/19
 extracting: .secret/F/27
   creating: .secret/o/
   creating: .secret/H/
   creating: .secret/A/
   creating: .secret/r/
   creating: .secret/m/
   creating: .secret/B/
 extracting: .secret/B/23

...etc...

I thought about this one for a bit, and considered how a message could be encoded.

Then I had an idea: what if the numbers map to a position in an output. Like, where file "1" is, that's in the S directory.  "2" is in F, etc.

So I started charting this out in Notepad, but I got about 4 letters deep and realized -- wait, I should be doing this in a programmatic way. There are tools for this. Work smarter.

So I pull up the WSL bash prompt and throw down: find . -type f | sort -k 1.13 -n

This finds all the file-type entries under the current directory and pipes the result into sort. The -k argument basically says to sort on the 13th column, and -n specifies a numeric sort.

This gave a pretty clear arrangement: SFrce0rjUjNjdeX5XzFUX1BSNdFUX1NPN2V9. NICE!

Not So Fast, Son

While this wasn't the flag, of course, it seemed like a solid lead into a second phase.

So I pull up CyberChef and start messing around with it. I go through the usual transformations I try, and Base64 immediately catches my eye: HZÜ{JãR3cuåù_1T_PR5ÑT_SO7e}.

It's so painfully close to what I'm looking for. You can SEE the skeleton of a legit Hack the Box flag: HTB{xxx_xxx_xxx_xxx}. You can see the curly braces, and the underscores, and even the opening "H". Presumably some of the other letters are correct as well, but you can't know that yet, of course.

So I went down some weird rabbit holes. The hashid tool thought it was BigCrypt:

Analyzing 'SFrce0rjUjNjdeX5XzFUX1BSNdFUX1NPN2V9'
[+] BigCrypt

And The Towel Was Thrown In

Everything I tried wound up being big time wasters.

So I gave up and looked for a write-up. Inside that write-up, the guy did everything I did:

WHAT?

I do a search for SFrce0rjUjNjdeX5XzFUX1BSNdFUX1NPN2V9 -- and sure enough, there it is.

Am I going crazy? It's just a basic Base64 decoding. Why is mine different?

Just to verify, I pipe it through the same base64 tool on my end. Nope. Still different.

What am I doing differently here?!

Then it dawns on me: I'm using Windows.

I'd gotten used to doing some formerly Unix-style command line stuff in Windows, thanks to WSL letting me bounce between the two worlds. And that was my mistake.

A Return to Relative Sanity

Let's take a look:

  • Some characters showed up fine.
  • The same string gave two different decodings.
  • How could that be?

Well, unzipping a file that creates an alphabet... both upper AND lowercase letters... oh shit.

Right: unzipping in Windows means ".secret/s" is the same directory as ".secret/S".

Which one you get depends on which one unzipped first. So I had a jumble of upper and lowercase directories that Windows went all YOLO on. And when I jumped over to WSL to do my find command, the damage was already done.

I needed to unzip the file from Unix.

So I nuked the entire directory and unpacked all of this from a proper Linux bash shell in my lab VM. And sure enough, I have a lot more directories.

I run my find command, and I get a slightly different version of my string: SFRCe0RJUjNjdEx5XzFuX1BsNDFuX1NpN2V9.

Note the case differences:

Wrong: SFrce0rjUjNjdeX5XzFUX1BSNdFUX1NPN2V9
Right: SFRCe0RJUjNjdEx5XzFuX1BsNDFuX1NpN2V9

So I pump that through base64 -d, and we get the CORRECT flag this time: HTB{DIR3ctLy_1n_Pl41n_Si7e}.

The Takeaway

This was frustrating, but still quite educational: in the future I might encounter an issue similar to this, and hopefully I'll remember this experience. I mean, I didn't look closely enough at my string, and searching for it in the write-up made me think it was 1:1 exactly the same. All because search tools are, by default, case insensitive. And Windows is case insensitive.

But I'm very sensitive. 😢

Seriously, though don't get too comfortable with Windows, man. It'll stab you when you're not looking!

I don't for a moment think the author of this challenge intended for this outcome. (I sure didn't.) But hey: thank goodness SOMEONE wrote a write-up on a non-retired Hack the Box challenge, huh? 😏


HTB Write Up - OSINT - ID Exposed

2020-09-24 - Reading time: 9 minutes

I've been doing a lot of TryHackMe rooms over the last week or two, but this morning I decided to jump over to HackTheBox to take a look at their OSINT challenges.

While I've never done a CTF write-up before, I want to start doing this a bit more often. Especially when I encounter new topics or concepts I've never encountered before.

We are looking for Sara Medson Cruz's last location, where she left a message. We need to find out what this message is! We only have her email: saramedsoncruz@gmail.com

With this bit of content, I spent a lot of time going through my usual routine...

Sherluckin' Out

First, I looked for the username saramedsoncruz using Sherlock. It's a tool written in Python that queries a ton of social media services. (There's websites for this, too.) This pulled up only a couple results:

[*] Checking username saramedsoncruz on:
[+] Pinterest: https://www.pinterest.com/saramedsoncruz/
[+] geocaching: https://www.geocaching.com/p/default.aspx?u=saramedsoncruz

When I saw the Geocaching link, I got excited. We could satisfy all of our requirements.

Her last location? Possibly! A potential message left? Sure! Maybe she took a picture of a message left in a cache. Or had comments about a cache she'd just found.

This seemed to be a lock... but, despite a match on that very specific username, it wound up going nowhere.

Struck out with the Pinterest link, but I had low hopes for that one.

Desperation Sets In...

At this point, I'm trying everything I know. Manually clawing though "Sara Cruz" accounts (and various permutations on the name) on Facebook and other social media sites. One even had a Guy Fawkes mask for an avatar -- I thought to myself "Some dumb hacker shit! Surely, this must be it!"

But, no. Another dead end.

As I'm searching around, I see a link talking about Google IDs and Gmail accounts. It looks interesting, but I put it aside.

I'm about to give up -- which is fine by me. Yeah, I'm always a little disappointed when I throw in the towel, but that's part of the reason I do these CTF challenges: to test what I know, and if it's something I don't know: learn. (From write-ups. Like this. 😏)

...when suddenly!

So I return to the HTB OSINT page, and I take a look at the name of the challenge so I can google a write-up.

"ID Exposed"... hey, waaaait a minute...

I think for a moment as that piece of information zip-zaps across my mind over to the article I'd found earlier: Getting a Grasp on GoogleIDs.

I'd completely overlooked a clue in the title. Turns out this was VERY relevant!

I'll leave the article for you to see the details, but long story short: there's a profile ID number attached to every Google account. There's a couple ways to get this ID outlined in the article.

In my case, I added it to my existing Google Contacts collection and sniffed the data-personid attribute from the modal dialog of the Contacts page when the contact is opened for editing (it may be seen elsewhere, but this is where I got it).

With this in hand, I went over to the People API people.get page, which lets you try executing an API endpoint. In order to execute this endpoint call, you'll need to give permission for your own Google account.

Following the instructions in the article, I plugged in "people/c6412528252752365100" for the resourceName, and "metadata" for the personFields field.

The call, successful, returned this block of JSON:

{
  "resourceName": "people/c6412528252752365100",
  "etag": "%EgMBNy4aBAECBQciDG1IQ1NWS3NJSEc0PQ==",
  "metadata": {
    "sources": [
      {
        "type": "CONTACT",
        "id": "58fde0788976062c",
        "etag": "#mHCSVKsIHG4=",
        "updateTime": "2020-09-24T15:59:18.216Z"
      },
      {
        "type": "PROFILE",
        "id": "117395327982835488254",
        "etag": "#4eZz2/IuMFw=",
        "profileMetadata": {
          "objectType": "PERSON",
          "userTypes": [
            "GOOGLE_USER"
          ]
        }
      }
    ],
    "objectType": "PERSON"
  }
}

Under the metadata -> sources entry with the PROFILE type, there is our GoogleID: 117395327982835488254.

Now That's Brazilliant

From here, we can look for various things (again, check the article for what's possible).

As it turns out, you can take a look at the 'contributions' that a GoogleID has made to Google Maps. This means reviews and photos, for the most part. Certainly the kind of data that would tick the boxes of what this CTF solution asks of us.

So, I tack the GoogleID onto the appropriate URL...

https://www.google.com/maps/contrib/117395327982835488254/

...and sure enough:

"Flag Watcher", huh? 😏

No photos, but they've posted a review for the 'Museu do Futebol' in Brazil, giving it a whopping five stars, and a terse comment of "really nice museum"...

Wait, there's more.

Like, literally 'More'.

Click it.

And there's our flag, buried in a bunch of percent signs to force the comment to collapse. :)

HTB{i_W4S_D_I_S_c_O_v_3_R_3_D}

Conclusion

It's okay to give up, as long as you're willing to learn.

Just be careful that you're not overlooking a clue being given to you. Few things suck more than bashing your head against the wall going down a dead end for an hour when a quick re-read of the CTF details might have prevented it. 😳


Gangster Computer God Worldwide Secret Containment Policy

2020-09-13 - Reading time: ~1 minute

I didn't go over every word of this, but I'm fairly sure these are the reenacted insane ramblings of Francis E. Dec. Besides, the phrase "Gangster Computer God" is pretty much his thing. 😉

Francis E. Dec (January 6, 1926 – January 21, 1996) was an American lawyer and outsider writer who was best known for his typewritten diatribes that he independently mailed and published from the late 1960s onward. His works are characterized by highly accusatory and vulgar attacks on various subjects, often making use of phrases like "Mad Deadly Worldwide Communist Gangster Computer God" to slander hierarchies that he believed were engaging in electronic harassment against him.

Here's a sample of his... work... 🤯


Hacking Reality to Save the Princess

2020-09-13 - Reading time: 6 minutes

Came across this over on Hacker News this morning and left a brief thought on it over there (that I'm sure has been ripped to shreds by now). (EDIT: Not so much. But we did reach similar endpoints. Thanks, guys!)

Long story short, even shorter: player manipulates and aligns glitches to basically rewrite the code's stack to force the game ending sequence to execute. Goes from title screen to prince rescued in ~3 minutes.

From a hacker perspective, this kind of thing is -- 😘👌 -- excellent. Even if the player didn't consciously decide to manipulate the stack but happened to stumble onto a combination to make it work, it's still super cool to break it down, which is what this video does.



Originally this post was a reflection on the ethics of this kind of thing being considered a 'world record', and how I'd rather see them split this out into it's own category.

Instead of investigating first, I just vomited out all my thoughts and feelings without actually seeing how the world decided to handle this. I ran on an assumption. And it was wrong.

Because they DO break it out by category:

Here's how they break it down -- and they are NOT fucking around:

100%

Beat the game, entering and completing every stage and Hammer Bros. fight.

  • Time starts on pressing Start on the title screen.
  • Time ends on entering the door after defeating Bowser.

This category includes:

  • All action stages (numbered stages, fortresses, airships, plants, hands...)
  • All overworld Hammer Bros. (including their Boomerang, Fire and Sledge Bros. variations)

Important notes:

  • Do not forget the Fire Bros. behind the rock in world 2, the two plants in world 7 and the three hands in world 8!
  • If you accidentally transform some Hammer Bros. into a coinship, you must either beat the coinship or die on purpose during the coinship to transform it back into Hammer Bros. and then defeat them.
  • Mushroom houses, card games, roulette games and overworld pipes are allowed but not required.

Banned emulators: ZSNES (any version), SNES9x 1.4x

Any% Warpelss

Beat the game as quickly as possible without using any wrong warps or warp whistles. Warp whistles may be collected but not used.

Time starts on pressing Start on the title screen.
Time ends on entering the door after defeating Bowser.

Banned emulators: ZSNES (any version), SNES9x 1.4x

Any% (No Wrong Warp)

Beat the game as quickly as possible without using any wrong warps.

Time starts on pressing Start on the title screen.
Time ends on entering the door after defeating Bowser.

Banned emulators: ZSNES (any version), SNES9x 1.4x

Any%

Time starts on pressing Start on the title screen.


Time ends when Mario is visible in the princess' chamber. If the game crashes, the run is invalid.


Banned platforms: Virtual Console, NESClassic, BizHawk (QuickNES core)Note that BizHawk with the NESHawk core is allowed.

And these are just the Super Mario Bros. 3 specific rule sets. Other games have different rules.

For instance, Portal has "Out of Bounds" (any and all tricks allowed), "Inbounds" (camera and portals cannot leave the map), "Glitchless" (use none of the officially recognized glitches), and "Inbounds No SLA" (Save/Load Abuse).

Even something like bloody Cookie Clicker has a whole bunch of rule sets: "1 Million Cookies", "Neverclick" (bake 1 million cookies without clicking the cookie <= 15 times), "True Neverclick" (bake 1 million cookies without clicking the cookie at all), "Hardcore" (bake 1 billion cookies without upgrades), "40 Achievements" (guess), "1 Heavenly Chip" (🙏).

Finding this out was pretty amazing. Not only were my concerns alleviated, but I've actually found a brand new level of respect for the speedrunning. :)

And I was able to salvage a lengthy post, and turn it into something positive. Everyone wins!


Elsewhere...