Ku7ahzae

The complete story of onion 6

Jan 31st, 2014
  1. ===============================================================================
  2. ONION 6
  3. ===============================================================================
  4.  
  5. onion 6 is: http://ut3qtzbrvs7dtvzp.onion/
  6.  
  7. One large unsigned hexdump with html comment <!--761-->, saved as onion6.html
  8. Hexdump extracted as onion6.hex
  9. xxd -r -p onion6.hex onion6.bin
  10.  
  11. The first bytes of the hexdump are the 'ffd8' JPG header.
  12.  
  13. -------------------------------------------------------------------------------
  14. Scanning for jpegs
  15. -------------------------------------------------------------------------------
  16.  
  17. ../scripts/DetectJPG_v2.py -i onion6.bin
  18.  
  19. --------------------------------------------------------
  20. DETECT_JPG: SEARCHING FOR JPGS IN BINARY DATA
  21. --------------------------------------------------------
  22.  
  23. Read onion6.bin with 4240957 bytes
  24.  
  25. --- scanning data ---
  26.  
  27. Detected jpg. Begin: 0 End 754662
  28. Saving as onion6.image00.jpg
  29. Detected jpg. Begin: 754662 End 1467395
  30. Saving as onion6.image01.jpg
  31. Detected jpg. Begin: 1467395 End 2170823
  32. Saving as onion6.image02.jpg
  33. Detected jpg. Begin: 2170823 End 4240957
  34. Saving as onion6.image03.jpg
  35.  
  36. --- reversing byte order ---
  37.  
  38. --- scanning data ---
  39.  
  40.  
  41. --- looking for bytes not used in jpegs ---
  42.  
  43.  
  44. --- Done ---
  45.  
  46.  
  47. All four jpgs are readable and show more runepages.
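The boundary detection above, sketched as an added example (not the DetectJPG_v2.py script, whose source is not on this page). It walks JPEG markers instead of searching for the first 'ffd9', so an EXIF thumbnail's end marker does not cut an image short. The sample bytes and the fake_jpeg helper are constructed for illustration.

```python
SOI, EOI = b"\xff\xd8", b"\xff\xd9"
STUFFED = {0x00, *range(0xD0, 0xD8)}  # FF00 byte stuffing and RST0-RST7 inside scan data

def jpeg_end(data: bytes, start: int) -> int:
    """Offset one past the EOI of the JPEG starting at `start`, or -1 if malformed."""
    if data[start:start + 2] != SOI:
        return -1
    pos, n = start + 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return -1                      # lost sync: not a marker
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
        elif marker == 0xD9:               # EOI of the outer image
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                       # standalone markers carry no length
        else:
            if pos + 4 > n:
                return -1
            seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
            if seglen < 2:
                return -1
            pos += 2 + seglen              # skip the whole segment, thumbnails included
            if marker == 0xDA:             # SOS: entropy-coded data follows, no length
                while pos + 1 < n and not (data[pos] == 0xFF and data[pos + 1] not in STUFFED):
                    pos += 1
    return -1

def carve(data: bytes) -> list:
    """Return (begin, end) offsets of every well-formed JPEG in `data`."""
    found, pos = [], 0
    while (pos := data.find(SOI, pos)) != -1:
        end = jpeg_end(data, pos)
        if end == -1:
            pos += 2                       # false SOI, keep scanning
        else:
            found.append((pos, end))
            pos = end
    return found

def fake_jpeg(tag: bytes) -> bytes:
    """Constructed stand-in: APP1 with an embedded thumbnail, one scan, EOI."""
    thumb = SOI + b"thumb" + EOI
    app1 = b"\xff\xe1" + (len(thumb) + 2).to_bytes(2, "big") + thumb
    sos = b"\xff\xda" + (len(tag) + 2).to_bytes(2, "big") + tag
    return SOI + app1 + sos + b"\x12\xff\x00\x34\xff\xd0\x56" + EOI

SAMPLE = fake_jpeg(b"A") + fake_jpeg(b"BB")   # two images back to back, as in onion6.bin
```

A naive search for the first 'ffd9' in SAMPLE stops at offset 15, inside the thumbnail; carve() reports the full extents.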
  48.  
  49. -------------------------------------------------------------------------------
  50. OutGuess
  51. -------------------------------------------------------------------------------
  52.  
  53. Running outguess on all four images:
  54.  
  55. outguess -r onion6.image00.jpg onion6.outguess00.dat
  56. outguess -r onion6.image01.jpg onion6.outguess01.dat
  57. outguess -r onion6.image02.jpg onion6.outguess02.dat
  58. outguess -r onion6.image03.jpg onion6.outguess03.dat
  59.  
  60. file onion6.outguess00.dat --> onion6.outguess00.dat: ASCII English text
  61. file onion6.outguess01.dat --> onion6.outguess01.dat: ASCII English text
  62. file onion6.outguess02.dat --> onion6.outguess02.dat: ASCII English text
  63. file onion6.outguess03.dat --> onion6.outguess03.dat: ASCII English text
  64.  
  65. All outguesses are GPG signed. Checking the signatures:
  66.  
  67. gpg --verify onion6.outguess00.dat
  68. gpg: Signature made Sun 19 Jan 2014 08:39:32 AM CET using RSA key ID 7A35090F
  69. gpg: Good signature from "Cicada 3301 (845145127)"
  70.  
  71. gpg --verify onion6.outguess01.dat
  72. gpg: Signature made Sun 19 Jan 2014 08:39:42 AM CET using RSA key ID 7A35090F
  73. gpg: Good signature from "Cicada 3301 (845145127)"
  74.  
  75. gpg --verify onion6.outguess02.dat
  76. gpg: Signature made Sun 19 Jan 2014 08:39:50 AM CET using RSA key ID 7A35090F
  77. gpg: Good signature from "Cicada 3301 (845145127)"
  78.  
  79. gpg --verify onion6.outguess03.dat
  80. gpg: Signature made Sun 19 Jan 2014 08:39:57 AM CET using RSA key ID 7A35090F
  81. gpg: Good signature from "Cicada 3301 (845145127)"
  82.  
  83. All four messages are basically identical and say:
  84.  
  85. Create one Tor hidden service that can accept CGI file uploads.
  86.  
  87. When this hidden service returns and can accept input, post the
  88. three magic squares and the URL to your Tor hidden service here.
  89.  
  90. Work alone.
  91.  
  92.  
  93. 1111111111111111
  94. 110 12 101
  95. 1 1
  96. 112 14 121
  97. 1 1
  98. 110 12 101
  99. 1111111111111111
  100.  
  101.  
  102. Good luck.
  103.  
  104. 3301
  105.  
  106. There is a difference between the outguesses: The digits used as frame for the
  107. square change. Cicada used '3' in onion6.outguess00.dat and
  108. onion6.outguess01.dat, '0' in onion6.outguess02.dat and '1' in
  109. onion6.outguess03.dat. The digits spell out 3301.
  110.  
  111. -------------------------------------------------------------------------------
  112. Translation of runes
  113. -------------------------------------------------------------------------------
  114.  
  115. The runepages are not encrypted. Translation is straightforward.
  116.  
  117. [page 1, onion6.image00.jpg]
  118.  
  119. THE LOSS OF DIVINITY: THE CIRCU
  120. MFERENCE PRACTICES THRE
  121. E BEHAVIORS WHICH CAUSE TH
  122. E LOSS OF DIVINITY.
  123.  
  124. CONSUMPTION: WE CONSUME TOO
  125. MUCH BECAUSE WE BELEIVE THE
  126. FOLLWING TWO ERRORS WITHIN THE DEC
  127. EPTION.
  128.  
  129. 1 WE DO NOT HAVE ENOUGH
  130. OR THERE IS NOT ENOUGH
  131.  
  132. [page 2, onion6.image01.jpg]
  133.  
  134. 2 WE HAVE WHAT WE HAVE N
  135. OW BY LUCK, AND WE WILL NOT
  136. BE STRONG ENOUGH LATER T
  137. O OBTAIN WHAT WE NEED.
  138.  
  139. MOST THINGS ARE NOT WORTH CONSUM
  140. ING:
  141.  
  142. PRESERVATION: WE PRESERVE
  143. THINGS BECAUSE WE BELIEVE WE AR
  144. E WEAK. IF WE LOSE THEM WE WILL NO
  145. T BE STRONG ENOUGH TO GAIN THEM
  146. AGAIN. THIS IS THE DECEPTION.
  147.  
  148. [page 3, onion6.image02.jpg]
  149.  
  150. MOST THINGS ARE NOT WORTH PRESERV
  151. ING:
  152.  
  153. ADHERENCE: WE FOLLOW DOGMA
  154. SO THAT WE CAN BELONG AND BE RIGH
  155. T. OR WE FOLLOW REASON SO WE CAN
  156. BELONG AND BE RIGHT.
  157.  
  158. THERE IS NOTHING TO BE RIGHT ABOUT.
  159. TO BELONG IS DEATH.
  160.  
  161. IT IS THE BEHAVIORS OF CONSUMPT
  162. ION, PRESERVATION, AND ADHEREN
  163.  
  164. [page 4, onion6.image03.jpg]
  165.  
  166. CE THAT HAVE US LOSE OUR PRIMAL
  167. ITY AND THUS OUR DIVINITY:
  168.  
  169. SOME WISDOM: AMASS GREAT W
  170. EALTH. NEVER BECOME ATTA
  171. CHED TO WHAT YOU OWN. BE
  172. PREPARED TO DESTROY ALL THAT
  173. YOU OWN:
  174.  
  175. AN INSTRUCTION: PROGRAM YOU
  176. R MIND. PROGRAM REALITY
  177.  
  178. -------------------------------------------------------------------------------
  179. Search for 'the three magic squares'
  180. -------------------------------------------------------------------------------
  181.  
  182. Print each of the three 256 byte strings in 16x16 matrix ---> Not magic
  183. (see http://pastebin.com/iQZ7dhx4)
  184.  
  185. Checking 58152 byte outguesses: sqrt(58152) != int. Cannot make a square.
  186.  
  187. XORed the onion5.audio01.mp3 (Bach) with each of the three 256 byte strings and
  188. the byte-order reversed copies. Looking for jpg/png/zip/gzip/bzip2/text files.
  189. No readable files found. Minimum entropy 6.92.
  190.  
  191. XORed the three 256 byte strings (and their reverse) with onion6.image00.jpg.
  192. Looking for low entropy or headers for png/jpg/zip/gzip/bzip2 or text files.
  193. No readable files found. Minimum entropy 6.90.
  194.  
  195. XORed the three 256 byte strings (and their reverse) with onion6.image01.jpg.
  196. Looking for low entropy or headers for png/jpg/zip/gzip/bzip2 or text files.
  197. No readable files found. Minimum entropy 6.87.
  198.  
  199. XORed the three 256 byte strings (and their reverse) with onion6.image02.jpg.
  200. Looking for low entropy or headers for png/jpg/zip/gzip/bzip2 or text files.
  201. No readable files found. Minimum entropy 6.86.
  202.  
  203. XORed the three 256 byte strings (and their reverse) with onion6.image03.jpg.
  204. Looking for low entropy or headers for png/jpg/zip/gzip/bzip2 or text files.
  205. No readable files found. Minimum entropy 6.87.
  206.  
  207. XORed the three 256 byte strings (and their reverse) with onion5.mp3.
  208. Looking for low entropy or headers for png/jpg/zip/gzip/bzip2 or text files.
  209. No readable files found. Minimum entropy 6.87.
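The XOR tests above, as an added example (not the script used for this write-up). It XORs a file with each 256 byte string and its byte-reversed copy, then flags output that starts with a known file header or falls below an entropy threshold. The keys, the payload and the 6.0 bits/byte threshold are constructed assumptions.

```python
import math
from collections import Counter
from itertools import cycle

# File signatures for the types the write-up lists.
MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "zip": b"PK\x03\x04",
         "gzip": b"\x1f\x8b", "bzip2": b"BZh"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key`, repeating the key as often as needed."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def triage(data: bytes, keys: dict, max_entropy: float = 6.0) -> list:
    """Try each key forwards and byte-reversed; report header hits and low-entropy output."""
    hits = []
    for name, key in keys.items():
        for label, k in ((name, key), (name + "-reversed", key[::-1])):
            out = xor_repeat(data, k)
            kind = next((t for t, m in MAGIC.items() if out.startswith(m)), None)
            h = entropy(out)
            if kind or h < max_entropy:    # text shows up as low entropy
                hits.append((label, kind, round(h, 2)))
    return hits

# Constructed data: two made-up 256 byte keys and a zip-headed payload
# hidden under key "b" in reversed byte order.
KEYS = {"a": bytes((i * 7 + 3) % 256 for i in range(256)),
        "b": bytes((i * 13 + 5) % 256 for i in range(256))}
PLAIN = b"PK\x03\x04" + b"magic square " * 40
CIPHER = xor_repeat(PLAIN, KEYS["b"][::-1])

if __name__ == "__main__":
    print(triage(CIPHER, KEYS))
```

Minimum entropies of 6.86 to 6.92 bits per byte, as reported above, sit far above English text and are what this check treats as a miss.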
  210.  
  211. Take numbers in the portrait and complete magic square:
  212.  
  213. 966 A B C 434
  214. 1071 D E F 204
  215. 626 G H G 626
  216. 204 F E D 1071
  217. 434 C B A 966
  218.  
  219. Choose H and solve for the rest.
  220.  
  221. Do a similar thing for the 7x7 square. There we have even more possible combinations.
  222.  
  223. I doubt that these are the magic squares we're looking for. There are simply
  224. too many of them.
  225.  
  226. UPDATE:
  227.  
  228. When onion6 came back online we got new runepages (see below for details). One
  229. of the pages contains a 5x5 square (one of those that could be constructed with
  230. the above formula):
  231.  
  232. 434 1311 312 278 966
  233. 204 812 934 280 1071
  234. 626 620 809 620 626
  235. 1071 280 934 812 204
  236. 966 278 312 1311 434
  237.  
  238.  
  239. Another magic square (7x7, also based on the numbers from onion5 portrait.jpg) can be
  240. found in onion5.mp3 (see http://pastebin.com/pFLQhtXQ for more details on
  241. onion5).
  242.  
  243. Unfortunately Cicada used OpenPuff, a Windows-only steganographic software for
  244. the mp3. Therefore I cannot reproduce the results. I give the square as posted
  245. in #cicadasolvers:
  246.  
  247. 7 375 236 190 27 17 181
  248. 351 223 14 47 293 98 7
  249. 456 232 121 114 72 23 15
  250. 16 65 270 331 270 65 16
  251. 15 23 72 114 121 232 456
  252. 7 98 293 47 14 223 351
  253. 181 17 27 190 236 375 7
  254.  
  255. -------------------------------------------------------------------------------
  256. onion6 back online, submit magic squares and hidden service address
  257. -------------------------------------------------------------------------------
  258.  
  259. Onion 6 shows a GPG signed text message and three input fields for magic
  260. squares, one for our hidden service URL. Page saved as onion6_2.html. GPG
  261. signed text is onion6.2.txt.
  262.  
  263. gpg --verify onion6.2.txt
  264. gpg: Signature made Sat 25 Jan 2014 09:26:57 AM CET using RSA key ID 7A35090F
  265. gpg: Good signature from "Cicada 3301 (845145127)"
  266.  
  267. Message reads (signature removed):
  268.  
  269. Hello. You have done well to come this far.
  270.  
  271. Please paste the magic squares into the appropriate textareas below, then
  272. provide the URL to your Tor hidden service.
  273.  
  274. The path to your CGI script which accepts uploads should be '/cgi-bin/upload'
  275. and the HTML form input which accepts file uploads should be named 'file'.
  276.  
  277. Additionally, please generate a GnuPG key pair, and place the public key
  278. in the location '/key.asc'.
  279.  
  280. We will contact you soon.
  281.  
  282. Good luck.
  283.  
  284. 3301
  285.  
  286.  
  287.  
  288. Posting squares and onion address gives 3 new rune jpgs. The first two pages
  289. are encrypted. The third is plaintext. The jpgs are called 107.jpg, 167.jpg
  290. and 229.jpg.
  291.  
  292. Apparently none of the images has any outguess.
  293.  
  294. 107.jpg --> https://infotomb.com/p65ks
  295. 167.jpg --> https://infotomb.com/xivp2
  296. 229.jpg --> https://infotomb.com/oi704
  297.  
  298. -------------------------------------------------------------------------------
  299. Decryption/translation of runes
  300. -------------------------------------------------------------------------------
  301.  
  302. A transcription of the encrypted pages 1 and 2 is in onion6.2.runes.txt. Page 3
  303. is not encrypted and can be translated directly using the Gematria.
  304.  
  305. A frequency analysis of the ciphertext shows a good match to English plaintext,
  306. except for the letters A, R, S and T. This points to some simple reordering
  307. cipher (e.g. columnar transposition).
  308.  
  309. http://imgur.com/HdlYxou --> Frequency analysis
  310.  
  311. Decryption via column reordering is not possible
  312. Also no Caesar cipher
  313. No simple substitution cipher
  314.  
  315. It turns out to be a Vigenere cipher with the key "FIRFUMFERENFE"
  316. (CIRCUMFERENCE with every 'C' replaced by 'F'). That made it hard to detect
  317. since 'F' represents a shift of 0. Additionally the two F-runes in 'OF' and
  318. 'CIRCUMFERENCE' are to be ignored (no increment in key pointer).
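The cipher described above, as an added example (not the tool used for this write-up). It shows the key pointer that pauses on ignored runes and why the four zero-shift F runes in the key leave so much ciphertext unchanged. The rune order is the Gematria Primus order supplied here; the shift direction, the test sentence's rune split and the skip positions are assumptions.

```python
# Gematria Primus rune order by Latin transliteration (29 runes, F = index 0).
GP = ["F", "U", "TH", "O", "R", "C", "G", "W", "H", "N", "I", "J", "EO", "P", "X",
      "S", "T", "B", "E", "M", "L", "NG", "OE", "D", "A", "AE", "Y", "IA", "EA"]
IDX = {rune: i for i, rune in enumerate(GP)}
KEY = ["F", "I", "R", "F", "U", "M", "F", "E", "R", "E", "N", "F", "E"]  # FIRFUMFERENFE

def vigenere(runes, sign, key=KEY, skip=frozenset()):
    """Shift each rune by the current key rune; positions in `skip` pass through
    unchanged and do not advance the key pointer."""
    out, kp = [], 0
    for pos, rune in enumerate(runes):
        if pos in skip:
            out.append(rune)
            continue
        shift = IDX[key[kp % len(key)]]
        out.append(GP[(IDX[rune] + sign * shift) % len(GP)])
        kp += 1
    return out

def encrypt(runes, skip=frozenset()):
    return vigenere(runes, +1, skip=skip)

def decrypt(runes, skip=frozenset()):
    return vigenere(runes, -1, skip=skip)   # assumed direction: plain = cipher - key

def unchanged(cipher, plain):
    """Count runes the cipher left as-is (zero-shift key runes and skipped runes)."""
    return sum(c == p for c, p in zip(cipher, plain))

# Constructed test vector: "THE I IS THE VOICE OF THE CIRCUMFERENCE" split into
# runes (V is written with the U rune), key pointer starting at 0.
PLAIN = "TH E I I S TH E U O I C E O F TH E C I R C U M F E R E N C E".split()
SKIP = {13, 22}   # the F in OF and the F in CIRCUMFERENCE
CIPHER = encrypt(PLAIN, SKIP)

if __name__ == "__main__":
    print(" ".join(CIPHER))
    print(unchanged(CIPHER, PLAIN), "of", len(PLAIN), "runes unchanged")
```

Decrypting without the skip set drifts out of step with the key after the first ignored F, so every later non-zero shift is applied with the wrong key rune.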
  319.  
  320. Decryption is as follows:
  321.  
  322. [page 1, 107.jpg]
  323.  
  324. A COAN: DURING A LESSON THE MAS
  325. TER EXPLAINED THE I: "THE
  326. I IS THE VOICE OF THE CIRCU
  327. MFERENCE", HE SAID. WHEN AS
  328. KED BY A STUDENT TO EXPLAIN
  329. WHAT THAT MEANT, THE MASTER SA
  330. ID "IT IS A VOICE INSIDE YOUR H
  331. EAD". "I DON'T HAVE A VOICE I
  332. N MY HEAD", THOUGHT THE STUDENT,
  333. AND HE RAISED HIS HAND TO TE
  334. LL THE MASTER. THE MASTER STOP
  335.  
  336. [page 2, 167.jpg]
  337.  
  338. PED THE STUDENT AND SAID "THE
  339. VOICE THAT JUST SAID YOU HAV
  340. E NO VOICE IN YOUR HEAD, IS THE
  341. I." AND THE STUDENTS WERE ENL
  342. IGHTENED
  343.  
  344.  
  345. [page 3, 229.jpg]
  346.  
  347. AN INSTRUCTION: QUESTION ALL
  348. THINGS. DISCOVER THRUTH INSIDE
  349. YOURSELF. FOLLOW YOUR TRU
  350. TH. IMPOSE NOTHING ON OTHERS:
  351.  
  352. KNOW THIS:
  353.  
  354. 434 1311 312 278 966
  355. 204 812 934 280 1071
  356. 626 620 809 620 626
  357. 1071 280 934 812 204
  358. 966 278 312 1311 434
  359.  
  360.  
  361.  
  362. -------------------------------------------------------------------------------
  363. List of uploaded data from onion 6
  364. -------------------------------------------------------------------------------
  365.  
  366. https://infotomb.com/4lurl --> onion 6 hexdump with <!--761--> comment
  367.  
  368. _______________________________________________________________________________