Virtual Cybersecurity Escape Room (eloeffler.gitlab.io)
142 points by atum47 on Dec 2, 2020 | 92 comments



Hi, I'm the maintainer and put together the code for this first working prototype of the digital version of the game. Thanks already for your feedback!

I will gladly provide hints here if you get stuck :)

Many thanks also to atum47, whose FOS, Fake Operating System I've used for the game. You can find it here: https://github.com/victorqribeiro/fos

We have developed the game at the University of Applied Sciences and Arts Northwestern Switzerland, School of Business, Institute for Cyber Security & Cyber Resilience. https://www.fhnw.ch/en/about-fhnw/schools/business/iwi/cyber...

The game is based on a student work that has been published here: Schneider, Bettina, and Trupti Zanwar. "CySecEscape–Escape Room Technique to Raise Cybersecurity Awareness in SMEs." https://conference.pixel-online.net/FOE/files/foe/ed0010/FP/...


Great concept, but the UX problems make this not fun.

Hope you get this ironed out.

I think there are a lot of best practices that can be rehearsed in this format

Recently I had been thinking about how interesting it would be to have a movie or tv show where a protagonist is trying to guess someone's password and they encounter a password manager and give up, or the character tells them they use a password manager as if it was the most obvious thing to do. That would make more sense than sticky notes or seeing some hint in the room that reveals the password.


How does one interact with the game? I see the drawn room, but clicking anything there (folder, basket, cup, etc.) does nothing at all...


Which browser are you using? We had some problems with Firefox displaying SVG graphics a little differently but it appeared to be working now.

You should be able to click many of the objects (e.g. the cup) to zoom in.


Latest Firefox on Mac... Will try with another browser. If you need any help in tracing the issue, I'll send you the console output.


Yep, clicking is iffy on Firefox/Mac here too.

Nice work, but as an old gamer I'm wondering if throwing the graphics in some established game engine wouldn't have made it work more consistently :)


I kind of enjoy the graphics... Makes the focus to be shifted on the actual gameplay. You care about the process of discovery more this way. At least that's how it worked for me, but I'm not a regular game player person.


The graphics are a stylistic choice and they can fit in any engine, but maybe clicking would have been more consistent :)


Agreed! :)


Firefox (different versions, up to 78.4) here too, having to click on the drawn objects multiple times to make it react.


I think the only other confusing part is the bank email. Given that the premise is that her cybersecurity is weak, I would think that the transactions are actually because she fell for it.


I like it, but the format for the password was pretty frustrating.


Yeah, seems like there's not enough of a hint to let on how this should be formatted.


It's there actually, inside part of the desk, which you don't need any knowledge to open. Just assume the person is stupid :P


Where? Do you mean the 2nd or 3rd drawer?

In fact, I never managed to open the third drawer.


No the top one with the code. It provides a clear hint on the password of the computer. And the code is really stupid (not even a birthday or anything ;) )


Okay, I did find that hint, but the problem is that while it gives you a hint on what you're looking for, there are so many possibilities for how you can type a date as a password (assuming it is the 31st of January 2010, which it is not):

2010-01-31

20100131

2010.01.31

31.01.2010

01-31-2010

01/31/10

31.1.2010

31st January 2010

3101

Just to give some examples. If the name of a person can be added, there are a lot more combinations. If there are even multiple people (as in this case) you might even think about mixing those dates.


The concept is really neat! Well done!

Keep up the good work, a bit more polishing and it's going to be even better.


Solved it, was fun. But how would a personal account set up a direct debit?


She used the company's account to set up a standing order to her account.


That email "Urgent! Suspicius transactions." is epic... LOL


Vague spoiler warning I guess:

* I struggled to understand what was clickable. The little red thing on the table seemed important. I guess not.

* Please don't make passwords case sensitive in games like this

* The puzzle felt too tough without the hint you posted. I'm not sure how I was supposed to know the password format. I wasn't able to open the drawer until mistakenly thinking the win code was the solution to the drawer, which it sort of was. But I more or less guessed the name and date were the password. I likely wouldn't have gotten it for a long time unless you posted the format.

* The stuff on the computer felt a little too simple. It also implied there was more to the game after the win code but I think not?


Actually, I did not feel it was too tough. The intro said she is single and on the calendar there is a heart next to the name Daniel (plus "Daniel" is on the mug as well, but I touch others' mugs only as a last resort), so my first try for the password was name+month+day, naturally :)


Love the concept, but gave up without any progress. I would mirror much of the previous feedback:

- Make the first puzzle much easier. A quick win would help hook us in.

- The password could be either kid (or is Daniel the husband?), any capitalization, date format, spacing, etc. Too much to brute force by hand.

- The clicking is wonky and I often wondered if I was missing something.


Ok, I’m giving up. Found the password reminder within minutes but didn’t manage to get the password right after 40 minutes of trying. The narrative allowed me to narrow it down to five possible birth dates and two possible birth years.

After several hundred attempts, I haven’t been able to get it right. German date format, ISO date format, with century, without century, name prefixed, nothing prefixed. Feels frustrating but I’m simply too dumb, I guess.


You can narrow down the date exactly, but I can't be bothered to test every format, so it doesn't really help.



I think you need to set a bar of solving the first puzzle a little lower so that we can get an idea of your methods. I too don't have time to sit here brute forcing a game by hand when it could be any capitalization,

and when I wrote this comment, something occurred to me about it and I tried it and got in. Rubber ducky ftw.


I thought I was clever in thinking the code to the filing cabinet would be a birthdate in MMDD format, but I never got it. "5928" made me think the code might be 5280, the number of feet in a mile, but to no avail.

Frustrated, I just entered 0000!


There's a hint in the desk drawer (you need to zoom in even further to see it) that is a reminder to change the passcode.

Similar to a TODO comment... it just never got done.


Is it really a reminder to change the drawer passcode, or rather a password hint for the computer in case Anne ever forgets?


The bottom drawer is a reminder for the top drawer lock, the top drawer is for the computer.


The click action is bugged - I clicked the mug 5 times and it didn't do anything, 6th time it turned around

Also took me a while to figure out the calendar zoomed in because it didn't work the first few times

Is there a way of finding out the format in the game? I would never have tried that


Yep, bugged me too. Looked at the JS source to see what clickable items I missed. Then guessing the password was a lot easier. Also, trying the cheaphash function in the console was a lot faster than entering and re-entering the username. The hash function result is very length dependent, so it was quite clear how long a password I was looking for.


The calendar never zoomed for me. I had to squint to read the names and dates.


Still didn't help me. I've seen both hints and seen the calendar, and after 6 attempts I had to give up, felt a bit frustrated. Maybe accept a range of different answers?


That's a very good idea. Here's a spoiler with the password :)

https://txt.fyi/-/20336/ede282d7/


What is it about the calendar? I’m playing on 1280 × 720 resolution, can’t see shit on the calendar nor zoom in.


How can you narrow down the date exactly? The vacation is one week long so the date could be any working day, couldn’t it?


Well, apparently she has 2 kids? Ryan and Daniel (mug reveals "Daniel" with a crudely drawn baby). Then if you look at the calendar you can see Daniel was born June 12 and Ryan was born December 5, but beyond that I can't figure out a year.

Username is "anne.kingston" but I've tried all the following passwords to no avail:

- June12

- june12

- 612

- December5

- december5

- 125


DDMM is what we were supposed to guess somehow. Fine to have to guess that for a pen test or real security analysis, less fun for a game where you have no clue if you're really on the right track.


Swiss people don’t use American date order.


Format is Name1234


Thanks, that made sense. It never occurred to me that there are two kids involved and that the calendar is clickable.


Hi Hackbraten, maintainer here.

Thanks for the feedback and sorry you didn't find the password! We're considering adding a uhs-hints.com-style guide in the future.

Here's a hint with another hint included: https://txt.fyi/-/20336/e86ca3bf/


Thank you for your reply.

How would I be able to read the calendar? Is there a minimum resolution to play this game?


I had to make another account because my other one is too new and got blocked for posting too fast \o/

The calendar should be clickable and it should then be readable. But I've just tested and there seems to be a glitch that makes it hard to click.

Try to click on the black lines! I'll fix this as soon as possible.


Ack, I'm really sorry—the rate limiting is harsher on new accounts because of past activity by spammers and trolls, and is definitely not intended to throttle legit users like yourself.

I've allowed the stuck comments to go through and have merged the comments from your second account back into this one, so they're all in one place. I've also marked this account legit so you can post as much as you want. Welcome to HN in any case! Let us know at hn@ycombinator.com if we can help with anything.


Thanks, that’s super helpful! And sorry you had to jump through hoops regarding your account.


if you click the calendar it zooms in....sometimes

The UI is really bugged, try clicking all over the calendar, it should eventually zoom in


I got it after many attempts but, I confess, by tinkering directly with the `cheapHasher` JS function in the console. With that in-game form, it could have taken ages to guess.


It's pretty nice! I just wish there was a button to zoom out; this got me confused at first and I refreshed the browser thinking it was a glitch. The desk has a + button to zoom, surely you could leave it there at all times and add a - button next to it.

Otherwise, great job!


Good point. The controls need better alignment. I had some trouble with the svg zoom and pan stuff and I was trying to stay away from using too many frameworks so the solution is still a bit buggy.

Taking this to the list of to-dos.


Concept reminds me of the hacking minigame from ‘Enter the Matrix’ on PlayStation 2. The game presented you with a DOS prompt and a few simple commands; you had to unlock new commands and uncover hidden information by exploring the file structure and inferring from the output of commands available to you.

Made a very positive impression on a much younger me. The DOS prompt on my parents’ PC had always been a bit scary, since I didn’t really know what I was doing and was worried I might mess something up. The game was a (very limited) sandbox in which I could mess around without consequences:

https://www.ign.com/wikis/enter-the-matrix/Hacking


I quite enjoyed it, and think it's worthwhile.

Suggestions:

- The targets for mouse clicks are definitely too small (you've heard that already). Could also do something like clicking whilst zoomed in to zoom back out, or just standardising the buttons to +/-.

- Add a way to get all the way back to the preamble, and a writeable notepad of some description.

- Tighten up the initial login validation - I found plausible passwords that neither passed nor failed, if that makes sense. (DM me for details, or I can write up here if you like.)


It was nice to take a break after work and have a quick challenge. I guess the hard part was the password, after login it was over quickly. The game almost lost me on password guessing, I misunderstood something and had a different date. Hammering away at the password wasn't fun. Between guessing the name, the date, the date format, and case sensitivity, it leaves one with too many options to hammer away at manually.


I got frustrated trying out different passwords, so I looked at the source code.

The username is "anne.kingston". I found the password hash, but not sure how to go back to get the password itself.

Password hash: (hashy == "3880" && saltedhashy == "2425")

The hash is computed in a loop as: `prehash += (s[i].charCodeAt() * (i+1));`

I'm not sure how to reverse this. Maybe someone can help?

Here's a tuple of passwords tried and their hash and salthash:

(Password, Hash, Salthash)

(daniel, 8221, 2197)

(hello, 7004, 3970)

(password, 3970, 1268)

(123, 302, 4415)

(something, 4814, 2749)


Yeah the JS gives some snide comments about this being the 'creative' way. But this is what I like about pentesting. There is no good or bad way. If you get stuck, try something else. Any way you can break the system is a good one.


Just brute-force it. With a hash that small there's bound to be tonnes of collisions.
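An added example, written for this thread and not taken from the game's source or any commenter: it reconstructs only the loop body quoted a few comments up (`prehash += (s[i].charCodeAt() * (i+1));`), checks it against the (password, hash) values posted there, and shows the two weaknesses the thread touches on, that the sum leaks the password length and that it collides trivially. The game's salt step and any final reduction are not on the page, so `prehash` is an assumption that happens to reproduce the posted values; `possibleLengths` and `collide` are my names.

```javascript
// Added example, not the game's code. Only the quoted loop body is
// reconstructed: prehash += s[i].charCodeAt() * (i+1). The salt step and
// any final reduction used by the real cheapHash are not on the page.

function prehash(s) {
  let acc = 0;
  for (let i = 0; i < s.length; i++) {
    acc += s.charCodeAt(i) * (i + 1);
  }
  return acc;
}

// Length leak: a string of length n with character codes in lo..hi sums
// to somewhere in lo*T(n) .. hi*T(n), T(n) = n(n+1)/2, so a single hash
// value rules out most lengths. Returns the lengths still possible.
function possibleLengths(target, lo, hi) {
  const lengths = [];
  for (let n = 1; ; n++) {
    const t = (n * (n + 1)) / 2;
    if (lo * t > target) break;        // every longer string sums too high
    if (hi * t >= target) lengths.push(n);
  }
  return lengths;
}

// Trivial collision: adding (j+1) to char i and subtracting (i+1) from
// char j changes the string but leaves the weighted sum unchanged.
// Returns a different printable string with the same prehash, or null.
function collide(s) {
  const codes = Array.from(s, (ch) => ch.charCodeAt(0));
  for (let i = 0; i < codes.length; i++) {
    for (let j = 0; j < codes.length; j++) {
      if (i === j) continue;
      const a = codes[i] + (j + 1);
      const b = codes[j] - (i + 1);
      if (a > 126 || b < 32) continue;  // stay within printable ASCII
      const out = codes.slice();
      out[i] = a;
      out[j] = b;
      return String.fromCharCode(...out);
    }
  }
  return null;
}

// Values posted in the thread: (password, 3970), (123, 302),
// (something, 4814), plus d3cem8er5 -> 3880 from a later comment.
function demo() {
  const samples = ["password", "123", "something", "d3cem8er5"];
  return samples.map((p) => ({
    password: p,
    hash: prehash(p),
    lengthsIfAlnum: possibleLengths(prehash(p), 48, 122),
    sameHashAs: collide(p),
  }));
}
```

The (daniel, 8221) and (hello, 7004) rows in the posted table do not match this sum, which is consistent with the maintainer's function doing more than the one quoted line.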


Solid prototype! As others have pointed out the clicking is a bit janky on Firefox but the exploratory aspect and world building is well done.

One thing I noticed is that the real online banking window displays "UPC Bank" in the title bar (just like the fake one). I guess that's a mistake since that was one of the main giveaways that it was fake.


When I logged into the virtual password manager in the game my actual password manager wanted to add the account!


Did anybody else notice the password d3cem8er5 generates the correct cheapHash of 3880, but the salted hash fails? I get redirected to a non-existing page (i.e. get a 404). Was that an intentional red herring or just a coincidence? lol


Are the "File 1" and "File 2" links in mail supposed to open something? I got to that point and I think that's how to find the bank account number but I'm not sure.


Is it intended that the website of the bank has several typos? And yes, I do mean the real website. "Correnspondant" and "sreamlined", for example.


I think it's nice. I'd definitely play another one if you made it. I completed the first part of the puzzle, but wasn't able to figure out where Anne went.


Thanks! That last part is actually still incomplete. I'll let you know when there is a new version.

It's great to know you like the game type. I've considered turning this into an easily adaptable format so this is within our scope :)


This was a fun game, even with the few bugs. Thanks for sharing this, I look forward to seeing more things like it in the future.


A000-0000-0000... not sure what to do with it :)

If it's indeed the end, nice game!

edit: although, I still haven't found Anne's location


It does say "here you will be able to find Anne's location", I'm just saying author got lazy and didn't actually post something about the location?


I suspect that you should be able to find the location from Annie's bank transactions, but I don't know the account code (and, ahem, looking at the JS source, it seems that only the company account is implemented).


You can find all the info for logging in to the bank account, but I couldn't find a location information there (or I did not recognize it).


I did manage to log in to the company account and delete the standing order.

I couldn't find the account id for her bank account. Is it supposed to be there? I'll keep looking.

edit: the WIP message in the messaging system makes me think that you can't yet track Annie.

Also, is it supposed to be so simple to find the account password?


Ah, my bad... didn't find the personal acc number as well. The passwords are way too easy to find, yes, but you're not tracking down a security engineer but an "everyday Karen" :)


Well, at the moment I got the "winning code" notification, I still didn't know her location.


I love this idea, I think the execution could be taken next level but that's really cool.


I "won" but I still feel like I'm missing something. Where's Anne?


"Aah! You've found an end of the prototype. This will be the place where you can figure out where Anne might be... However, if you haven't stopped the transactions yet, keep playing :)"

I won't tell where this is to avoid spoilers :)


I found that too. It’s just that there is a lot of detail, eg in the emails etc, that don’t seem to contribute anything to the game, and then you hit this abrupt place where it says “this will tell you where Anne is”, but it doesn’t.

It feels like there should be some other thing to explore somewhere that makes sense of the emails and the cake and the odd tweets.


Ask Quidder:

> Aah! You've found an end of the prototype. This will be the place where you can figure out where Anne might be...

> However, if you haven't stopped the transactions yet, keep playing :)


I won! I had to get the bank account number from the JS source however :)


I would say that is equivalent to asking Marwin. So you pass :)

In fact, this is a welcome solution to the game. When used as an educational tool, this can be used as a starting point to discuss ways to bypass intended ways of accessing something.


Yeah the click zone on the object where you find the bank account is so small I thought it wasn't clickable. In the end I looked at the JS and then it became clear where it was and that it was actually clickable.

PS: Marwin sounds like a dick. He's whinging about her holidays and doesn't even know about her newborn, clearly didn't give her maternity leave either. I don't think I'd actually help him :D


I’m always happy to find homages to the Simpsons in random places :)

Go Isotopes!


Can someone help me reverse the hashing function if I know the result is 3880? How do I get the length and the string value?


"Marwin Mueller, age 6 ... " What?


Hi, maintainer here. I've fixed that, haha :) Thanks for pointing it out. That was one hasty translation this afternoon.


I was like, that explains the conflict with Anne's son.


Indeed. It is very common among 6 year old bosses to dislike their employees' same-aged children.


What's the password manager password?


it's "scrolldown" :D


What to do with the winner code?


Congrats for winning!

At the moment this is a placeholder :)

We're considering including this game in another project once it's a little more mature.



