Hi, I'm the maintainer and put together the code for this first working prototype of the digital version of the game. Thanks already for your feedback!
I will gladly provide hints here if you get stuck :)
I think there are a lot of best practices that can be rehearsed in this format
Recently I had been thinking about how interesting it would be to have a movie or tv show where a protagonist is trying to guess someone's password and they encounter a password manager and give up, or the character tells them they use a password manager as if it was the most obvious thing to do. That would make more sense than sticky notes or seeing some hint in the room that reveals the password.
I kind of enjoy the graphics... Makes the focus to be shifted on the actual gameplay. You care about the process of discovery more this way. At least that's how it worked for me, but I'm not a regular game player person.
I think the only other confusing part is the bank email. Given that the premise is that her cybersecurity is weak, I would think that the transactions are actually because she fell for it.
No the top one with the code. It provides a clear hint on the password of the computer. And the code is really stupid (not even a birthday or anything ;) )
Okay, I did find that hint, but the problem is that while it gives you a hint on what you're looking for, there are so many possibilities for how you can type a date as a password (assuming it is the 31st January 2010, which it is not):
2010-01-31
20100131
2010.01.31
31.01.2010
01-31-2010
01/31/10
31.1.2010
31st January 2010
3101
Just to give some examples. If the name of a person can be added, there are a lot more combinations. If there are even multiple people (as in this case) you might even think about mixing those dates.
* I struggled to understand what was clickable. The little red thing on the table seemed important. I guess not.
* Please don't make passwords case sensitive in games like this
* The puzzle felt too tough without the hint you posted. I'm not sure how I was supposed to know the password format. I wasn't able to open the drawer until mistakenly thinking the win code was the solution to the drawer, which it sort of was. But I more or less guessed the name and date were the password. I likely wouldn't have gotten it for a long time unless you posted the format.
* The stuff on the computer felt a little too simple. It also implied there was more to the game after the win code but I think not?
Actually I did not feel it was too tough. The intro said she is single and on the calendar there is a heart next to a name Daniel (plus "Daniel" is on the mug as well, but I touch others' mugs only as a last resort), so my first try for the password was name+month+day naturally :)
Ok, I’m giving up.
Found the password reminder within minutes but didn’t manage to get the password right after 40 minutes of trying. The narrative allowed me to narrow it down to five possible birth dates and two possible birth years.
After several hundred attempts, I haven’t been able to get it right. German date format, ISO date format, with century, without century, name prefixed, nothing prefixed.
Feels frustrating but I’m simply too dumb, I guess.
I think you need to set a bar of solving the first puzzle a little lower so that we can get an idea of your methods. I too don't have time to sit here brute forcing a game by hand when it could be any capitalization,
and when I wrote this comment, something occurred to me about it and I tried it and got in. Rubber ducky ftw.
I thought I was clever in thinking the code to the filing cabinet would be a birthdate in MMDD format, but I never got it. "5928" made me think the code might be 5280, the number of feet in a mile, but to no avail.
Yep, bugged me too. Looked at the js source to see what clicked items I missed. Then guessing the password was a lot easier. Also trying the cheaphash function in the console was a lot faster than entering and re-entering the username. The hash function result is very length dependent, so it was quite clear how long of a password I was looking for.
Still didn't help me. I've seen both hints and seen the calendar, and after 6 attempts I had to give up, felt a bit frustrated. Maybe accept a range of different answers?
Well, apparently she has 2 kids? Ryan and Daniel (mug reveals "Daniel" with a crudely drawn baby). Then if you look at the calendar you can see Daniel was born June 12 and Ryan was born December 5, but beyond that I can't figure out a year.
Username is "anne.kingston" but I've tried all the following passwords to no avail:
DDMM is what we were supposed to guess somehow. Fine to have to guess that for a pen test or real security analysis, less fun for a game where you have no clue if you're really on the right track.
Ack, I'm really sorry—the rate limiting is harsher on new accounts because of past activity by spammers and trolls, and is definitely not intended to throttle legit users like yourself.
I've allowed the stuck comments to go through and have merged the comments from your second account back into this one, so they're all in one place. I've also marked this account legit so you can post as much as you want. Welcome to HN in any case! Let us know at hn@ycombinator.com if we can help with anything.
I got it after many attempts but, I confess, by tinkering directly with the `cheapHasher` JS function in the console. With that in-game form, it could have taken ages to guess.
It's pretty nice! I just wish there was a button to zoom out, this got me confused at first and I refreshed the browser thinking it was a glitch. The desk has a + button to zoom, surely you could leave it there at all time and add a - button next to it.
Good point. The controls need better alignment. I had some trouble with the svg zoom and pan stuff and I was trying to stay away from using too many frameworks so the solution is still a bit buggy.
Concept reminds me of the hacking minigame from ‘Enter the Matrix’ on PlayStation 2. The game presented you with a DOS prompt and a few simple commands; you had to unlock new commands and uncover hidden information by exploring the file structure and inferring from the output of commands available to you.
Made a very positive impression on a much younger me. The DOS prompt on my parents’ PC had always been a bit scary, since I didn’t really know what I was doing and was worried I might mess something up. The game was a (very limited) sandbox in which I could mess around without consequences:
-The targets for mouse clicks are definitely too small (you've heard that already). Could also do something like clicking whilst zoomed in to zoom back out, or just standardising the buttons to +/-.
-Add a way to get all the way back to the preamble, and a writeable notepad of some description.
-Tighten up the initial login validation - I found plausible passwords that neither passed nor failed, if that makes sense. (DM me for details, or I can write up here if you like.)
It was nice to take a break after work and have a quick challenge. I guess the hard part was the password, after login it was over quickly. The game almost lost me on password guessing, I misunderstood something and had a different date. Hammering away at the password wasn't fun. Between guessing the name, the date, the date format, and case sensitivity, it leaves one with too many options to hammer away at manually.
Yeah the JS gives some snide comments about this being the 'creative' way. But this is what I like about pentesting. There is no good or bad way. If you get stuck, try something else. Any way you can break the system is a good one.
Solid prototype! As others have pointed out the clicking is a bit janky on Firefox but the exploratory aspect and world building is well done.
One thing I noticed is that the real online banking window displays "UPC Bank" in the title bar (just like the fake one). I guess that's a mistake since that was one of the main giveaways that it was fake.
Did anybody else notice the password d3cem8er5 generates the correct cheapHash of 3880, but the salted hash fails? I get redirected to a non-existing page (i.e. I get a 404). Was that an intentional red herring or just a coincidence lol?
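The length dependence mentioned earlier and the "cheapHash matches but the salted hash fails" case above are two symptoms of the same design issue: a small-output hash is not a password check. This is an added example, not the game's code: `toy_hash` is a constructed stand-in for a tiny client-side hash (not the game's `cheapHasher`), and the PBKDF2 check is a stand-in for its salted hash. It shows that the toy hash leaks length and collides on trivial variants, while the salted check does neither.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import random
import string

ALPHABET = string.ascii_lowercase + string.digits


def toy_hash(password: str) -> int:
    """Constructed stand-in for a weak, small-output client-side hash
    (not the game's cheapHasher): a plain sum of code points."""
    return sum(ord(ch) for ch in password)


def distinct_outputs(samples: int, length: int, seed: int = 1) -> tuple[int, int]:
    """Hash `samples` random passwords of `length` chars with the toy hash and
    with SHA-256; return (distinct toy values, distinct SHA-256 values).
    The toy hash collapses into a few hundred buckets, and its value grows
    with length, so a leaked value reveals roughly how long the password is."""
    rng = random.Random(seed)
    toy_seen, sha_seen = set(), set()
    for _ in range(samples):
        pw = "".join(rng.choice(ALPHABET) for _ in range(length))
        toy_seen.add(toy_hash(pw))
        sha_seen.add(hashlib.sha256(pw.encode()).hexdigest())
    return len(toy_seen), len(sha_seen)


def make_salted(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Server-side style gate: random salt + PBKDF2-HMAC-SHA256 (assumed stand-in
    for 'the salted hash', not the game's code)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored salted digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def cheap_match_vs_real_login(real: str, other: str) -> tuple[bool, bool]:
    """(toy hashes collide?, salted check accepts `other`?). Any anagram of
    `real` collides under toy_hash yet is rejected by the salted check."""
    salt, digest = make_salted(real)
    return toy_hash(real) == toy_hash(other), verify(other, salt, digest)


if __name__ == "__main__":
    # Constructed sample values; "hunetr42x" is just an anagram of "hunter42x".
    print(cheap_match_vs_real_login("hunter42x", "hunetr42x"))  # (True, False)
    print(distinct_outputs(2000, 9))  # toy buckets far below 2000; SHA-256 all distinct
```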
Are the "File 1" and "File 2" links in mail supposed to open something? I got to that point and I think that's how to find the bank account number but I'm not sure.
I think it's nice. I'd definitely play another one if you made it. I completed the first part of the puzzle, but wasn't able to figure out where Anne went.
I suspect that you should be able to find the location from Annie's bank transactions, but I don't know the account code (and ahem, looking at the JS source, it seems that only the company account is implemented)
Ah, my bad... didn't find the personal account number either. The passwords are way too easy to find, yes, but you're not tracking down a security engineer but an "everyday Karen" :)
"Aah! You've found an end of the prototype. This will be the place where you can figure out where Anne might be...
However, if you haven't stopped the transactions yet, keep playing :)"
I found that too. It’s just that there is a lot of detail, e.g. in the emails etc., that doesn’t seem to contribute anything to the game, and then you hit this abrupt place where it says “this will tell you where Anne is”, but it doesn’t.
It feels like there should be some other thing to explore somewhere that makes sense of the emails and the cake and the odd tweets.
I would say that is equivalent to asking Marwin. So you pass :)
In fact, this is a welcome solution to the game. When used as an educational tool, this can be used as a starting point to discuss ways to bypass intended ways of accessing something.
Yeah the click zone on the object where you find the bank account is so small I thought it wasn't clickable. In the end I looked at the JS and then it became clear where it was and that it was actually clickable.
PS: Marwin sounds like a dick. He's whinging about her holidays and doesn't even know about her newborn, clearly didn't give her maternity leave either. I don't think I'd actually help him :D
I will gladly provide hints here if you get stuck :)
Many thanks also to atum47, whose FOS, Fake Operating System I've used for the game. You can find it here: https://github.com/victorqribeiro/fos
We have developed the game at the University of Applied Sciences and Arts Northwestern Switzerland, School of Business, Institute for Cyber Security & Cyber Resilience. https://www.fhnw.ch/en/about-fhnw/schools/business/iwi/cyber...
The game is based on a student work that has been published here: Schneider, Bettina, and Trupti Zanwar. "CySecEscape–Escape Room Technique to Raise Cybersecurity Awareness in SMEs." https://conference.pixel-online.net/FOE/files/foe/ed0010/FP/...