Cyberpunk 2077 Collector's Edition Easter Egg(s)

Disclaimer

Since I first started writing, CD Projekt Red (CDPR) has stopped serving the IP address and domain contained within this post. It is unfortunate that readers can no longer follow along to see the Easter Egg(s) CDPR put out there for people to find.

Instead, you'll have to just take my writing for what it's worth. 🤷‍♂️

Mainstream Hacking

Some good and mostly accurate examples of computer forensics within Hollywood are The Social Network and The Matrix.

However, for every good example, there are many more face palms:

Which is why watching the Cyberpunk 2077 Collector's Edition Unboxing video had me so happy -- they get it right!


The What

The opening frames show the usage of a few tools:

Some details the tools use:

  • Domain: internal-cdprojektred.com
  • Port: 2020
  • Username: samurai
  • Password list: pwddb.txt
  • Password: WhenItsReady

The How

(I'm running these tools in kalilinux/kali-linux-docker.)

The domain, internal-cdprojektred.com, is given to us:

# dig +noall +answer internal-cdprojektred.com @8.8.8.8
internal-cdprojektred.com. 3599 IN      A       46.101.148.249



# ping -c 1 internal-cdprojektred.com
PING internal-cdprojektred.com (46.101.148.249) 56(84) bytes of data.

--- internal-cdprojektred.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms



# traceroute 46.101.148.249
traceroute to 46.101.148.249 (46.101.148.249), 30 hops max, 60 byte packets  
 1  172.17.0.1 (172.17.0.1)  1.581 ms  1.487 ms  1.450 ms
 2  10.50.11.1 (10.50.11.1)  3.986 ms  3.985 ms  4.038 ms
 3  96.120.88.113 (96.120.88.113)  11.686 ms  17.663 ms  16.383 ms
 4  be-10008-rur01.santaclara.ca.sfba.comcast.net (162.151.30.161)  17.855 ms  17.654 ms  17.588 ms
 5  be-232-rar01.santaclara.ca.sfba.comcast.net (162.151.78.253)  17.238 ms  17.261 ms  17.233 ms
 6  be-3651-cr02.sunnyvale.ca.ibone.comcast.net (68.86.91.73)  17.343 ms  12.798 ms  11.679 ms
 7  be-11083-pe02.529bryant.ca.ibone.comcast.net (68.86.84.14)  16.934 ms  10.560 ms  16.980 ms
 8  ix-xe-0-1-1-0.tcore1.pdi-palo-alto.as6453.net (66.198.127.33)  16.724 ms ix-xe-1-3-0-0.tcore1.pdi-palo-alto.as6453.net (66.198.127.13)  16.086 ms ix-xe-8-1-0-2-0.tcore1.pdi-palo-alto.as6453.net (66.198.127.17)  16.487 ms
 9  if-ae-2-2.tcore2.pdi-palo-alto.as6453.net (66.198.127.2)  155.684 ms  154.821 ms  155.476 ms
10  if-ae-5-2.tcore2.sqn-san-jose.as6453.net (64.86.21.1)  168.293 ms  167.327 ms  167.805 ms  
11  if-ae-1-2.tcore1.sqn-san-jose.as6453.net (63.243.205.1)  167.752 ms  167.628 ms  160.262 ms  
12  if-ae-12-2.tcore1.nto-new-york.as6453.net (63.243.128.28)  164.536 ms if-ae-0-2.tcore1.nto-new-york.as6453.net (63.243.128.30)  169.497 ms if-ae-12-2.tcore1.nto-new-york.as6453.net (63.243.128.28)  163.594 ms  
13  if-ae-7-2.tcore1.n0v-new-york.as6453.net (63.243.128.26)  168.736 ms  166.945 ms  167.548 ms  
14  if-ae-2-2.tcore2.n0v-new-york.as6453.net (216.6.90.22)  157.750 ms if-ae-14-2.tcore2.av2-amsterdam.as6453.net (80.231.131.161)  150.210 ms  153.890 ms  
15  if-ae-2-2.tcore1.av2-amsterdam.as6453.net (195.219.194.5)  151.994 ms if-ae-4-2.tcore2.l78-london.as6453.net (80.231.131.157)  163.597 ms if-ae-2-2.tcore1.av2-amsterdam.as6453.net (195.219.194.5)  152.652 ms  
16  if-ae-6-2.tcore1.fnm-frankfurt.as6453.net (195.219.194.150)  160.780 ms if-ae-14-2.tcore2.av2-amsterdam.as6453.net (80.231.131.161)  157.217 ms if-ae-6-2.tcore1.fnm-frankfurt.as6453.net (195.219.194.150)  160.609 ms  
17  if-ae-7-2.tcore1.fr0-frankfurt.as6453.net (195.219.50.1)  151.111 ms if-ae-2-2.tcore1.av2-amsterdam.as6453.net (195.219.194.5)  154.288 ms  155.822 ms  
18  195.219.50.42 (195.219.50.42)  151.091 ms if-ae-6-2.tcore1.fnm-frankfurt.as6453.net (195.219.194.150)  162.661 ms if-ae-45-2.tcore1.fr0-frankfurt.as6453.net (195.219.50.20)  152.229 ms  
19  * if-ae-9-2.tcore2.fr0-frankfurt.as6453.net (5.23.30.17)  156.742 ms *  
20  195.219.50.90 (195.219.50.90)  179.053 ms * *  
21  * * 195.219.50.42 (195.219.50.42)  155.377 ms  
33  * * *  

So this is a real domain with a live address, but the host does not answer ICMP echo requests, and the final hops return none of the ICMP errors traceroute relies on (Linux traceroute sends UDP probes by default; a * means no ICMP Time Exceeded or Port Unreachable came back for that hop). The domain's registrar is Amazon based on the WHOIS lookup, but its details are private beyond this. I also looked to see if this IP address is owned by Amazon:

#!/usr/bin/env python3
"""Check whether an IP address (or CIDR) falls inside any published AWS range."""

from ipaddress import ip_interface, ip_address, ip_network
import json
import requests  # third-party: pip install requests
import sys


URL = 'https://ip-ranges.amazonaws.com/ip-ranges.json'


def is_aws_ip(ip):
    """Return every AWS prefix entry whose network contains `ip` (empty list if none)."""
    aws = requests.get(URL, timeout=10).json()
    # Keep (network, entry) pairs in a list rather than a dict keyed on the
    # prefix: the same prefix is listed under several services (e.g. AMAZON
    # and EC2), and a dict would silently drop all but one of them.
    ranges = [(ip_network(a['ip_prefix'], strict=False), a) for a in aws['prefixes']]
    ranges += [(ip_network(a['ipv6_prefix'], strict=False), a) for a in aws['ipv6_prefixes']]

    # Accept either a bare address or an address with a prefix length.
    ip = ip_interface(ip) if '/' in ip else ip_address(ip)

    # `in` is False when the address families differ, so v4 vs v6 needs no special case.
    return [entry for net, entry in ranges if ip in net]


if __name__ == "__main__":
    ret = is_aws_ip(sys.argv[1])
    print(json.dumps(ret, indent=2))
    sys.exit(0 if ret else 1)

Which it's not:

root@2a684adb05fa:/# python3 aws.py 46.101.148.249 ; echo $?  
[]
1  

The empty list and 1 return code indicate no AWS address block contains the supplied IP.

Using nmap to see what's open, as they demonstrated, shows open ports with the associated service/version:

# nmap -sV internal-cdprojektred.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-28 23:18 UTC  
Nmap scan report for internal-cdprojektred.com (46.101.148.249)  
Host is up (0.00074s latency).  
Not shown: 999 closed ports  
PORT     STATE SERVICE    VERSION  
2020/tcp open  tcpwrapped

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .  
Nmap done: 1 IP address (1 host up) scanned in 15.45 seconds  

Version detection (-sV) confirms port 2020 is open, but nmap reports the service as tcpwrapped: the TCP handshake completed and the connection was then closed before any banner was sent, so none of nmap's service probes could identify it. It's actually an SSH server, reachable on port 2020 instead of the default 22.
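To make the tcpwrapped result concrete, here is an added example (not code from the original post or from CDPR) that simulates both behaviours on localhost: one listener accepts and closes without sending a byte, the other sends an SSH identification string the way sshd does. The probe function then classifies what it read, and its "closed" branch is the condition nc -z exits 1 on. The SSH banner text is a constructed sample, not something captured from the real host, and the listeners and function names are mine.

```python
#!/usr/bin/env python3
"""Why nmap's -sV labels a port "tcpwrapped".

nmap prints "tcpwrapped" when the TCP three-way handshake succeeds but the
peer closes the connection before sending any data, so there is no banner to
match against its service probes.  A real sshd, by contrast, sends its
identification string ("SSH-2.0-...", RFC 4253) as soon as the connection is
up.  Both behaviours are simulated with local listeners below; the banner
text is a constructed sample, not something captured from CDPR's host.
"""
import socket
import threading

# Constructed sample banner in the format sshd sends (RFC 4253 section 4.2).
SSH_BANNER = b"SSH-2.0-OpenSSH_7.9p1 Debian-10\r\n"


def _serve(handler):
    """Start a one-shot listener on 127.0.0.1 (OS-chosen port); return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def start_wrapped_listener():
    """Accept, then close without sending a byte: what nmap reports as tcpwrapped."""
    return _serve(lambda conn: None)


def start_ssh_listener():
    """Accept and immediately send an SSH identification string, like sshd."""
    return _serve(lambda conn: conn.sendall(SSH_BANNER))


def classify_banner(banner):
    """Map the first bytes read after connect to a service label."""
    if not banner:
        return "tcpwrapped"  # EOF with no data: handshake done, then closed
    if banner.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def probe(host, port, timeout=2.0):
    """Connect and read a banner.  Returns (label, banner) where label is one of:

    closed      connection refused / timed out (what `nc -z` exits 1 on)
    tcpwrapped  handshake completed, peer closed before sending data
    silent      handshake completed, peer sent nothing within `timeout`
    ssh         identification string received
    unknown     some other banner
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(256)
            except socket.timeout:
                return "silent", b""
    except OSError:
        return "closed", b""
    return classify_banner(banner), banner


if __name__ == "__main__":
    for name, port in (("wrapped", start_wrapped_listener()),
                       ("sshd", start_ssh_listener())):
        print(name, port, probe("127.0.0.1", port))
```

Running it prints a tcpwrapped result for the first listener and the SSH banner for the second. The "silent" case is kept separate from "tcpwrapped" on purpose: a service that holds the connection open but says nothing (many binary protocols wait for the client to speak first) is a different situation from one that hangs up immediately, and conflating the two is a common mistake when reading scan output.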

The Disappointment

It was at this point in writing the blog post that I waited too long.

CDPR took down their domain name:

# dig +noall +answer internal-cdprojektred.com @8.8.8.8 | wc -l
0  

No DNS ANSWER given.

And the IP Address + port 2020 is no longer LISTENing:

# nc -zw 3 46.101.148.249 2020 ; echo $?
1  

No TCP connection can be made with the previously known IP address and port.

So, my further investigations are halted. I wanted to show their usage of a special, restricted shell called rbash which had certain features disabled. It was really neat.

I also cannot show the interaction in transferring content from their server to my client using scp, but I can at least show the recipe:

# scp -vrP 2020 samurai@internal-cdprojektred.com:Cyberpunk_2077 .

  • scp: secure copy (remote file copy program)
  • -vrP 2020
    • verbose
    • recursively copy directories
    • which Port should be used, in this case 2020 (capital -P for scp; ssh itself uses lowercase -p)
  • samurai@internal-cdprojektred.com: the username and domain hinted to us
  • :Cyberpunk_2077: the remote directory to copy; the colon separates host from path, and a path with no leading / is relative to the samurai user's home folder (so probably something like /home/samurai/Cyberpunk_2077)
  • .: the local directory to which we want to copy

The Content

Luckily, I did grab the Cyberpunk 2077 content while it was available.

Looking forward to playing Cyberpunk 2077 when it releases!