Disclaimer
Since I first started writing, CD Projekt Red (CDPR) has stopped serving the IP address and domain contained within this post. It is unfortunate that readers can no longer follow along to see the Easter Egg(s) CDPR put out there for people to find.
Instead, you'll have to just take my writing for what it's worth. 🤷♂️
Mainstream Hacking
Some good and mostly accurate examples of computer forensics within Hollywood are The Social Network and The Matrix.
However, for every good example, there are many more facepalms.
Which is why watching the Cyberpunk 2077 Collector's Edition Unboxing video had me so happy -- they get it right!
The What
The opening frames show the usage of a few tools:
- nmap: network discovery
- sshscan: hadn't heard of this before, but seems like a crypto cipher enumerator
- ssh: remote logins
Some details the tools use:
- Domain: internal-cdprojektred.com
- Port: 2020
- Username: samurai
- Password list: pwddb.txt
- Password: WhenItsReady
The How
(I'm running these tools in kalilinux/kali-linux-docker.)
The domain, internal-cdprojektred.com, is given to us, and it resolves:
# dig +noall +answer internal-cdprojektred.com @8.8.8.8
internal-cdprojektred.com. 3599 IN A 46.101.148.249
# ping -c 1 internal-cdprojektred.com
PING internal-cdprojektred.com (46.101.148.249) 56(84) bytes of data.
--- internal-cdprojektred.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
# traceroute 46.101.148.249
traceroute to 46.101.148.249 (46.101.148.249), 30 hops max, 60 byte packets
1 172.17.0.1 (172.17.0.1) 1.581 ms 1.487 ms 1.450 ms
2 10.50.11.1 (10.50.11.1) 3.986 ms 3.985 ms 4.038 ms
3 96.120.88.113 (96.120.88.113) 11.686 ms 17.663 ms 16.383 ms
4 be-10008-rur01.santaclara.ca.sfba.comcast.net (162.151.30.161) 17.855 ms 17.654 ms 17.588 ms
5 be-232-rar01.santaclara.ca.sfba.comcast.net (162.151.78.253) 17.238 ms 17.261 ms 17.233 ms
6 be-3651-cr02.sunnyvale.ca.ibone.comcast.net (68.86.91.73) 17.343 ms 12.798 ms 11.679 ms
7 be-11083-pe02.529bryant.ca.ibone.comcast.net (68.86.84.14) 16.934 ms 10.560 ms 16.980 ms
8 ix-xe-0-1-1-0.tcore1.pdi-palo-alto.as6453.net (66.198.127.33) 16.724 ms ix-xe-1-3-0-0.tcore1.pdi-palo-alto.as6453.net (66.198.127.13) 16.086 ms ix-xe-8-1-0-2-0.tcore1.pdi-palo-alto.as6453.net (66.198.127.17) 16.487 ms
9 if-ae-2-2.tcore2.pdi-palo-alto.as6453.net (66.198.127.2) 155.684 ms 154.821 ms 155.476 ms
10 if-ae-5-2.tcore2.sqn-san-jose.as6453.net (64.86.21.1) 168.293 ms 167.327 ms 167.805 ms
11 if-ae-1-2.tcore1.sqn-san-jose.as6453.net (63.243.205.1) 167.752 ms 167.628 ms 160.262 ms
12 if-ae-12-2.tcore1.nto-new-york.as6453.net (63.243.128.28) 164.536 ms if-ae-0-2.tcore1.nto-new-york.as6453.net (63.243.128.30) 169.497 ms if-ae-12-2.tcore1.nto-new-york.as6453.net (63.243.128.28) 163.594 ms
13 if-ae-7-2.tcore1.n0v-new-york.as6453.net (63.243.128.26) 168.736 ms 166.945 ms 167.548 ms
14 if-ae-2-2.tcore2.n0v-new-york.as6453.net (216.6.90.22) 157.750 ms if-ae-14-2.tcore2.av2-amsterdam.as6453.net (80.231.131.161) 150.210 ms 153.890 ms
15 if-ae-2-2.tcore1.av2-amsterdam.as6453.net (195.219.194.5) 151.994 ms if-ae-4-2.tcore2.l78-london.as6453.net (80.231.131.157) 163.597 ms if-ae-2-2.tcore1.av2-amsterdam.as6453.net (195.219.194.5) 152.652 ms
16 if-ae-6-2.tcore1.fnm-frankfurt.as6453.net (195.219.194.150) 160.780 ms if-ae-14-2.tcore2.av2-amsterdam.as6453.net (80.231.131.161) 157.217 ms if-ae-6-2.tcore1.fnm-frankfurt.as6453.net (195.219.194.150) 160.609 ms
17 if-ae-7-2.tcore1.fr0-frankfurt.as6453.net (195.219.50.1) 151.111 ms if-ae-2-2.tcore1.av2-amsterdam.as6453.net (195.219.194.5) 154.288 ms 155.822 ms
18 195.219.50.42 (195.219.50.42) 151.091 ms if-ae-6-2.tcore1.fnm-frankfurt.as6453.net (195.219.194.150) 162.661 ms if-ae-45-2.tcore1.fr0-frankfurt.as6453.net (195.219.50.20) 152.229 ms
19 * if-ae-9-2.tcore2.fr0-frankfurt.as6453.net (5.23.30.17) 156.742 ms *
20 195.219.50.90 (195.219.50.90) 179.053 ms * *
21 * * 195.219.50.42 (195.219.50.42) 155.377 ms
33 * * *
So this is a real domain with a public A record, but the host (and some routers along the way) does not answer ICMP echo requests or traceroute probes, which is why ping shows 100% loss and the trace ends in asterisks. The domain's registrar is Amazon according to the WHOIS lookup, but its details are private beyond that. Registrar and hosting provider are separate things, so I also checked whether the IP address itself falls inside Amazon's published AWS ranges:
#! /usr/bin/env python3
"""Check whether an IP address (or CIDR) falls inside a published AWS range."""
from ipaddress import ip_address, ip_interface, ip_network
import json
import requests
import sys

URL = 'https://ip-ranges.amazonaws.com/ip-ranges.json'


def is_aws_ip(ip):
    """Return the AWS prefix records that contain `ip` (an empty list if none)."""
    aws = requests.get(URL, timeout=10).json()
    # Key each record by its network so the membership test below is explicit.
    awsv4 = {ip_network(a['ip_prefix']): a for a in aws['prefixes']}
    awsv6 = {ip_network(a['ipv6_prefix']): a for a in aws['ipv6_prefixes']}
    aws = {**awsv4, **awsv6}
    if '/' in ip:
        ip = ip_interface(ip).ip   # take the host address out of a CIDR
    else:
        ip = ip_address(ip)
    # `in` is False across address families, so v4 vs v6 needs no special case.
    return [v for k, v in aws.items() if ip in k]


if __name__ == "__main__":
    ret = is_aws_ip(sys.argv[1])
    print(json.dumps(ret, indent=2))
    sys.exit(0 if ret else 1)
Which it's not:
root@2a684adb05fa:/# python3 aws.py 46.101.148.249 ; echo $?
[]
1
The empty list and 1 return code indicate no AWS address block contains the supplied IP.
Using nmap to see what's open, as demonstrated in the video, shows the open ports with the associated service/version:
# nmap -sV internal-cdprojektred.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-28 23:18 UTC
Nmap scan report for internal-cdprojektred.com (46.101.148.249)
Host is up (0.00074s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
2020/tcp open tcpwrapped
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.45 seconds
A version scan (-sV) shows port 2020 open but labels it tcpwrapped. That label is not a service name: nmap uses it when the TCP handshake completes but the peer closes the connection before sending a banner or answering any probe, which is the behaviour of a daemon guarded by TCP wrappers (hosts.allow/hosts.deny) or a similar access control. Behind it, as the video shows, is an SSH server.
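The quickest way to settle what a tcpwrapped port really is, short of a full nmap rerun, is to connect and read whatever the service volunteers before the client says anything: an SSH daemon must send its identification string ("SSH-2.0-..." per RFC 4253) first, whereas a wrapped listener closes with nothing. The script below is an added example, not the post's own code and not anything taken from CDPR's server; the banner samples it checks are constructed, and the host/port arguments are assumed to be whatever you are probing.

```python
#!/usr/bin/env python3
"""Tell a real SSH listener apart from a 'tcpwrapped' port by reading the
SSH identification string (RFC 4253 section 4.2) the server must send first."""
import re
import socket
from typing import Optional

# RFC 4253: "SSH-protoversion-softwareversion SP comments CR LF"
_SSH_ID = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_ssh_banner(raw: bytes) -> Optional[dict]:
    """Return the fields of an SSH identification string, or None if the
    bytes contain none (e.g. an empty read from a tcpwrapped port)."""
    # A server may send other lines before the identification line; the
    # identification line is the first one beginning with "SSH-".
    for line in raw.decode("ascii", errors="replace").splitlines():
        m = _SSH_ID.match(line.strip())
        if m:
            return {
                "proto": m.group("proto"),
                "software": m.group("software"),
                "comments": m.group("comments") or "",
            }
    return None


def classify(raw: bytes) -> str:
    """Label what a connect-and-read observed, roughly in nmap's terms."""
    if parse_ssh_banner(raw):
        return "ssh"
    if not raw:
        return "tcpwrapped"   # handshake completed, peer closed without a banner
    return "unknown"


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect and read whatever the service sends before we speak.
    Network I/O; the offline samples below do not exercise this."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(256)
        except socket.timeout:
            return b""


# Constructed sample reads (assumed values, not captures from CDPR's host).
SAMPLES = {
    b"SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2\r\n": "ssh",
    b"": "tcpwrapped",
    b"220 mail.example.test ESMTP\r\n": "unknown",
}

if __name__ == "__main__":
    import sys
    # Usage: python3 banner.py <host> <port>   (host and port are assumed)
    host, port = sys.argv[1], int(sys.argv[2])
    data = grab_banner(host, port)
    print(classify(data), parse_ssh_banner(data))
```

If classify() returns "tcpwrapped" from your own address but the video's characters get a login prompt, the difference is almost certainly a source-address allow list rather than a different service, which is exactly the situation TCP wrappers produce.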
The Disappointment
It was at this point in writing the blog post that I waited too long.
CDPR took down their domain name:
# dig +noall +answer internal-cdprojektred.com @8.8.8.8 | wc -l
0
No DNS ANSWER section is returned.
And port 2020 on the previously resolved IP address is no longer listening:
# nc -zw 3 46.101.148.249 2020 ; echo $?
1
No TCP connection can be made with the previously known IP address and port.
So, my further investigations are halted. I wanted to show their usage of a special, restricted shell called rbash which had certain features disabled. It was really neat.
I also cannot show the interaction of transferring content from their server to my client using scp, but I can at least show the recipe:
# scp -vrP 2020 samurai@internal-cdprojektred.com:Cyberpunk_2077 .
- scp: secure copy (remote file copy program)
- -vrP 2020: -v for verbose output, -r to recursively copy directories, and -P for which port should be used, in this case 2020
- samurai@internal-cdprojektred.com: the username and domain hinted to us
- :Cyberpunk_2077: the remote directory from which we want to copy, relative (the part after the colon) to the samurai user's home folder (so probably something like /home/samurai/Cyberpunk_2077)
- .: the local directory to which we want to copy
The Content
Luckily, I did grab the Cyberpunk 2077 content while it was available.
Looking forward to playing Cyberpunk 2077 when it releases!