@eyecatchup
Last active August 23, 2023 03:12
A collection of "Mr. Robot" Season 2 Easter Egg Sites. #mrrobot #hackingrobot #robotegg

Mr. Robot Season 2 Easter Egg Sites

1. Ransomware webpage

On load, this page displays a countdown timer starting at 24:00:00. When the timer runs out, the following "hidden" message is revealed:

I sincerely believe that banking establishments are more dangerous than standing armies, and that the principle of spending money to be paid by posterity, under the name of funding, is but swindling futurity on a large scale.
– Thomas Jefferson

2. E Corp maintenance page

Maintenance page for the fictional E Corp webpage. Opposite of the Evil Corp version.

3. Evil Corp maintenance page

Maintenance page for the fictional Evil Corp webpage. Opposite of the E Corp version.

A subdomain of the Evil Corp site is shown in an S2 trailer on Facebook, when Elliot connects as follows:

ssh -l root bkuw300ps345672-cs30.serverfarm.evil-corp-usa.com

4. Confictura Industries webpage

GIF-bloated '90s "Under construction" webpage. Nothing special here (afaik).
In S02E01, the QR code in Elliot's notebook points to this website.

5. Others

@eyecatchup
Author

eyecatchup commented Jul 12, 2016

@GavinEke

A side note about the evil corp subdomain in number 3.

bkuw300ps345672 is the hostname of the server on which Elliot finds the fsociety00.dat file, and CS30 is the "honeypot" Allsafe implements in Evil Corp's network.

@jeroenvisser101

http://www.fsoc.sh/ -> "LEAVE ME HERE"

@glennferrie

From Season 2 Episode 6, did anyone figure out anything useful to do with the femtocell that Angela left under the desk @ E-Corp?

http://l4713116.e-corp-usa.com/ (address of the femtocell that Angela accesses from her terminal)

@saschalalala

@glennferrie you can only cd bin and then ./EnableAttack with the same parameters Angela has to use in the episode. Nothing more afaik

@lesthack

lesthack commented Aug 15, 2016

Yep @saschalalala, something like that: ./EnableAttack femtopwn WLAN0,WLAN1 2

@aaranmcguire

@thinkbeforecoding

thinkbeforecoding commented Aug 19, 2016

There's also http://192.251.68.245 from the direction board in S02E06... with this strange message in the BBS:

I really love this BBS! I've been reading all kinds of things. The other day!
I looked at some cool ANSI Art. And then I Paged that Sysops guy! but he
didn't respond so I checked the bulletins, paged Sysops AGAIN, checked
out some ANSI Art and paged Sysops just to see if he was there and then
delved into the Bulletins section once more.

I tried the same sequence but could not find anything new

@GuiFV

GuiFV commented Sep 16, 2016

ghost commented Sep 23, 2016

If you type in "A P B P A P B" at the http://102.251.68.245 site, you can download 8 jpegs of "Affirmations".
You have to wait for the sysop to not respond after entering each "P".

ghost commented Sep 23, 2016

If you type in "A P B P A P B" at the http://192.251.68.245 site, you can download 8 jpegs of "Affirmations".
You have to wait for the sysop to not respond after entering each "P".

@johnowhitaker

e-corp-usa.com (the maintenance page) has an employee login option. evil-corp-usa.com does not, but going to http://www.evil-corp-usa.com/login/ gets you a username and password entry. No luck getting further so far.

@enociz

enociz commented Sep 30, 2016

@eyecatchup @Rep7il3 found anything about the logins for the stage.*.com's?

@enociz

enociz commented Sep 30, 2016

http://www.conficturaindustries.com/

Clicking the "Geocity of the day" image/widget takes you to http://www.red-wheelbarrow.com/. This also has a menu... I'm not sure what more you'd want with it. The Red Wheelbarrow is where Tyrell draws his quote from at the start of S2E12.

@philerooski

An employee at my company sent us the "Ransomware webpage" as a link - no comments whatsoever - via Slack and we ended up banning his Slack account before realizing the joke. Way too legitimate!

@jamiechong

@johnowhitaker perhaps the username is Angela_Moss as seen in S02E06 00:31:39

@jamiechong

jamiechong commented Oct 14, 2016

@johnowhitaker Actually the login info to http://www.e-corp-usa.com/login can be found at S02E09 00:15:12
u: joseph.green
p: holidayarmadillo

Sending an email to the "help desk" gives a nice auto response, with possibly some more easter eggs. The email sent to me has a case number 5B834E0D662F4E004E2A586B5B576E38620F. Are they all the same?

@MonkeyDo

@jamiechong, confirmed, case number 5B834E0D662F4E004E2A586B5B576E38620F

@merlinnusr

http://www.racksure.com/
https://www.seeso.com/ (keep an eye on stage.seeso.com)

In what episode do these sites appear?

@Krolo2

Krolo2 commented May 24, 2017

37.3992,-122.0333 are the coordinates of the host of the help desk email. Does this help? XD

@0x44616564616c7573

https://compute.e-corp-usa.com/
Season three. Found via following his Shodan search on the premiere episode.
If I had to guess, I would say it probably requires an Apache exploit because it's labeled as an Apache website last changed in 2015, but I'm not willing to stray that far past the line of illegality to find out.

Reminds me of Equifax, actually.

If anyone does check into that, I would suggest contacting them before trying anything stupid, especially with their terms and conditions. (Full range of legal remedies, etc, etc.)

@krisztian999tr

krisztian999tr commented May 9, 2018

The page from the "shipping" scene:
https://www.e-corp-usa.com/cp/directory/shipping/1088989/
AdobeTracking.pageName = 'E-Corp USA Shipping : 1088989 : Login Error';

@eyecatchup
Author

eyecatchup commented Mar 17, 2019

test@test.com lorem ipsum @mention and a code block

// @see
var x = '';

and one more:

// @see
var x = '';

@duhaime

duhaime commented Sep 28, 2019

Confictura Industries webpage - http://www.conficturaindustries.com/. Check the javascript here (specifically c.js). There are a bunch of events bound to the little site visit counter. Clicking the site visit counter changes the digit you click. Seems that data is being posted to /c.php and presumably if the code is right the server will send something interesting back...

Edit: This thread has outstanding work on this puzzle: https://www.reddit.com/r/ARGsociety/comments/54z4k1/the_confictura_industries_counter_puzzle_revisited/#thing_t1_d86psny

TLDR: setting the counter to 0736565 (or running curl http://www.conficturaindustries.com/check.php --data 'a=0736565&b=' -X POST) changes the counter to an input form, but no one knows what the correct input to post is, and the native javascript on that page seems to just reload the current page on success anyway, so one should post from another utility.

I'm trying a brute force approach with values of b 0 to 1M. (Just save the following as check.py and run python check.py to run something similar).

import subprocess, json

for i in range(1000000):
  cmd = "curl http://www.conficturaindustries.com/check.php --data 'a=0736565&b={}' -X POST".format(i)
  response = subprocess.check_output(cmd, shell=True)
  j = json.loads(response.decode('utf8'))
  if j != {'response': True}:
    print(i, j)
    break

@ferret786

Does anyone know the password for the DA_remote site that you get to after going to whoismrrobot.com/masscre ???

@pikami

pikami commented Oct 13, 2019

Does anyone know the password for the DA_remote site that you get to after going to whoismrrobot.com/masscre ???

Catoptric
