A collection of "Mr. Robot" Season 2 Easter Egg Sites. #mrrobot #hackingrobot #robotegg

mr.robot_season-2_easter-egg-sites.md

Mr. Robot Season 2 Easter Egg Sites

1. Ransomware webpage

• Page Name: AdobeTracking.pageName = 'Mr. Robot : S2 Easter Egg Sites : Ransomware : Home';
• URL: http://i239.bxjyb2jvda.net/
• JS: http://i239.bxjyb2jvda.net/web_analytics.js
• Credit: https://0x41.no/mr-robot-s02e01-easter-egg/

On load, this page displays a countdown timer starting at 24:00:00. When time is over, the following "hidden" message is revealed:

I sincerely believe that banking establishments are more dangerous than standing armies, and that the principle of spending money to be paid by posterity, under the name of funding, is but swindling futurity on a large scale.
– Thomas Jefferson

2. E Corp maintenance page

• Page Name: AdobeTracking.pageName = 'Mr. Robot : S2 Easter Egg Sites : E Corp : Maintenance';
• URL: http://www.e-corp-usa.com/

Maintenance page for the fictive E Corp webpage. Opposite of the Evil Corp version.

3. Evil Corp maintenance page

• Page Name: AdobeTracking.pageName = 'Mr. Robot : S2 Easter Egg Sites : Evil Corp : Maintenance';
• URL: http://www.evil-corp-usa.com/

Maintenance page for the fictive Evil Corp webpage. Opposite of the E Corp version.

A subdomain of the evil corp site is shown in a S2 trailer on Facebook, when Elliot connects as follows:

ssh -l root bkuw300ps345672-cs30.serverfarm.evil-corp-usa.com

4. Confictura Industries webpage

• Page Name: AdobeTracking.pageName = 'Mr. Robot : S2 Easter Egg Sites : Confictura Industries : Home';
• URL: http://www.conficturaindustries.com/
• JS: http://www.conficturaindustries.com/js/webmaster_analytics.js
• Email: webmaster@conficturaindustries.com

GIF-bloated 90's "Under construction" webpage. Nothing special here (afaik).
In S02E01, the QR code in Elliot's notebook points to this website.

5. Others

• Who is Mr. Robot : 420 Hidden Image
• Who is Mr. Robot : July 4th Hidden Image

37.3992,-122.0333 are the coordinates of the host of the help desk email. Does this help? XD

https://compute.e-corp-usa.com/
Season three. Found via following his Shodan search on the premiere episode.
If I had to guess, I would say it probably requires an Apache exploit because it's labeled as an Apache website last changed in 2015- but I'm not willing to stray that far past the line of illegality to find out.

Reminds me of Equifax, actually.

If anyone does check into that, I would suggest contacting them before trying anything stupid, especially with their terms and conditions. (Full range of legal remedies, etc, etc.)

The page from the "shipping" scene:
https://www.e-corp-usa.com/cp/directory/shipping/1088989/
AdobeTracking.pageName = 'E-Corp USA Shipping : 1088989 : Login Error';

test@test.com lorem ipsum @mention and a code block

// @see
var x = '';

and one more:

// @see
var x = '';

Confictura Industries webpage - http://www.conficturaindustries.com/. Check the javascript here (specifically c.js). There are a bunch of events bound to the little site visit counter. Clicking the site visit counter changes the digit you click. Seems that data is being posted to /c.php and presumably if the code is right the server will send something interesting back...

Edit: This thread has outstanding work on this puzzle: https://www.reddit.com/r/ARGsociety/comments/54z4k1/the_confictura_industries_counter_puzzle_revisited/#thing_t1_d86psny

TLDR: setting the counter to 0736565 (or running curl http://www.conficturaindustries.com/check.php --data 'a=0736565&b=' -X POST) changes the counter to an input form but noone knows what the correct input to post is, and the native javascript on that page seems to just reload the current page on success anyway, so one should post from another utility.

I'm trying a brute force approach with values of b 0 to 1M. (Just save the following as check.py and run python check.py to run something similar).

import subprocess, json

for i in range(1000000):
  cmd = "curl http://www.conficturaindustries.com/check.php --data 'a=0736565&b={}' -X POST".format(i)
  response = subprocess.check_output(cmd, shell=True)
  j = json.loads(response.decode('utf8'))
  if j != {'response': True}:
    print(i, j)
    break

does anyone know the password for the DA_remote site that you get to after going to whoismrrobot.com/masscre ???

does anyone know the password for the DA_remote site that you get to after going to whoismrrobot.com/masscre ???

Catoptric