Thursday, May 26, 2016

[SPOILER] How I completed the Google Firebass Challenge (but not in time to win a ticket to IO17)

[SPOILER ALERT**** THIS WILL SHOW YOU THE CLUES TO COMPLETE THE CHALLENGE]

At the conclusion of Google IO this year, Firebase launched a challenge to follow digital clues for a shot at a free ticket to IO17 next year. I ultimately solved the puzzle although it was a little too late. I was not in the first 100 so no ticket for me.

Here is how I did it:

I was pointed to the start of the challenge from a Twitter post pointing to https://firebase.foo.

This was a faux version of https://firebase.google.com. The gist is that someone mistyped firebase as firebass and has unleashed a time traveling bass on the internet!

Anyone familiar with HTML should be able to spot the problematic link that looks like it is sending you to an admin interface. Some playing around eventually led me to replace firebase with firebass. That brought me to a login page.

Inspecting the elements on this page I found two things: the image name and alt text were

     <img alt="01101000011001110111011101100101011011000110110001110011" src="../../images/01101000011001110111011101100101011011000110110001110011.png">

and the action on the login form had an error in it about an invalid character in author name.

Pasting the binary value into an online binary-to-ASCII converter yielded the text hgwells. Adding that to the broken link got me to https://probassfinders.foo/home/hgwells.html.

Aside from some distractions like a web-based terminal, the obvious next step here is a My Account link in the upper left. Following this link takes you to another login page with a cool ASCII art image of a bass. If you pay attention, you will see some hex numbers that are a different color. If you take the highlighted hex numbers and convert them to ASCII they spell "Members and Affiliates of the Intergalactic Computer Network". Weird! A quick Google search leads to a paper by J.C.R. Licklider (who is an interesting fellow in his own right). But what to do with this clue? Some more digging and I noticed the title of the page looked like it was base64 encoded: Li4vLi4vYmFzcy9qY3IqKioqKioqKiouaHRtbA== which decodes to ../../bass/jcr*********.html. Aha! https://probassfinders.foo/bass/jcrlicklider.html

Hmmmm, 64 boxes with two possible states? A little JavaScript to generate a string of 1's and 0's and back to the binary-to-ASCII converter: blp.html.
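The decoding steps so far (binary alt text, base64 page title, 64 on/off boxes) can be done locally instead of with online converters. The following is an added example, not code from the challenge or from the original post; the function names are made up here, and the box states are constructed from the known answer because the real grid is not reproduced on this page.

```javascript
// Split a string of 0s and 1s into 8-bit groups and map each group to a character.
function binaryToAscii(bits) {
  if (!/^[01]+$/.test(bits) || bits.length % 8 !== 0) {
    throw new Error('expected a multiple of 8 binary digits');
  }
  return bits.match(/.{8}/g)
    .map((byte) => String.fromCharCode(parseInt(byte, 2)))
    .join('');
}

// Decode base64 in a browser (atob) or in Node (Buffer).
function base64ToAscii(b64) {
  return typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('latin1');
}

// Turn a row-major list of on/off states (e.g. 64 boxes) into a bit string.
function statesToBits(states) {
  return states.map((on) => (on ? '1' : '0')).join('');
}

// True when a guess has the mask's length and matches it everywhere the mask is not '*'.
function fitsMask(mask, guess) {
  return mask.length === guess.length &&
    [...mask].every((ch, i) => ch === '*' || ch === guess[i]);
}

// Values copied from the page.
const ALT_TEXT = '01101000011001110111011101100101011011000110110001110011';
const PAGE_TITLE = 'Li4vLi4vYmFzcy9qY3IqKioqKioqKiouaHRtbA==';

// Constructed sample: the 64 box states that spell "blp.html".
const sampleBoxes = [...'blp.html'].flatMap((c) =>
  [...c.charCodeAt(0).toString(2).padStart(8, '0')].map((b) => b === '1'));

console.log(binaryToAscii(ALT_TEXT));
const mask = base64ToAscii(PAGE_TITLE);
console.log(mask, fitsMask(mask, '../../bass/jcrlicklider.html'));
console.log(binaryToAscii(statesToBits(sampleBoxes)));
```

The mask check shows why the Licklider clue fits: the nine asterisks in the decoded title line up with the nine letters after "jcr".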

At this point there was originally a timer counting down and the terminal displayed an error message with the path to a log file. The log file is a base64-encoded PNG.

The dialog in the fake terminal gave me the clue as to what to do here. It mentioned a delta. The PNG consisted of transparent pixels and black pixels. I duplicated it as a layer in GIMP and started shifting it around. A shift (or delta) of 111 pixels horizontally exposed some text. A vertical shift cleared up the overlapping pattern to reveal what appeared to be mv firebass. Thanks to some fellow bass hunters on Twitter who were much better at image manipulation, it was revealed to be mv firebass firebase.

After the timer expired, a time portal page was displayed.


Now at this point I did take the easy way out. While working out the individual clues, including tracking down the coordinates in the animated GIF, someone posted the solution URL to Twitter. Oh well, I'll take it, I thought. So off I went to https://probassfinders.foo/walleyejournal/SILO.html.

This was another page with a timer where I had to wait a couple of days. Once the timer ran out, it was another time portal page with a new URL. There was also the base64-encoded image disguised as a log file. Shifting it as before reveals another clue. The file may be resistant, use the --force.

The next page was a 90's-style fan club page. It was similar to the last set of clues in that you had to navigate the site to find numbered clues and string them together to form a URL. The interesting clue on this round was an icon that looked like it was supposed to play a WAV file. Searching the code a bit revealed some actual Firebase code referencing a WAV file called spectrogram.wav.

     console.log('TODO: Complete connection to Firebase Storage');
     var storageRef = firebase.app().storage().ref();
     var file = storageRef.child('spectrogram.wav');
     // TODO: Get download URL for file (https://developers.google.com/firebase/docs/storage/web/download-files)

In the JavaScript console, running file.getDownloadURL(); returns an object containing the direct download link for the WAV file.

I downloaded a free Spectrogram generator called Spek. Opening the wav file yielded
So along with the easy clues, the whole URL ended up being https://probassfinders.foo/000147/notafish/MOODMUSIC/Alex/FIN/index.html.

This ended up being the final page.

This time the terminal was actually usable. It was a text-based game that should be pretty easy to work out without going through each one. Suffice it to say that the end culminates with you using mv firebass firebase --force.

And there you go, you captured the firebass!