Skip to content

Instantly share code, notes, and snippets.

@eyecatchup
Last active April 4, 2024 10:39
Show Gist options
  • Save eyecatchup/84aec347c6a1b90890dad8953d7e8c67 to your computer and use it in GitHub Desktop.
Save eyecatchup/84aec347c6a1b90890dad8953d7e8c67 to your computer and use it in GitHub Desktop.
A collection of "Mr. Robot" Season 2 Easter Egg Sites. #mrrobot #hackingrobot #robotegg

Mr. Robot Season 2 Easter Egg Sites

1. Ransomware webpage

On load, this page displays a countdown timer starting at 24:00:00. When time is over, the following "hidden" message is revealed:

I sincerely believe that banking establishments are more dangerous than standing armies, and that the principle of spending money to be paid by posterity, under the name of funding, is but swindling futurity on a large scale.
– Thomas Jefferson

2. E Corp maintenance page

Maintenance page for the fictive E Corp webpage. Opposite of the Evil Corp version.

3. Evil Corp maintenance page

Maintenance page for the fictive Evil Corp webpage. Opposite of the E Corp version.

A subdomain of the evil corp site is shown in a S2 trailer on Facebook, when Elliot connects as follows:

ssh -l root bkuw300ps345672-cs30.serverfarm.evil-corp-usa.com

4. Confictura Industries webpage

GIF-bloated 90's "Under construction" webpage. Nothing special here (afaik).
In S02E01, the QR code in Elliot's notebook points to this website.

5. Others

@jamiechong
Copy link

@johnowhitaker perhaps the username is Angela_Moss as seen in S02E06 00:31:39

@jamiechong
Copy link

jamiechong commented Oct 14, 2016

@johnowhitaker Actually the login info to http://www.e-corp-usa.com/login can be found at S02E09 00:15:12
u: joseph.green
p: holidayarmadillo

Sending an email to the "help desk" gives a nice auto response, with possibly some more easter eggs. The email sent to me has a case number 5B834E0D662F4E004E2A586B5B576E38620F are they all the same?

@MonkeyDo
Copy link

@jamiechong, confirmed, case number 5B834E0D662F4E004E2A586B5B576E38620F

@merlinnusr
Copy link

http://www.racksure.com/
https://www.seeso.com/ (keep an eye on stage.seeso.com)

In What episode, this sites appears ?

@Krolo2
Copy link

Krolo2 commented May 24, 2017

37.3992,-122.0333 are the coordinates of the host of the help desk email. Does this help? XD

@0x44616564616c7573
Copy link

https://compute.e-corp-usa.com/
Season three. Found via following his Shodan search on the premiere episode.
If I had to guess, I would say it probably requires an Apache exploit because it's labeled as an Apache website last changed in 2015- but I'm not willing to stray that far past the line of illegality to find out.

Reminds me of Equifax, actually.

If anyone does check into that, I would suggest contacting them before trying anything stupid, especially with their terms and conditions. (Full range of legal remedies, etc, etc.)

@krisztian999tr
Copy link

krisztian999tr commented May 9, 2018

The page from the "shipping" scene:
https://www.e-corp-usa.com/cp/directory/shipping/1088989/
AdobeTracking.pageName = 'E-Corp USA Shipping : 1088989 : Login Error';

@eyecatchup
Copy link
Author

eyecatchup commented Mar 17, 2019

[email protected] lorem ipsum @mention and a code block

// @see
var x = '';

and one more:

// @see
var x = '';

@duhaime
Copy link

duhaime commented Sep 28, 2019

Confictura Industries webpage - http://www.conficturaindustries.com/. Check the javascript here (specifically c.js). There are a bunch of events bound to the little site visit counter. Clicking the site visit counter changes the digit you click. Seems that data is being posted to /c.php and presumably if the code is right the server will send something interesting back...

Edit: This thread has outstanding work on this puzzle: https://www.reddit.com/r/ARGsociety/comments/54z4k1/the_confictura_industries_counter_puzzle_revisited/#thing_t1_d86psny

TLDR: setting the counter to 0736565 (or running curl http://www.conficturaindustries.com/check.php --data 'a=0736565&b=' -X POST) changes the counter to an input form but noone knows what the correct input to post is, and the native javascript on that page seems to just reload the current page on success anyway, so one should post from another utility.

I'm trying a brute force approach with values of b 0 to 1M. (Just save the following as check.py and run python check.py to run something similar).

import subprocess, json

for i in range(1000000):
  cmd = "curl http://www.conficturaindustries.com/check.php --data 'a=0736565&b={}' -X POST".format(i)
  response = subprocess.check_output(cmd, shell=True)
  j = json.loads(response.decode('utf8'))
  if j != {'response': True}:
    print(i, j)
    break

@ferret786
Copy link

does anyone know the password for the DA_remote site that you get to after going to whoismrrobot.com/masscre ???

@pikami
Copy link

pikami commented Oct 13, 2019

does anyone know the password for the DA_remote site that you get to after going to whoismrrobot.com/masscre ???

Catoptric

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment