Jamie Ward — Web Design & Development

Jamie Ward

Hello, I'm Jamie Ward, a web developer from Mablethorpe, Lincolnshire, England. I design & develop websites for small businesses and organisations, focusing on lightweight, mobile-friendly, and easy to update sites. I use a combination of my imagination, my 9 years of experience, and best practices to create simple, yet powerful websites. I use a bespoke content management system that I have been working on to allow my clients update their own websites with ease.

CuriositY - A quick walk through and how-to guide

Posted on 16 Feb 2018

I came across this game the other day when a person I follow on Github stared it. The name instantly sparked my curiosity. So what is curiositY? It's a web based level game made by a guy called David Peter where you complete the current challenge to move onto the next, sort of like the classic and well known HackThisSite. So, to begin, visit CurisoitY at shark.dish/curiosity. At the current time of writing this article, there are 15 different challenges, starting from easy and getting slightly more difficult as the levels progress.

For those who wish to go through the challenges yourself, stop reading here! I'm going to walk you through each challenge as I completed it myself. I may not have the best solutions for these challenges, so if there's a better method, please let me know. There's a spoiler alert for anything below the line.

Challenge 1

After visiting the above link to curiositY, you're faced with a simple page with what appears to be three objects, their logo which appears on each and every page, and two purple boxes at either end of the screen. Clicking either box will take you to a "there is nothing here page". The solution? Click the hidden box in the middle, this will take you to middle.html, where you can progress to the next level.

Challenge 2 - Increment

The hint we're given: lvl++;

As with the last challenge, this one is fairly straight forward. The URL is formatted in the following way: /curiosity/level002/increment.html. Going to /curiosity/level003/increment.html takes us to the next challenge.

Challenge 3

The hint we're given: < />

Looks a lot like an opening and closing XML tag that HTML uses... maybe we should look at the source code of this page? <!-- applause.html --> Ah! Going to that page completes this challenge, and takes us onto the next.

Challenge 4 - JS

This time we are not given a hint like the previous few challenges. Although, we do notice that the page is called js.html. Working with the little we know, we open up Google's Inspector tool and open the console. We see the following output: iso.html. Going to that page completes this challenge, and takes us onto the next.

Challenge 5 - Terminal

This one is a little interesting. We are presented with a terminal-like page. Let's run the ls command, and see what happens. The terminal quickly updates with a single directory named "curiosity". Entering this directory and running the ls command again gives us a list of files, and directories with the levels we have completed so far. Overall, not very interesting, or useful. Maybe there's a hidden file? Running ls -la gives us the following output in the terminal screen: "This 'ls' command does not support any options.". Okay, so let's stop with this line of thought. We can have an educated guess that this terminal-like feature is built form Javascript. Let's see if the source code will give us any hints.

Looking at the source code, and we see a link to a JS file called terminal.js. Taking a look at that file, and we see that it's an utter mess. Looks like it's been obfuscated. Visiting jsnice.org, posting the contents of the JS file into the left box, and clicking the "Nicify Javascript" button cleans up this mess, and allows us to read the file in almost plain Javascript.

The first thing this deobfuscated file shows us is an array like so:

/** @type {Array} */ var _0xb6ae = ["/", "trim", "", "replace", "length", "This 'ls' command only supports a single argument", "error", "-", "This 'ls' command does not support any options.", ".", "[[;#ff0099;]curiosity]", "echo", "/curiosity", "curiosity.png [[;#ff0099;]level001] [[;#ff0099;]level003] [[;#ff0099;]level005]\n", "index.html [[;#ff0099;]level002] [[;#ff0099;]level004] main.css\n", "/curiosity/level005", "jquery-3.1.1.min.js quiff.html terminal.html\n", "jquery.terminal.min.js terminal.css terminal.js", "Access to '", "' denied.", "Wrong use of 'cd' command.", "curiosity", "level005", "curiosity/level005", "..", "So this is your only concern?\n", "Seeing if the 'echo' command works? :-)", "This is not MS-DOS.", "'curiosity' is a directory.", "shell", " > ", "terminal", "#shell"];

We've seen most of this output already whilst playing around with the ls command. However, there are a few file names we have not seen, and one in particular sticks out to me: quiff.html. Going to that URL completes this challenge, and takes us onto the next.

Challenge 6 - Layer

Other than the file name layer.html, there's no obvious hint whilst first visiting this page. There's just a blank, non-clickable, rounded box on the screen. Looking at the source code, and we can see this image is an SVG image. My knowledge on SVG's is quite limited...

Opening up blob.svg in a text editor shows the rectangle we're seeing on screen and a group of path objects that appear to be hidden. Removing the rect tag shows the message hidden beneath, behind.html. Going to that URL completes this challenge, and takes us onto the next.

Challenge 7 - Uber

We are given the sentence "Vita, universum, omnia.". Looks a little Latin to me. Doing a quick Google translate on this phase gives us: "Our life, the universe, all things." Well, even though I have never got around to watching Hitchhikers Guide to the Galaxy (I know...) I'm well aware that the answer to their the famous question is 42.

Going to 42.html completes this challenge, and takes us onto the next.

Challenge 8 - 42

We are given the following hint: =DEC2BIN(...). Let's assume that DEC stands for Decimal, and Bin stands for binary. This seems simple enough. 42(decimal) in binary is 101010. Going to 101010.html completes this challenge, and takes us onto the next.

Challenge 9 - CVS

This one had me stumped for a good hour before I gave up and went bed. I wouldn't say it was hard, I was just... lost for words, almost.

So the hint we are given here is shape.cvs. Going to /shape.cvs, we are able to access and download the CVS file. A CVS file, those who are unaware, stands for Comma Separated Values. Often meant for storing data in table structured format, and used in spreadsheet applications. Taking a look at this file shows a large number of values, which appear to be plots of some sort? X, Y & Z? Going by the file name, let's assume that these are plots for a shape.

At first I thought I was going to have to dig out the little Python programming knowledge I have to covert this CSV file into something I could make sense of, until after a lot of looking around online, I came across this handy little app 3D Scatterplot with csv upload - Sounds like just the thing we need.

Uploading the CSV file to this app, we are instantly presented with a 3d model of a shape. Name the shape, move onto the next challenge!

This is where I got stuck. What was this shape called? At first, I thought it was a cylinder. Going to cylinder.html, and I'm given this message: "Is this the first 3D shape that came to your mind? Stop guessing." Oh! a little insulting. I thought that was a well-educated observation rather than a guess! So what was this shape called? I tried a number of variations of hollow cylinder & tube and realised that I was barking up the wrong tree here. After having a break for a few mins, I came back and realised it looked like a barrel. Still no luck. I slept on it, and came back at it in the morning with my brother saying it looked like "A long, scrumptious donut". Could it be? Yep. Going to donut.html completes this challenge, and takes us onto the next.

Challenge 10 - @

The hint we are given here is @curiosity314. Simple as can be. We go to that Twitter account twitter.com/curiosity314 to find a single tweet saying fever.html. Going to that URL compeltes this challenge, and takes us onto the next.

Challenge 11 - Git

The hint we are given on this challenge is a command to clone a github repository: git clone https://github.com/sharkdp/level11.git. Running that command, we are able to take a look within this repository to see what we can find. At first looks, we are given a README.md file containing the hint There is nothing here ... (?). I think it's safe to assume this is a lie ;)

I'm still quite new when it comes to git, and although I understand enough of the basics to get by, for my important work I used an app called GitKraken. Opening up this git repository using GitKaren shows me a huge amount (847) of commits, each one with a random commit message... Each one appears to be blank, having updated no file.

Like I previously mentioned, I'm still quite a noob when it comes to git, so I try out a few ideas that are just too obviously wrong. 847.html, ibwp.html (The commit message of the first commit after the initial one), and so on. I realised I was getting nowhere. There must be something I'm missing here - like the answer.

I remembered reading a few days ago about a command you could run to search though the logs for a given string. The first message was "There is nothing here", so I searched for the word "there":

git log -S'There'

Ah, that was simple enough! We have 3 results found. The first, being the initial commit, with what was worded above. I think it's safe to assume that the second added some content, and the third removed it, restoring it back to it's original state.

git show 3932dae4c0af43fc97a12032a1686b1f7bf9dcf2

Running the above command shows us what changed within the README.md file on this commit, where the long string of characters is the revhash of the second commit.

commit 3932dae4c0af43fc97a12032a1686b1f7bf9dcf2
Author: sharkdp <davidpeter@web.de>
Date:   Sun Sep 18 16:31:37 2016 +0200


diff --git a/README.md b/README.md
index bf44127..8b083b2 100644
--- a/README.md
+++ b/README.md
@@ -1 +1 @@
-There is nothing here ... (?)

Oh, catctus.html you say? Going to that URL completes this challenge, and takes us onto the next.

Challenge 12 - No Tip Here

We are given the hint oe←←r→u←←es→→rc.

My first thgouhts were that this could be something like the konami cheat code. It turns out that it's actually much simpler than that. Just follow what it says right there in the hint.

oe (left left) r (right) u (left) (left) es (right)(right) rc or, "resource". Going to resource.html completes this challenge, and takes us onto the next.

Challenge 13 - ISO10646

Like with many of the past challenges, the first hint is what this challenge is caled. The second hint, we are given this maths problem: 2609 + 26C6 = ?.

So first, what is ISO 10646? We don't need to understand the ins and outs to complete this challenge. This small sentence from the Wikipedia page on ISO 10646 is more than enough: "ISO 10646 defines several character encoding forms for the Universal Coded Character Set". Okay, so I think it's safe to assume that these hex codes are encoded characters of some sort?

Going to the site unicode.scarfboy.com we can look up these codes, and doing so, we find out that the first translates into a symbol for the sun (☉), and the second, into a symbol for rain (⛆). So, we're now left with Sun + Rain = ? My guess, rainbow, which has the hex code of 1F308. Going to that URL completes this challenge, and takes us onto the next.

Challenge 14 - Debug

Apart from the logo, we are left with a blank page, meaning the only hint we have to go off from is the level name, debug. Opening up Google's Console in the Inspect tools, and we can a JS error:

Uncaught ReferenceError: x is not defined
    at debug.html:16
    at Array.map (<anonymous>)
    at debug.html:16

Going to line #16 we see the following short script: [ -1, -3, 14, 16, 1, 8, -54, 4, 16, 9, 8 ].map(function() { return String.fromCharCode(x) + ONE_HUNDRED; }).join("");. So by the looks of things, we have an array of numbers, and we are adding 100 to each, and then converting each number into it's character value. Let's rewrite this so that it works: [ -1, -3, 14, 16, 1, 8, -54, 4, 16, 9, 8 ].map(function(x) { return String.fromCharCode(x + 100) }).join("");. Running this in Google's Inspector console gives us the output cartel.html. Going to that URL completes this challenge, and takes us onto the next.

Challenge 16 - Compass

We are given the following hint -118.321627 34.134054.

With the name of this challenge, and the hint we are given, it's fairly safe to assume that we are given a latitude and longatitude plot... almost. Taking a quick look at gps-coordinates.org), it tells us that the Latitude (the first number) should be between -90° and +90°.

Swapping these two numbers around, and looking up where they are pin pointing on a world map, we are given a point at the Hollywood sign. Going to the URL hollywood.html completes this challenge, and takes us to the end!

I rather enjoyed this set of challenges. If anyone knows of similar sites like this, please do let me know in the comments section below. As the end page of this series of challenges say, we should watch their GitHub project to receive updates on any new challenges that will be released. You can visit their GitHub project at github.org/sharkdp/curiosity