CuriositY - A quick walkthrough and how-to guide

I came across this game the other day when a person I follow on Github stared it. The name instantily sparked my curisoity. So what is curiositY? It's a web based level game made by a guy called David Peter where you complete the current challenge to move onto the next, sort of like the classic and wellknown HackThisSite. So, to begin, visit CurisoitY at shark.dish/curiosity. At the current time of writing this article, there are 15 different challenges, starting from easy and getting slightly more difficulte as the levels progress.

For those who wish to go though the challenges yourself, stop reading here! I'm going to walk you through each challenge as I completed it myself. I may not have the best sollutions for these challenges, so if there's a better method, please let me know. There's a spolier alert for anything below the line.


Challenge 1

After visitng the above link to curiositY, you're faced with a simpe page with what appears to be three obejcts, their logo which appears on each and every page, and two purple boxes at either end of the screen. Clicking either box will take you to a "there is nothing here page". The solution? Click the hidden box in the middle, this will take you to middle.html, where you can progress onto the next level.

Challenge 2 - Increment

The hint we're given: lvl++;

As with the last challenge, this one is fairly straight forward. The URL is formatted in the following way: /curiosity/level002/increment.html. Going to /curiosity/level003/increment.html takes us to the next challenge.

Challenge 3

The hint we're given: < />

Looks a lot like an opening and closing XML tag that HTML uses... maybe we should look at the source code of this page? <!-- applause.html --> Ah! Going to that page completes this challenge, and takes us onto the next.

Challenge 4 - JS

This time we are not given a hint like the previous few challenges. Although, we do notice that the page is called js.html. Working with the little we know, we open up Google's Inspector tool, and open the console. We see the following output: iso.html. Going to that page completes this challenge, and takes us onto the next.

Challenge 5 - Terminal

This one is a little intersting. We are presented with a terminal-like page. Let's run the ls command, and see what happens. The terminal quickly updates with a single directory named "curiosity". Entering this directory and running the ls command again gives us a list of files, and directories with the levels we have compelted so far. Over all, not very intersting, or useful. Maybe there's a hidden file? Running ls -la gives us the following output in the terminal screen: "This 'ls' command does not support any options.". Okay, so let's stop with this line of thought. We can have an educated guess that this terminal-like feeature is built form Javascript. Let's see if the source code will give us any hints.

Looking at the source code, and we see a link to a JS file called terminal.js. Taking a look at that file, and we see that it's an utter mess. Looks like it's been obfuscated. Visiting jsnice.org, posting the contents of the JS file into the left box, and clicking the "Nicify Javascipt" button cleans up this mess, and allows us to read the file in almost plain Javascript.

The first thing this deobfuscated file shows us is an array like so:

/** @type {Array} */ var _0xb6ae = ["/", "trim", "", "replace", "length", "This 'ls' command only supports a single argument", "error", "-", "This 'ls' command does not support any options.", ".", "[[;#ff0099;]curiosity]", "echo", "/curiosity", "curiosity.png [[;#ff0099;]level001] [[;#ff0099;]level003] [[;#ff0099;]level005]\n", "index.html [[;#ff0099;]level002] [[;#ff0099;]level004] main.css\n", "/curiosity/level005", "jquery-3.1.1.min.js quiff.html terminal.html\n", "jquery.terminal.min.js terminal.css terminal.js", "Access to '", "' denied.", "Wrong use of 'cd' command.", "curiosity", "level005", "curiosity/level005", "..", "So this is your only concern?\n", "Seeing if the 'echo' command works? :-)", "This is not MS-DOS.", "'curiosity' is a directory.", "shell", " > ", "terminal", "#shell"];

We've seen most of this output already whilst playing around with the ls command. However, there's a few file names we have not seen, and one in piticular sticks out to me: quiff.html. Going to that URL compeltes this challenge, and takes us onto the next.

Challenge 6 - Layer

Other than the file name layer.html, there's no obvious hint whislt first visitng this page. There's just a blank, non-clickabe, rounded box on the screen. Looking at the source code, and we can see this this image is an SVG image. My knowledge on SVG's is quite limited...

Opening up blob.svg in a text editor shows the rectangle we're seeing on screen, and a group of path objects that appear to be hidden. Removing the rect tag shows the message hidden beneath, behind.html. Going to that URL completes this challenge, and takes us onto the next.

Challenge 7 - Uber

We are given the sentence "Vita, universum, omnia.". Looks a little Latin to me. Doing a quick Google translate on this phase gives us: "Our life, the universe, all things." Well, even though I have never got around to watching Hitchhikers Guide to the Galaxy (I know...) I'm well aware that the answer to their the famous question is 42.

Going to 42.html completes this challenge, and takes us onto the next.

Challenge 8 - 42

We are given the following hint: =DEC2BIN(...). Let's assume that DEC stands for Decimal, and Bin stands for binary. This seems simple enough. 42(decimal) in binary is 101010. Going to 101010.html completes this challenge, and tkaes us onto the next.

Challenge 9 - CVS

This one had me stumped for a good hour, before I gave up and went bed. I wouldn't say it was hard, I was just... lost for words, almost.

So the hint we are given here is shape.cvs. Going to /shape.cvs, we are able to access and download the CVS file. A CVS file, those who are unaware, stands for Comma Seperated Values. Often meant for storing data in table structred format, and used in spreadsheet applications. Taking a look at this file shows a large amount of values, which appear to be plots of some sort? X, Y & Z? Going by the file name, let's assume that these are plots for a shape.

At first I thought I was going to have to dig out the little Python programming knolwedge I have to covert this csv file into something I could make sense of, until after a lot of looking around online, I came across this handly little app 3D Scatterplot with csv upload - Sounds like just the thing we need.

Uploading the csv file to this app, we are instantly presented with a 3d model of a shape. Name the shape, move onto the next challenge!

This is where I got stuck. What was this shape called? At first I thought it was a cylinder. Going to cylinder.html, and I'm given this message: "Is this the first 3D shape that came to your mind? Stop guessing." Oh! a little insulting. I thought that was a good educated obveration rather than a guess! So what was this shape called? I tried a number of variations of hollow cylider & tube, and realised that I was barking up the wrong tree here. After having a break for a few mins, I came back and realised it looked like a barrel. Still no luck. I slept on it, and came back at it in the morning with my brother saying it looked like "A long, scrumptious donut". Could it be? Yep. Going to donut.html completes this challenge, and takes us onto the next.

Challenge 10 - @

The hint we are given here is @curiosity314. Simple as can be. We go to that Twitter account twitter.com/curiosity314 to find a single tweet saying fever.html. Going to that URL compeltes this challenge, and takes us onto the next.

Challenge 11 - Git

The hint we are given on this challenge is a command to clone a github repository: git clone https://github.com/sharkdp/level11.git. Running that command, we are able to take a look within this repository to see what we can find. At first looks, we are given a README.md file containing the hint There is nothing here ... (?). I think it's safe to assume this is a lie ;)

I'm still quite new when it comes to git, amd althoguh I understand enough of the basics to get by, for my important work I used an app called GitKaren. Opening up this git repository using GitKaren shows me a huge amount (847) of commits, each one with a random comit message... Each one appears to be blank, having updated no file.

Like I previously mentioned, I'm still quite a noob when it comes to git, so I try out a few ideas that are just too obviously wrong. 847.html, ibwp.html (The commit message of the first comit ater the initial one), and so on. I realised I was getting nowhere. There must be something I'm missing here - like the answer.

I remembered reading a few days ago about a command you could run to search though the logs for a given string. The first message was "There is nothing here", so I searched for the word "there":

git log -S'There'

Ah, that was simple enough! We have 3 results found. The first, being the initial commit, with what was worded above. I think it's safe to assume that the second added some content, and the third removed it, restoring it back to it's original state.

git show 3932dae4c0af43fc97a12032a1686b1f7bf9dcf2

Running the above command shows us what changed within the README.md file on this commit, where the long string of characters is the revhash of the second commit.

commit 3932dae4c0af43fc97a12032a1686b1f7bf9dcf2
Author: sharkdp <davidpeter@web.de>
Date:   Sun Sep 18 16:31:37 2016 +0200

    uokp

diff --git a/README.md b/README.md
index bf44127..8b083b2 100644
--- a/README.md
+++ b/README.md
@@ -1 +1 @@
-There is nothing here ... (?)
+cactus.html

Oh, catctus.html you say? Going to that URL completes this challenge, and takes us onto the next.

Challenge 12 - No Tip Here

We are given the hint oe←←r→u←←es→→rc.

My first thgouhts were that this could be something like the konami cheat code. It turns out that it's actually much simpler than that. Just follow what it says right there in the hint.

oe (left left) r (right) u (left) (left) es (right)(right) rc or, "resource". Going to resource.html completes this challenge, and takes us onto the next.

Challenge 13 - ISO10646

Like with many of the past challenges, the first hint is what this challenge is caled. The second hint, we are given this maths problem: 2609 + 26C6 = ?.

So first, what is ISO 10646? We don't need to understand the ins and outs to complete this challenge. This small sentence from the Wikipedia page on ISO 10646 is more than enough: "ISO 10646 defines several character encoding forms for the Universal Coded Character Set". Okay, so I think it's safe to assume that these hex codes are encoded characters of some sort?

Going to the site unicode.scarfboy.com we can look up these codes, and doing so, we find out that the first translates into a symbol for the sun (☉), and the second, into a symbol for rain (⛆). So, we're now left with Sun + Rain = ? My guess, rainbow, which has the hex code of 1F308. Going to that URL completes this challenge, and takes us onto the next.

Challenge 14 - Debug

Apart from the logo, we are left with a blank page, meaning the only hint we have to go off from is the level name, debug. Opening up Googke's Console in the Inspect tools, and we can a JS error:

Uncaught ReferenceError: x is not defined
    at debug.html:16
    at Array.map (<anonymous>)
    at debug.html:16

Going to line #16 we see the following short script: [ -1, -3, 14, 16, 1, 8, -54, 4, 16, 9, 8 ].map(function() { return String.fromCharCode(x) + ONE_HUNDRED; }).join("");. So by the looks of things, we have an array of numbers, and we are adding 100 to each, and then converting each number into it's character value. Let's rewrite this so that it works: [ -1, -3, 14, 16, 1, 8, -54, 4, 16, 9, 8 ].map(function(x) { return String.fromCharCode(x + 100) }).join("");. Running this in Google's Inspector console gives us the output cartel.html. Going to that URL completes this challenge, and takes us onto the next.

Challenge 16 - Compass

We are given the following hint -118.321627 34.134054.

With the name of this challenge, and the hint we are given, it's fairly safe to assume that we are given a latitude and longatitude plot... almost. Taking a quick look at gps-coordinates.org), it tells us that the Latitude (the first number) should be between -90° and +90°.

Swapping these two numbers around, and looking up where they are pin pointing on a world map, we are given a point at the Hollywood sign. Going to the url hollywood.html completes this challenge, and takes us to the end!


I rather enjoyed this set of challenges. If anyone knows of simialr sites like this, please do let me know in the comments section below. As the end page of this series of challenges say, we should watch their GitHub project to recieve updates on any new challenges that will be released. You can visit their GitHub project at github.org/sharkdp/curiosity

Posted on: 16 Feb 2018 Last Updated: 16 Feb 2018