I’ve written this up while rushing and buzzing, so I will clean it up in a little bit lol 
We received a new security log (091216) entailing:
As well as a new page with a password field:
The password page dropped ever so slightly before the security log, where there was a few moments of head-scratching.
It occurred to @Gumsk and myself almost immediately that there was a callout to IWTS_operator, which is what I have as a RP title for my trackers Discord messages, and on my Discord profile.
It immediately occurred to me it was in reference to the fanart Operator ID I’m working on and had shared in the Discord - but had also sent to system after the security breach callout email that was sent to me - as an attempt to verify authorisation and deescalate the security system for myself and the operator team:
So, I tried vector_cmdr as the password, and it loaded.
Presenting “what was on port 0x17”, an emulated terminal:
I went straight to the page source and to the js.
At the top of the <script> block, four base64 strings were hidden in the _0x array:
const _0x = [
"b2tkYid8ZnRhd1l1bWpsamtjZHxgbGorb2lhfQ==",
"d2Fodmh6aG9bd2NhbXtmamZjJzk+OzQ1MzMxMTM=",
"ZWVpamVpamhbd2lyfGwjZWZybn5od2E=",
"UH12cmJlKXBhYHUnXGZ0YXc="
];
Decoding the base64 and reading the script showed that the strings were XORed (i % 7 + 3)
So, XOR each byte with a positional key that cycles through [3, 4, 5, 6, 7, 8, 9]:
position i |
i % 7 |
XOR key |
|---|---|---|
| 0 | 0 | 3 |
| 1 | 1 | 4 |
| 2 | 2 | 5 |
| 3 | 3 | 6 |
| 4 | 4 | 7 |
| 5 | 5 | 8 |
| 6 | 6 | 9 |
| 7 | 0 | 3 |
| 8 | 1 | 4 |
| … | … | … |
The values decode to:
| Index | Raw base64 | Decoded (XOR’d) |
|---|---|---|
| 0 | b2tkYid8ZnRhd1l1bWpsamtjZHxgbGorb2lhfQ== |
load tower_reconnection.init |
| 1 | d2Fodmh6aG9bd2NhbXtmamZjJzk+OzQ1MzMxMTM= |
temporal_reference 1780054980 |
| 2 | ZWVpamVpamhbd2lyfGwjZWZybn5od2E= |
fallback_route activate |
| 3 | UH12cmJlKXBhYHUnXGZ0YXc= |
System sees Tower |
Looking at the terminal, it made it clear the order of commands was important, so I followed the rule.
load tower_reconnection.inittemporal_reference 1780054980(sec-log-152931)fallback_route activate
After all three commands are entered, the terminal reveals that the value from index 3 is the confirmation code requested.
There were then some other optional commands in the page:
help- command list (load,temporal_reference,fallback_route,status,clear)status- showsTOWER STATUS: ONLINEorOFFLINEclear- clears the terminalconfirm reconnection- accepts the confirmation code, displays “Access granted to Project Skyscraper”, then opens the homepage in a new tab
Doing all of this in sequence like below reestablished the connection:
I also sent a response email to system with the screenshot and additional reference to the code word I requested in the first apology email for the security breach:
The result was the following new seclog:
It all went down in the Discord and the page super fast, so I thought I would catalog it here to explain what happened in that window of time for this one.
I just posted the other page(will delete now) thinking he caught us sleeping. Great job 
The PM has detailed profiles on all of us 
