In the game "HALF-LIFE 2" there exists an ongoing mystery that has never been solved.
The INTERLOPER Mystery.
This blog post might be lower quality than other stuff here. Usually I try to get some people to proofread my writing before publishing but interloper E is releasing later today and if I don't get this blog post published before that deadline, I will never be able to get myself to work on it, so I am forcing myself to release this as is. I'll try to do revisions after publishing
Why interloper is special
Interloper is a webseries started in 2022, which uses the nostalgia for old valve games in extremely creative ways to tell a story about ghosts in the machine, about how the source engine, built on the digital graveyard of dead, outdated technology, is made up of so much spaghetti code that it itself is literally haunted.
I've been playing source games since I was a kid. According to steam my most played game is tf2, clocking in at 600 hours, a playtime that might only be rivaled by minecraft. SFM was what introduced me to 3d animation, I've spent so much time noclipping around maps, playing with gmods physics tools and watching other people play and talk about it on youtube. Despite this I would not consider myself the biggest source engine enthusiast(especially not after talking with some people I"ve met through interloper), but I would consider myself fairly knowledgeable about it.
My first introduction to interloper was this short clip
oh wow, realistic moving NPC... so spooky! It's not like SFM has had mocap since before 2012!
but that's just the thing. This isn't just an SFM video. This is a demo file, you can download(alongside the accompanying map) and play on your own machine, in your own copy of the game. This should not be possible, this is not how demos work, and yet here it is.
Kulcs
After the demo(called cstrike) I've started passively following the series myself. I've enjoyed it but I was not a part of the community of people who were really involved, solving puzzles, finding hidden videos and combing through hundreds of demos that Anomidae(creator of the series) published. That was until a long awaited interloper D ended up being nothing more than a teaser for an ARG, which after a huge cliffhanger in interloper C left me hungry enough to join the discord and follow along.
The first step of the ARG was an odd hl2 map, which according to a later Q&A, was intended to take a few hours at most to solve.
During the 3 days the community was stuck on this section of the ARG everyone was throwing stuff at at a wall trying to see what sticks. Did we have to count cones? What's up with this orange box decal? Why is there a combine scanner called "Zippy"?
Seeing the thousands of people trying random things and knowing how ARGs usually go I didn't feel like I could contribute much so I mostly chatted in the discord, shut down ideas that were simply not technically possible and writing simple scripts to see if any candidate solutions could lead to a youtube video, that kind of thing. Through this I've met some really nice people who I still follow the series with, but ultimately my work didn't end up leading to anything.
Finally after 3 days of the discord server struggling thanks to some rather generous hints from Anomidae progress was made. The community managed to find a tf2 server.
cge7-193
The server called cge7-193 is where the meat of the ARG took place.
At first the server didn't look special in any way, running a game of ctf_2fort, but after breaking a normally static door the server would change to a new map: ask
a giant ouija board.
Players could enter passphrases by breaking the letters on the ground, and breaking the big door to submit.
The first few attempts lead to a map called noaccess with nothing to do but wait for an hourly server reset,
but after a few attempts people found a first keyphrase that did not lead to noaccess, instead loading another custom map, with an embedded lore-drop video.
The hunt was on.
This part of the ARG created such intense amounts of drama that a better writer than me should receap it all. Think about it: a massive group of people all wanting to try their own ideas and experiment, with only 8 players able to join and try one single thing every hour. THIS IS THE ONLY WAY IT COULD HAVE ENDED.
Despite how this might sound I actually really liked this format. Having to run propaganda campaigns to get people to try your pet theories is a really unique experience :D. The server itself was put together really well. Randomly triggered events, unexplainable details, and a certain... broken/moldy feel to the maps made the whole thing come together for an extremely atmospheric experience.
One of the bigger controversies happened when a new player managed to get into the server and promised to sabotage any attempts enter a password other than stal.
Eventually people agreed to do as asked and... a new map loaded?! Oddly the player refused to explain how they got the password, which made people suspicious,
Even stranger the player then asked to try another password, after being sent to noaccess they simply dropped another map file into the discord chat wthout explanation.
What the hell was going on?
Oh no: security hole!
When you connect to a source server and don't have some custom resources(maps, models, etc.) available locally the game is able to automatically download them for you. How does the server provide the map files? That's right: it goes in the http hole!
https://wavespray.dathost.net/fastdl/teamfortress2/679d9656b8573d37aa848d60/maps/ask.bsp
Because of this anyone could simply brute force map names with a disctionary search, and as luck would have it one of the maps had a name that was the same as the password used to access it.
Anomidae patched this issue by appending some random characters to the map names which prevented other maps from being brute forced, but looking at the download link for the map I had an idea:
You see when decompiling ask people noticed that when breaking letter the server was executing
server-side config files. So what if I just tried to download those files?
~ curl "https://wavespray.dathost.net/fastdl/teamfortress2/679d9656b8573d37aa848d60/cfg/a.cfg"
You may only download maps/materials/models/particles/resource/sound/public%
disappointing but not really surprising, I bet someone else would've tried this already.
...although
that error message is not a standard nginx 404 like you'd expect. It looks custom. I wonder if
~ curl --path-as-is "https://wavespray.dathost.net/fastdl/teamfortress2/679d9656b8573d37aa848d60/maps/../cfg/a.cfg"
stal_3
Holy shit!
I've emailed the hosting company about the issue, and got a response within 40 minutes confirming that they've fixed the issue.
And that's how I technically kinda sorta solved the arg days before anyone else had the chance.
Uh oh: command injection
This left me bored. I let Anomidae know about my findings and was asked not to share too much with people. For the sake of integrity while I did brag about exploiting, I couldn't really participate in the game.
Instead I started looking at some inconsequential details, trying to understand better how the server functioned.
Someone else had the idea of running sm_list to list sourcemod plugins, so out of boredom I started looking at what other plugins were running on the server.
What caught my eye was the simple chatterbot plugin. You see the server had a mysterious chatbot on it, that responded to some random phrases, like hi, I have a question and skibidi.
I suspected the bot was partially manually controlled and partially automated, so I started looking through the code to figure out it's exact capabilities.
One thing that immidately caught my attention was the bot's ability to run custom source console commands. Since it featured the ability to interpolate user names into the commands I immidately started wondering whether this meant I could break the bot, by putting special characters in my name. I wasn't going to download tf2 on airport wifi, so I couldn't test this directly, so instead I just looked through the code.
Immidately I found exactly what I was looking for:
ServerCommand("%s", m_gzWord);
Some attempts to understand the weird sourcemod scripting language and a quick google search for the method name confirmed what I already knew: if any of the commands used the players username, it would result in command injection.
The bot was able to use a player's steamid instead of username, which would avoid any command injections, but on the offchance it didn't I sent Anomidae a message with my findings.
A few hours later I got a response letting me know that at least a few of the bot's commands were in fact potentially vulnerable. Sick!
Bonus: how the password input worked
(important note: I don't have access to the config files, and I do not remember how exactly they were setup. This should give you a rough idea of the technique used but will probably not match the behavior of the actual server fully)
Thanks to the path traversal I was able to take a look at how the ask map worked. As mentioned before every letter had a config file(a.cfg, b.cfg, c.cfg, etc.) that was executed when the prop was broken and an extra config file for when the player broke the door. Source config files are very limited. They don't have variables, loops and aren't even turing complete. They are just a collection of console commands.
How did the input check your password then? Simple: by creating an elaborate state machine using the alias commands.
For example to load the map stal you'd break the following characters:
s.cfg
alias stal1 "alias stal2 alias stal3 alias stal4 alias stal5 map stal"
stal1
t.cfg
stal2
a.cfg
stal3
l.cfg
stal4
and then when players broke the door you'd simply execute answer.cfg
stal5
map noaccess
if stal5 doesn't get executed you get sent to noaccess. Really really cool stuff
I love this
It didn't have to be like this.
This server could've been hosted on VPS instead of some random hosting company with a broken fastdl.
You could've used a vscript for the chatbot
(in fact I wrote one for a shitpost during the ARG)
You could've made ask run using a vscript instead of cursed alias chains! (In fact I also did this).
I think that all of this jank is fitting. For a series so rooted in source engine nostalgia, using techniques from 2012 work much better than using fancy new tech. Having the jank fully on display made it feel more immersive and realistic.
If I had to guess Anomidae chose the methods he did because he is an old school source nerd, who uses old school source magic to make things work. He used the tools he knew how to use in radically creative ways to make a really cool experience. Frankly it's inspiring.