NITE Team 4

Open World Missions Brief Walkthrough
By gfcjyb
This guide briefly talks about the walkthrough of some of NT4's open world quests. I'll try my best to give important hints and avoid giving the answers directly.
Introduction
These Open World missions are both hard and fun, especially when you have found the answers by yourself on a real website. I myself have suffered from some difficulties while playing through them, and have viewed lots of discussions for help (it really is a good habit that all people only give hints instead of answers), but I still needed a lot of unnecessary time to complete the missions (maybe because I'm an ESL). Thus, to avoid wasting much more time for players similar to me, I decided to write this guide to help the players who are stuck on these wonderful puzzles.

On the whole, the hints I'm giving point to some answers rather directly (while I am still trying not to give direct answers), so DO NOT LOOK AT THIS GUIDE TOO MUCH IF YOU JUST NEED A "LITTLE BIT" HINT AND STILL WANT TO SOLVE THE MYSTERY MOSTLY BY YOURSELF! In such a case, my suggestion is to open the spoiler block carefully, look word by word and stop immediately when you have found the thing you want. XD

Therefore, I guess this guide is most suitable for players who have spent lots and lots of time on a step but still haven't found the answer and are thus totally desperate... Anyway, I hope everyone who has spent his/her precious time reading my guide finishes the missions eventually with a strong sense of achievement!

Important notice: I suggest you restart the game if you have completed one OW mission and want to play another OW, because if both missions use XKeyscore, the entities will be mixed together and you will easily be confused (I hope the game fixes this as well).
October 2018: Delicate Drive
November 2018: Freedom of Information
December 2018: Re-education
January 2019: Honey Badger
March 2019: Straw Sandal
Part 1

Open the archive and you will see a phone's MAC address and vendor info. Use this to get in Zhan Ru's phone.

Check his memo for all the places he has been to recently, then look at his email; he has rented vehicles and ships from various companies.

The Briefing has requested you to find out the street name in North Korea for meth, so make sure you do this. Then, in Ru's note, you will find out he has transported the meth in a city via a rental company.

Get in this company's website, and remember the mission overview says "ASSASSIN rootkit is required"? Assassin rootkit is used on vulnerable PATHS inside a website (AfterMidnight is used on vulnerable ports on a subdomain), so make sure you do a DIG!

You will find more XKey entities, then search the record between Ru and his contact in the rental company, and then you will find something which contains the destination of the meth.

Part 2

The hotel's website is secure in StingerOS, so you need to go to the website realistically (the website seems to be updated already, you should be able to access now).

On the real website, you can find a new domain name in one of the sessions (check EVERYTHING until you find a new domain!). Dig this domain in StingerOS and hack inside.

In the AD, you can see a list of provinces, and you can find some names in the province we are working at. Since assassin rootkit is still needed, do the same thing as you did in part 1.

Two more names should be added in XKey. Do the search and you'll find a receipt, which includes a ferry ticket from XXXXXX to "XXX" - google it and it will be easy to find out that it's XXXXXXX, South Korea.

Then we just need to find the vessel's name - you can search "XXXXXX to XXXXXXX ferry" on google and give it a try - well the name is not that easy to find.

If you answered "XXXX Ferry" and it turned out to be wrong, it is because this is the name of the ferry company (대인훼리 大仁轮渡), instead of the ferry itself.

I'll give you two hints about this, either will guide us to the correct answer:

1. When you search "XXXXXX to XXXXXXX ferry", a website called 4corners7seas actually has the ferry's name in the article.
2. If you have found "XXXX Ferry", you can go to its OFFICIAL website, which only supports Korean and Chinese. But the ferry's name is actually in English, so try your best finding it! You might need to translate the website.


Part 3

Hack into dainferry.kr and access the AD. Now we need to find the info of CCTV, so do a password attack on the security path using the username of the correct person. Or, you can get a hash by "listening" to this website since it is "remote". Then you'll see the crossing report in March, which shows a Korean license plate; take a note of this.

Next, since this is related to CCTV, we should manage to see the CCTV footage - so we need to do some "listening". Then you'll find a new domain in one of the footages. Hack it, in the AD find the license plate you just noted, then XKey will have a new entity. Do the search, and you'll find an email between Ru and the receiver.

Now we know that they want to deal with the meth in "courtyard of the large cross near Noah's ark". Then, we search "incheon noah's ark" on google, and paste the name of this village into google map, and you will find a building related to "large cross" nearby. Go to its website and translate it to English, the building's name - XXXXXXX XXXXXXXXXXXX XXXXXX - will be the answer.
April 2019: Ransom Where
Part 1

Get in the network and access the AD. Find the Head of Client Relations, crack his password, then access the client database. Find the top energy consuming company in Iceland which is NOT related to cryptocurrency but consumes as much energy as crypto mining companies.

Access its website, in AD, find the employee whose employment date is the earliest - this employee's name will be the answer.

Part 2

Download the image and use a Hex editor to open it (the last page of briefing file has given several methods of viewing an image's hex data). You can also search this picture on images.google.com, the result is: ab. 1879 George Dunlop Leslie - Alice in Wonderland. After opening the picture in Hex editor, you can notice that the last segment of the file is:

It's strongly recommended that you do this part on your own; open this ONLY when you really don't know how to do it, or you cannot access or use the relevant software!

EvidenceParty.TartsStory.Tears.PepperTale

These words and the name of the painting all lead us to "that" book. Also, based on the format of the final answer of this part - ___.___.___.___, it seems to be an IP address.

What's more, the last segment of the file is also in the form of xx.xx.xx.xx! Now we just need to change evidence party etc. to numbers...

↓This is the final hint. DO NOT open it unless you are REALLY, REALLY stuck:
Look at the chapter titles in that book. You will find some familiar words!

Part 3

Access the images and Conway's instruction. According to Conway, the folder holding the images is called "4669766520456c656d656e7473"; if we separate every two characters and change them from hex to ASCII, we get "Five Elements". Also, using a Hex editor to open the images, at the end of the files we will find "Earth", "Metal", "Fire", "Water", "It begins with Wood".
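The hex-editor steps in Part 2 and Part 3 above (reading what sits after the end of the image data, and turning a hex string into ASCII) can also be scripted. This is an added example, not part of the original guide or the game: the function names are hypothetical, the sample bytes are constructed, and it goes beyond the guide by handling PNG as well as JPEG.

```python
import string

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"

def _png_end(blob):
    """Offset just past the IEND chunk, or None if it is missing."""
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        length = int.from_bytes(blob[pos:pos + 4], "big")
        ctype = blob[pos + 4:pos + 8]
        pos += 12 + length  # length field + type + data + CRC
        if ctype == b"IEND":
            return pos
    return None

def _jpeg_end(blob):
    """Offset just past the real EOI marker, walking segments so that an
    FF D9 inside a metadata segment (e.g. a thumbnail) is not mistaken for it."""
    pos = len(JPEG_SOI)
    while pos + 2 <= len(blob):
        if blob[pos] != 0xFF:
            return None  # lost marker sync: malformed file
        marker = blob[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
        elif marker == 0xD9:  # EOI
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:  # no length field
            pos += 2
        else:
            pos += 2 + int.from_bytes(blob[pos + 2:pos + 4], "big")
            if marker == 0xDA:  # SOS: skip the entropy-coded scan data
                while pos + 1 < len(blob):
                    nxt = blob[pos + 1]
                    if blob[pos] == 0xFF and nxt not in (0x00, 0xFF) \
                            and not 0xD0 <= nxt <= 0xD7:
                        break  # a real marker ends the scan
                    pos += 1
    return None

def trailing_data(blob):
    """Bytes appended after the image's logical end (b"" if none found)."""
    if blob.startswith(PNG_SIG):
        end = _png_end(blob)
    elif blob.startswith(JPEG_SOI):
        end = _jpeg_end(blob)
    else:
        raise ValueError("not a PNG or JPEG file")
    return b"" if end is None else blob[end:]

def printable_runs(data, min_len=4):
    """ASCII runs of at least min_len characters, like strings(1)."""
    allowed = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    runs, current = [], bytearray()
    for byte in data + b"\x00":  # sentinel flushes the final run
        if byte in allowed:
            current.append(byte)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    return runs

def hex_to_text(token):
    """Decode hex-encoded ASCII; None if the token is not hex or not text."""
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None

# Constructed sample: a skeletal JPEG with a decoy FF D9 inside APP1,
# a stuffed byte and a restart marker in the scan, then appended text.
SAMPLE_JPEG = (JPEG_SOI + b"\xff\xe1\x00\x06\xff\xd9\x00\x00"
               + b"\xff\xda\x00\x04\x00\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
               + b"\xff\xd9" + b"It begins with Wood")

if __name__ == "__main__":
    print(printable_runs(trailing_data(SAMPLE_JPEG)))
    print(hex_to_text("4669766520456c656d656e7473"))
```

For a downloaded file, pass `open(path, "rb").read()` to `trailing_data` and feed the result to `printable_runs`.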

These are actually from the Chinese five element theory "wuxing" (五行). Since it begins with wood and Conway mentions the word "overcoming", then we know the order of the images will be wood-earth-water-fire-metal, i.e. 658-654-655-657-656.

Then let's figure out the password in each picture. The words are more like riddles, which I am not good at since I'm an ESL. From the community, I know that the bars at the bottom-left corners are the length of the words, and searching the keywords in each riddle will probably give us the answer.

Wood: I searched "dynamite cave seed grow", then the first result is "Man’s body found after tree grows from seed in his stomach", and from the article we know it is a XXX tree.

Earth: "the end of fukushima" leads to Japan and the "giant beast" is a XXXXXXX called Ootamazu (大鯰) suppressed by the "sword god" Takemikazuchi (建御雷).

Water: Jules Verne 001 is a satellite and it deposited debris at South Pacific Ocean. "The Great Old One" represents Cthulhu, who is imprisoned at R'lyeh. From R'lyeh's wikipedia, we can find out that it is close to the Pacific pole of inaccessibility, or XXXX point.

Fire: "fire" and "17927" lead to the Centralia mine fire, which, according to wikipedia, is a xxxx-seam fire. So the fire was fuelled by XXXX.

Metal: searching "begets itself, conceives itself, and gives birth to itself" will probably direct you to the wikipedia page of XXXXX xxxxxxx.

Send the password to Conway and her reply mentioned a link. Hack inside.

Find the transaction on the designated date on the Briefing file, and go to the link at the last page of the Briefing file, you will find the exact same public wallet id there. The name will be the final answer.
G7 2019 Chapter 1: Disinformation Sharing
Part 1

Grab the agendas and find the one happening in North America and in June. We need to find the domain of the hosting company.

Then what is the name of the hosting company? Just imagine you are the CEO of the hosting company, and think where your company should be appearing in the agenda. Search this company and its website will be found, and this is the domain we are dealing with in StingerOS.

Get in and don't forget to use the assassin rootkit as is mentioned in mission overview (which means one path in the website is vulnerable - if you have played March 2019 you should be familiar with this). Use foxacid, and you will get some XKey entities (and don't forget to grab the entity from the mission overview).

According to briefing, you need to focus on techs, event managers and catering staff. You will find three emails, but only one is useful, since finally you need to input the "name of a device most likely to be connected to the computer of a FS-ISAC representative".

It should be about the rented A/V equipment, since it is mentioned in the email with event managers. Now let's search the A/V equipment on vantagevenues.com realistically.

Now you should be in a page introducing A/V rentals, scroll down for a list of all "popular AV items used regularly". From mission overview we know the answer is in the form of XXXXXXX-XXXXXXX-XXX, so find the device whose name is in this format! This might take you some time but, believe me, when you find the name and complete this part correctly, you will have an extreme sense of accomplishment!

Part 2

Sheltered Harbor's website doesn't have any weaknesses. We just need to follow the order of the briefing file: search the company in the website mentioned at the last page's OSINT, and email the office address found to Dispatch. In the reply, Dispatch has mentioned a new archive call number.

Take a look at this transcript and you will find a new website. This one is also secure, as is mentioned in the briefing, so we need to do a social engineering attack. Visit the TBW archive to find the info needed, and then do the attack.

I've got to admit that this one is hard, since there're only two people opening the email, we need to perfect all the tools, subject and alias according to the TBW archive mentioned above.

Hint about the email subject and alias:

Subject: the archive has mentioned a special "code" for describing a highly important and sensitive information. You will need to do some search for the internal operating rules of Sheltered Harbor. Final hint: Sheltered Harbor Operating Rules should be reviewed when joining Sheltered Harbor.

Alias: the archive has mentioned that the alias will be the name of the bank that links the most tightly with the CEO of Sheltered Harbor. Who is the CEO? In Sheltered Harbor's website, there is a video called "Hear from our CEO", and he will talk about his name. However, in order to spell his name, you might need to do some extra search like "Sheltered Harbor CEO", and find the name you heard in that video. Afterwards, you can search "Sheltered Harbor {CEO's name} bank", then you will probably get the bank name.

With everything being correct, the efficiency should be 73% - if the number is lower than that, the attack will fail! Launch the attack, and luckily the second person will open the infected file. Then - be quick! The link will be disconnected in 5 minutes, after which you'll need to do the SET attack again!

This one's AD is also vulnerable, assassin it to get more XKey entities. Do the search, and you will find a link of a PDF file and a password hint. Visit the link realistically and you are required to enter the password.

The password hint is "our braves in 1XXX". Search the phrase and you will find out that this relates to an American baseball team XXXXXXX XXXXXX. Then we just need to know what this team was called in the year of 1XXX. Hint: the password contains only one word and the first letter is UPPERCASE.

Read the pdf file and we know that a sender ID is sending the file to vault 04, and the file format of the customer data is citi.064xxxxxxxxxx.vaultdata.zip. Now go back to the 5-minute website you accessed via SET, and LISTEN to the communication between the sender IP and vault 04. Use packet sniffer, and there will be a lot of files starting with 044, 087, 022, 020...

The one we want is 064, so find the only 064-starting file and use the file format above - this will be the final answer!

Part 3

The blackened parts all consist of "nice try", so don't try to directly copy the domain name from the email address. The correct way of searching should be: this hidden service should contain seven letters (compare the position of "Consulting" in the row of Gordon and Huachuca). To find the name, it's better to search all these consulting services' names together, and then there should be a website, in which you can find the name of the final non-existing consulting service with seven letters, and now you know what its domain name is.

Find the vulnerable subdomain. Hint: it's "elsewhere" in the result of sfuzzer, if you think all the subdomains are secure. Get inside, and in the AD you can find this tnaylor guy's IP address. Do the listening, and you will get a hash, crack the password and enter the meeting documents.

You will find several files talking about a time, this means that we need to check the wifi. Handshake with all the mac addresses and find the time we care about - hint: we of course care about tnaylor, so focus on the activities in which he is the facilitator.

Now we should have access to Travis Naylor's phone. Look around, it should be easy for you to find the requested test login credentials. Send them to Dispatch (format will be "{username}{space}{password}"), get the confirmation code and it's all done!

G7 2019 Chapter 2: Executive Error
Part 1

Take a look at the archive and we need to find his presence in another social media. Try some by yourself and there is an account named LordSwatobog on XXXXXXX. In this page, you will see the cover picture contains a license plate - this means that we will need to find a coordinate.

LordSwatobog's twitter also has a website, which is about a fighting club called golden glory. You will find its address somewhere, and then you just need google map to read the coordinates of this place. Input the coordinates (the number of digits doesn't seem to matter) to satellite feed.

Then input the license plate - the "RUS" doesn't count, and the "y" and "p" in Russian are not the y and p in English - so you need to change them to English letters (use wikipedia etc. to help). Now you should be able to track him, after hacking the smart billboard of course.

Okay now you're in his phone, and you know his name is Dmitry Fyodorov. It should be easy to find the email about the leakage, and just type in the name at the bottom.

Part 2

In the beginning we need to do some analysis on the two archive files. According to Wheeler's update, the headlines on Global News are actually trying to send information.

Hack in the three websites mentioned and assassinate vulnerable ADs, and then XKey the entities. You will find two emails mentioning two names.

But they are not useful actually... It took me long to figure out. (Some say they're making this decoy because part 1 went too smooth...) Then what is the actual useful part?

Just find the title which describes this WH attack (you might not be 100% sure, but you should be 80% sure), and then search the name of that author (not the ones you found in XKey).

Part 3

Look at the archive files and find the domain of Energo-Stroy. Hack inside, and then you need to do a password attack. The username is given somewhere.

Then it should be easy to know where the MU7 satellite base is located. Send the address to Dispatch, and in the reply they will tell you they cannot find a way to deploy the surveillance.

The reply email talks about researching the "Ramenki District surrounding the Stromnaya Facility", so we can google "Stromnaya Facility", and we will find the wikipedia page of XXXXX X.

Somewhere, it talks about a hidden underground city, which is connected with other underground facilities - our satellite base! Then we just need the address of this underground city - XXXXXXX-XX, which is directly in the article and should be found easily. Reply with this to Dispatch, and they will send you another email.

Now we got a string of hex characters, and experienced players will probably know what to do next.

Yes, it is a URL, and you will find two pictures. Okay, now it's time for the steganography! The instruction is:

1. Open Photoshop and put two pictures as two layers in one file, the black-white pic on the top.
2. Change the layer properties to "Difference", from "Normal".
Now the picture should be clear and you should see something! If you are stuck here, I have prepared the properly processed pic, but only open it when you are REALLY stuck!


Again, only open this if you are REALLY stuck!



Okay, we've got it, then let's hack this domain in StingerOS! After getting in, netscan shows nothing, so it's listening time! Now it should be really easy for you to discover who is talking to the hacker group! Submit the username and the mission is all done!
September 2019: Rat's Nest
Part 1

The hacker's domain is of course invincible, so we have to play the game with him. From the info by the hacker in the second picture from the archive, we need to send him a specific email - which actually belongs to a social engineering attack with manually input email address.

From the archive, we know that the Subject must be a designated phrase, and the file format is the answer to that mini riddle - but you can also try all the formats and find the one with the highest efficiency - well, I'll still recommend looking at the mini riddle.

Then for the alias: the word bubonic will lead us to plague, then "the death of many under him name" means that the alias we use should be the "thing" that makes people suffer from plague.

Final hint: the plague disease is caused by a bacterium.

My efficiency of SET is 81%, which is probably buffed by the goliath-7 upgrade. Once you are inside, you should know what to do - there is another puzzle.

This puzzle is pretty easy for me since I'm from China (I've got to admit this game's OW missions contain a lot of info about China and Chinese culture, especially that "rivercrab"... and this one). You should find a character 鼠, which means rat in Chinese, and rat is also one of the zodiac animals in China. 1996, 2008, ... are years of rat. Then you should be able to find out the MAC address if you are familiar with Spring Festival.

Need more hint? The MAC address actually begins with the first day of "year of the rat", and ends with the last day of "year of the rat", in the year which is hinted from the series of numbers.

Still cannot find the correct MAC address? Did you just input the date of 2021 Spring Festival? If so, you are tricked because that day is actually the first day of "the year of the ox".

As for the vendor, you might have already heard about it since it is pretty famous in these years. If not, search everything in google and you should be able to find it.

Final hint: XXXXXX

Now that you are in his phone, you will find the final step. Search these words, and you will find a famous book. The name of the book will be the answer (one word).

Part 2

This time you are directly given a URL. Get in, netscan shows that the info is related to the chemical elements (wow I guess this OW mission is perfectly suitable for a Chinese chemistry student like me XD).

The result of netscan shows that we need to access that path, but a password is needed, and you cannot John-the-Ripper it since there is a hint.

Well I think this part should be explained more clearly: the password is in the form of {elementname}_{its atomic number}. For example, if the element is O, then the password should be oxygen_8; if the element is Fe, it should be iron_26.

If you are sad because caesium_55 is not the password: that C$ is not the password hint. For the real hint, you need to do some listening.

If you don't know what the username is: what is the username if you are in a directory called "/user/gfcjyb/documents"?

Okay, next. Dig the wifi and the time is really clear, for the day you will need to do some image searches.

Get inside the phone, and you are requested to mix a solution. The first two items will hint you one element each, but the third one is a little bit tricky.

When searching this special eye drop, you might find a lot of ingredients. Which is the one we want? The clue is actually in the "beautiful lady".

Final hint: It is related to the translation of "beautiful lady" to a foreign language.

Search the three things (they are actually similar in some point of view) and it should be very easy for you to get the answer.

Part 3

Translate the poem to English and try to search what it is talking about. The answer is clearly a day and a time used to find a phone by air crack, but just try not to brute force find it.

Still cannot find this place? Well just search some keywords mentioned in the poem after the translation, and the language the poem uses originally is also a clue.

Final hint: it's not that mysterious, and you might even have heard about it - a famous place of tourism.

Next step is to get in the phone and read the notes. From the to-do list, by doing some searching you should probably know what this place is, and then use the necessary info to do the listening. Again, try not to brute force.

Then from the packet sniffer you should find what it is talking about and who "he" is. Next, what to do? If you have asked this question, it is because you forgot to do an important thing as an NT4 hacker.

Final hint: 7366757a7a6572

Then I think you will know what to do for the rest!
12 Comments
Usra 24 May, 2023 @ 8:32am 
As of 24/05/2023 the link {LINK REMOVED} given by the hex code in Executive Error no longer works (Support of GoDaddy Shortener links in customer accounts has been discontinued)
Rbn 2 Feb, 2022 @ 8:28am 
@SUYI The email server works for me as of 2022-02-02.
SUYI 20 Jan, 2022 @ 9:10am 
Now is 2022, and it seems that any mission with the step "Send email to dispatch@division-66.com" is no longer playable. The mail server doesn't reply anything anymore.
Crustacea 10 Jun, 2021 @ 10:50am 
Nice guide, but in Executive Error part 2 email named "More Quote Stories" is actually useful, because from this you can find the title 'CIA, North Korea Engaged Hidden Camera Evict Tech Giant' using the author that was mentioned in email, and then cross-reference title with the real cyberattack, that is also mentioned in the email. When you do this, you can figure out, that 'Evict' means stealing documents. Sry for bad english, not my main language.
The Laughing Corpse 18 May, 2021 @ 1:25pm 
I am bashing my head in trying to figure out the subject for the e-mail subject to Ratking. I know it has something to do with Justinian I but I've tried every variation I could find on google to no avail.
The Mogician 22 Sep, 2020 @ 2:13am 
Someone actually managed to make a guide for this game!!!
[MC] Inotje 7 Aug, 2020 @ 9:37pm 
Nevermind, was in the wrong one.. But I'd like to know where that PC leads to? If you know. (clue: Crest of some sort and YT link)
[MC] Inotje 7 Aug, 2020 @ 9:22pm 
Hmm no idea how to do spoilers, but uhm let's say I got the note, video and something in italian.. no idea what to do now? After this final hint I did that and found the 'answer'
gfcjyb  [author] 5 Jul, 2020 @ 3:50pm 
@coppitts after MITM you should use package sniffer
coppitts 5 Jul, 2020 @ 1:11pm 
I cannot figure out Rats nest Part 3. I can get the MITM up and I know what the text refers to but no idea what to do next. I have tried all the searches on the IPs and nothing.