> For the complete documentation index, see [llms.txt](https://centinels.gitbook.io/home/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://centinels.gitbook.io/home/writeups/imaginaryctf/forensics-cartesian-1-3.md). # forensics/cartesian-\[1-3] ### Writeup by Aryan A three-part OSINT challenge! We have to track down a person called Terrence Descartes. ### Cartesian 1 The first and simplest of the three. We are given the guarantee that Terry's social accounts are relatively new and nothing pertaining to him has existed before July 17, 2024. Intuitively, we start looking on social media. We find his [Instagram](https://www.instagram.com/descartes.terry2001/) relatively quickly, which has some stories and posts. Going through the stories, we find our first flag! `ictf{i_love_revealing_info_on_the_internet}` ### Cartesian 2 (first blood) The second -- and for us, hardest -- of the three. All we're told is that we should look into Terry's trip last summer, and there may be more to him than it seems. We went down quite a few rabbit holes involving his Instagram account, but couldn't find anything. Everything in the **travel**😎😎😎 stories was irrelevant. Some of our team members quickly found Terry's [LinkedIn](https://www.linkedin.com/in/terrence-descartes-54642831a/), which didn't appear to have much useful info. We also found a Reddit account which we assumed may have been relevant, but there was nothing on it (later on, we received confirmation it was out of scope). A few minutes later, another teammate found his [GitHub](https://github.com/descartes1337/), which had a repository on it. Getting someone's email from their GitHub is trivial, just open a commit and add `.patch` to the end of the URL. We successfully retrieve Terrence's email with [this](https://github.com/descartes1337/birthday-card/commit/e6f565a35fd10136647336780731a4d19aabfac7.patch)! Turns out his email is just `terrencedescartes@gmail.com`. At this point, we were annoyed that we hadn't guessed the email address earlier (although soon enough we would be doing our fair share of guessing). Finding his email allowed us to perform a lookup through [Epieos](https://epieos.com/?q=terrencedescartes%40gmail.com\&t=email), which gives us links to his Google Calendar and Google Maps. There were no reviews on the Google Maps *(for the time being)*, so we examine his [calendar](https://calendar.google.com/calendar/u/0/embed?src=terrencedescartes@gmail.com). Going back to summer 2023, we see an entry titled **SUMMER TRIP!!!**. Clicking on it gives us the second part of the flag, but not the first.

Part two of the flag

We were happy to find part two of the flag, but quickly got stumped on trying to find part one. We moved to Cartesian 3 for a while and found everything necessary besides the city Terrence visited last summer for vacation (go figure, that's what we need for Cartesian 2 as well...). It was 8PM EST, and no teams had solved either challenge yet, so we had the suspicion something was broken. My intuition was telling me there was a Google Maps review that was necessary, but the review wasn't showing up anymore. Another CTF I'd done before had a similar issue, where they put a flag on a Google Maps review and the review got removed. I'm not sure why the reviews get removed, but if it happened once, surely it can happen twice. Such a review could give us both pieces of information: part 1 of the flag and the location Terrence visited last summer. One of my teammates had a ticket open, and he told the admins about the potential Google review being broken at 8:09 PM EST.

Timestamp is in 24-hour PDT (taken from the transcript)

We weren't sure what to do at this point, so I just tried guessing flags. After one or two attempts, I tried submitting `ictf{wh3n_th3y_s4y_publ1c` as part 1 -- after all, it makes sense, right? When they say public, they mean public.

Quite the lucky guess

A few minutes later at 8:24 PM EST, the admins patched the review, which decimated the solve count.

Terrence posted part one of the flag in a screenshot on his latest LinkedIn post.

`ictf{wh3n_th3y_s4y_publ1c_th3y_m3an_publ1c_9f1b2314}` ### Cartesian 3 (first blood) With the wild goose chase we were on for Cartesian 2, this challenge was a breeze, so I'll quickly list all the information and how we found it. * email: [Terrence's GitHub, append .patch to the end of any commit.](https://github.com/descartes1337/birthday-card/commit/e6f565a35fd10136647336780731a4d19aabfac7.patch) **** * date of birth: Terrence's [Instagram](https://www.instagram.com/descartes.terry2001/) username has 2001 in it, so we have the year. He posted about his half-birthday on July 19th, and 182 days before July 19 is January 18th, so the DOB is **2001-01-18**. * name of favorite pet: Terrence's Instagram also has a picture of his dog. The description says "ilysm bonnie", so the pet's name is **Bonnie**. * childhood city: Possibly the hardest one, but we use the fact that his GitHub says *1114 miles from Seattle* and his [calendar](https://calendar.google.com/calendar/u/0/embed?src=terrencedescartes@gmail.com) has an event in late January for an NYC trip which reveals he is *2139 miles from NYC*. There was actually a third point revealed which I forgot, but we only need two measurements to narrow down the location to two possible points: guess and check helps us find it is **Phoenix**

this tool was helpful: https://www.calcmaps.com/map-radius/

* name of favorite poet: again, we use his Instagram. his bio says *nothing gold can stay*, a poem by Robert Frost; he also only follows accounts related to Robert Frost. Thus, the poet is **Robert Frost** * make and model of first car: once again, it's on his Instagram (his latest post); it's a **Honda Civic** * father's birth year: the GitHub we found earlier only has one repository, a birthday card to his father. the second commit reveals that his father is 43 years old, so we get 2024 - 43 = **1981** * mother's maiden name: Terrence's first [LinkedIn](https://www.linkedin.com/in/terrence-descartes-54642831a/) post is dedicated to his mother. We find her maiden name is **Jackson** * work company: Terrence's LinkedIn shows his current company to be **Cohort Calculations** * last summer's vacation city: Terrence's most recent LinkedIn post has screenshots of a Google Maps review about the Como Park Zoo, which is in **Saint Paul** * task on August 21: On [Terrence's Google Calendar](https://calendar.google.com/calendar/u/0/embed?src=terrencedescartes@gmail.com), he has an event for August 21st, which says to **Drop off top secret information** * first job boss: Terrence's LinkedIn reveals that his first job was farming geese under **Farmer Johnson** Because that was a lot of info, I've attached the relevant links here again.\ Here are Terrence's [Instagram](https://www.instagram.com/descartes.terry2001/), [LinkedIn](https://www.linkedin.com/in/terrence-descartes-54642831a/), [GitHub](https://github.com/descartes1337/), [Google Calendar](https://calendar.google.com/calendar/u/0/embed?src=terrencedescartes@gmail.com), and [email](mailto:terrencedescartes@gmail.com).\ Entering all the info into the website gives us the flag. In the last writeup I mentioned that we would have been able to guess Cartesian 3 within a few minutes, even if the authors hadn't published the fix to the challenge. This was because we had figured out all necessary info besides where Terrence went on vacation last summer (that was the only broken part of the challenge). Seeing as how the city was most likely in the US, we had started guessing based on [the most populated cities in the country](https://en.wikipedia.org/wiki/List_of_United_States_cities_by_population). Saint Paul was ranked 67th, and we had gotten through the top 50 or so, meaning it was only a matter of time until we would have guessed this location as well. Nevertheless, we didn't get through guessing in time, and when Eth007 made the announcement, we ended up using the LinkedIn post to find the location and blood the challenge. `ictf{pls_stay_safe_out_there_e072db31b690cfdb}` Flags (again): Cartesian 1: `ictf{i_love_revealing_info_on_the_internet}`\ Cartesian 2: `ictf{wh3n_th3y_s4y_publ1c_th3y_m3an_publ1c_9f1b2314}`\ Cartesian 3: `ictf{pls_stay_safe_out_there_e072db31b690cfdb}` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://centinels.gitbook.io/home/writeups/imaginaryctf/forensics-cartesian-1-3.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.