Centinels
  • Centinels
  • Writeups
    • n00bzCTF
      • forensics/wave
      • osint/the-gang-[1-4]
      • programming/sillygoose
      • programming/numbers-2
      • programming/back-from-brazil
      • crypto/random
      • misc/addition
      • misc/subtraction
      • blockchain/evm-conditions
    • ImaginaryCTF
      • forensics/playful-puppy
      • forensics/cartesian-[1-3]
    • VSCTF
      • algo/baby-game
      • algo/quickmaffs-permutation-puzzle
      • algo/baby-game-revisited
      • crypto/dream
      • crypto/dream-revenge
      • rev/awa-jelly
    • UMDCTF
      • osint/literally arrakis I
      • osint/literally arrakis II
      • misc/Echoes of Arrakis
      • misc/Spice Harvest Data Recovery
Powered by GitBook
On this page
  • Writeup by Aryan
  • Cartesian 1
  • Cartesian 2 (first blood)
  • Cartesian 3 (first blood)
  1. Writeups
  2. ImaginaryCTF

forensics/cartesian-[1-3]

550, 95, and 91 solves / 100 points each

Previousforensics/playful-puppyNextVSCTF

Last updated 7 months ago

Writeup by Aryan

A three-part OSINT challenge! We have to track down a person called Terrence Descartes.

Cartesian 1

The first and simplest of the three. We are given the guarantee that Terry's social accounts are relatively new and nothing pertaining to him has existed before July 17, 2024. Intuitively, we start looking on social media. We find his Instagram relatively quickly, which has some stories and posts. Going through the stories, we find our first flag!

ictf{i_love_revealing_info_on_the_internet}

Cartesian 2 (first blood)

The second -- and for us, hardest -- of the three. All we're told is that we should look into Terry's trip last summer, and there may be more to him than it seems.

We went down quite a few rabbit holes involving his Instagram account, but couldn't find anything. Everything in the travel😎😎😎 stories was irrelevant. Some of our team members quickly found Terry's LinkedIn, which didn't appear to have much useful info. We also found a Reddit account which we assumed may have been relevant, but there was nothing on it (later on, we received confirmation it was out of scope).

A few minutes later, another teammate found his GitHub, which had a repository on it. Getting someone's email from their GitHub is trivial, just open a commit and add .patch to the end of the URL. We successfully retrieve Terrence's email with this!

Turns out his email is just terrencedescartes@gmail.com. At this point, we were annoyed that we hadn't guessed the email address earlier (although soon enough we would be doing our fair share of guessing).

Finding his email allowed us to perform a lookup through Epieos, which gives us links to his Google Calendar and Google Maps. There were no reviews on the Google Maps (for the time being), so we examine his calendar. Going back to summer 2023, we see an entry titled SUMMER TRIP!!!. Clicking on it gives us the second part of the flag, but not the first.

We were happy to find part two of the flag, but quickly got stumped on trying to find part one. We moved to Cartesian 3 for a while and found everything necessary besides the city Terrence visited last summer for vacation (go figure, that's what we need for Cartesian 2 as well...). It was 8PM EST, and no teams had solved either challenge yet, so we had the suspicion something was broken.

My intuition was telling me there was a Google Maps review that was necessary, but the review wasn't showing up anymore. Another CTF I'd done before had a similar issue, where they put a flag on a Google Maps review and the review got removed. I'm not sure why the reviews get removed, but if it happened once, surely it can happen twice. Such a review could give us both pieces of information: part 1 of the flag and the location Terrence visited last summer.

One of my teammates had a ticket open, and he told the admins about the potential Google review being broken at 8:09 PM EST.

We weren't sure what to do at this point, so I just tried guessing flags. After one or two attempts, I tried submitting ictf{wh3n_th3y_s4y_publ1c as part 1 -- after all, it makes sense, right? When they say public, they mean public.

A few minutes later at 8:24 PM EST, the admins patched the review, which decimated the solve count.

ictf{wh3n_th3y_s4y_publ1c_th3y_m3an_publ1c_9f1b2314}

Cartesian 3 (first blood)

With the wild goose chase we were on for Cartesian 2, this challenge was a breeze, so I'll quickly list all the information and how we found it.

  • email: Terrence's GitHub, append .patch to the end of any commit. terrencedescartes@gmail.com

  • date of birth: Terrence's Instagram username has 2001 in it, so we have the year. He posted about his half-birthday on July 19th, and 182 days before July 19 is January 18th, so the DOB is 2001-01-18.

  • name of favorite pet: Terrence's Instagram also has a picture of his dog. The description says "ilysm bonnie", so the pet's name is Bonnie.

  • childhood city: Possibly the hardest one, but we use the fact that his GitHub says 1114 miles from Seattle and his calendar has an event in late January for an NYC trip which reveals he is 2139 miles from NYC. There was actually a third point revealed which I forgot, but we only need two measurements to narrow down the location to two possible points: guess and check helps us find it is Phoenix

  • name of favorite poet: again, we use his Instagram. his bio says nothing gold can stay, a poem by Robert Frost; he also only follows accounts related to Robert Frost. Thus, the poet is Robert Frost

  • make and model of first car: once again, it's on his Instagram (his latest post); it's a Honda Civic

  • father's birth year: the GitHub we found earlier only has one repository, a birthday card to his father. the second commit reveals that his father is 43 years old, so we get 2024 - 43 = 1981

  • mother's maiden name: Terrence's first LinkedIn post is dedicated to his mother. We find her maiden name is Jackson

  • work company: Terrence's LinkedIn shows his current company to be Cohort Calculations

  • last summer's vacation city: Terrence's most recent LinkedIn post has screenshots of a Google Maps review about the Como Park Zoo, which is in Saint Paul

  • task on August 21: On Terrence's Google Calendar, he has an event for August 21st, which says to Drop off top secret information

  • first job boss: Terrence's LinkedIn reveals that his first job was farming geese under Farmer Johnson

Because that was a lot of info, I've attached the relevant links here again. Here are Terrence's Instagram, LinkedIn, GitHub, Google Calendar, and email. Entering all the info into the website gives us the flag.

In the last writeup I mentioned that we would have been able to guess Cartesian 3 within a few minutes, even if the authors hadn't published the fix to the challenge.

This was because we had figured out all necessary info besides where Terrence went on vacation last summer (that was the only broken part of the challenge). Seeing as how the city was most likely in the US, we had started guessing based on the most populated cities in the country.

Saint Paul was ranked 67th, and we had gotten through the top 50 or so, meaning it was only a matter of time until we would have guessed this location as well.

Nevertheless, we didn't get through guessing in time, and when Eth007 made the announcement, we ended up using the LinkedIn post to find the location and blood the challenge.

ictf{pls_stay_safe_out_there_e072db31b690cfdb}

Flags (again):

Cartesian 1: ictf{i_love_revealing_info_on_the_internet} Cartesian 2: ictf{wh3n_th3y_s4y_publ1c_th3y_m3an_publ1c_9f1b2314} Cartesian 3: ictf{pls_stay_safe_out_there_e072db31b690cfdb}

Part two of the flag
Timestamp is in 24-hour PDT (taken from the transcript)
Quite the lucky guess
Terrence posted part one of the flag in a screenshot on his latest LinkedIn post.
this tool was helpful: https://www.calcmaps.com/map-radius/