- #Flag Step Progression (this assumes the user already determined the `13.56.108.41` address in previous flags)
- ##Grab SSL for email pivot
- * This could have been done multiple ways, but Censys would have been easiest.
- Specifics of the cert found at the IP were as follows:
- * **metadata.added_at**: `2017-07-06T20:52:58+00:00`
- * **parsed.__expanded_names**: `com, x64-corp.com, prod02.x64-corp.com`
- * **parsed.fingerprint_sha1**: `136baff94917a2107dda8dbe582815331e86e230`
- * **parsed.issuer.organizational_unit**: `Rafaela.Pereira@x64-corp.com`
- * **parsed.issuer_dn**: `CN=prod02.x64-corp.com, OU=Rafaela.Pereira@x64-corp.com, O=x64Corp, L=SanFransisco, ST=CA, C=US`
- * **Validity**: `2017-07-05 18:22:38 to 2018-07-05 18:22:38 (365 days, 0:00:00)`
- The key pivot takeaway here would be the email address: `Rafaela.Pereira@x64-corp.com`
- ##Find additional account information
- * A basic Google search for the email address would have led to the following Pastes:
- * `hxxps://pastebin[.]com/2nZ5BLav`
- * This would have given you the following additional information:
- * DOB: 11 April 1983
- * Twitter: @i4mrafaela
- * `hxxps://pastebin[.]com/hpkBJgDg`
- * This was a false pivot and led nowhere (kisses)
- * The Twitter account has mostly useless posts, except for one that hints at the nickname `Donovan`
- * Since they have a Twitter, they might have a Facebook?
- * Searching the email address on Facebook would lead us to this profile:
- * `hxxps://www.facebook[.]com/profile.php?id=100019421580542`
- ###Facebook
- * Hints on the Facebook page:
- * Nickname: donovan
- * Multiple hints would have led the user here (the profile website is the submission ID for Malwr and the favorite quote is the sample hash):
- * `hxxps://malwr[.]com/analysis/MjEyM2U1MmIzM2JmNDYzNTk5YmQ5YWNiOGRkMDNjNmU/`
- * Response to one of the comments on July 20 was a password:
- * `??42|french|MONDAY|type|EXPECT|were|TEACHER|82??`
- ##File Analysis
- Once the user figured out the Malwr and hash hints, it would have led to the following report:
- * `hxxps://malwr[.]com/analysis/MjEyM2U1MmIzM2JmNDYzNTk5YmQ5YWNiOGRkMDNjNmU/`
- File Specifics:
- * **FILE NAME**: 5.jpg
- * **FILE SIZE**: 6888 bytes
- * **FILE TYPE**: JPEG image data, EXIF standard 2.3
- * **MD5**: `422ac9912efaa7ae6bf4160bbf9d5da2`
- * **SHA1**: `ecdba596e0ba8e3ec0f3147980ed22faf0fcf020`
- * **SHA256**: `316908561be9ce44349610a0753357198d32b41079d6d9e3d6883146ce6d193f`
- ##EXIF Data
- * **File Type**: JPEG
- * **MIME Type**: image/jpeg
- * **Processing Software**: `pyExifToolGui 0.5`
- * **Image Description**: `ZmlmdHktdHdvLm5pbmUuc2l4dHktZml2ZS50d28tdHdlbnR5LWZpdmU=`
- * **Artist**: `Rafaela Pereira`
- * **Copyright**: `x64-corp`
- * **User Comment**: `eff-tee-pee`
- * The fact that the Processing Software is `pyExifToolGui 0.5` would lead an analyst to believe that the EXIF data may have been modified.
- * Image description is a Base64 encoded string, decodes to: `fifty-two.nine.sixty-five.two-twenty-five` | `52.9.65[.]225`
- * User Comment is: `eff-tee-pee` (FTP)
- The information within the EXIF data would have led the analyst to the following: `ftp://52.9.65[.]225`
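- The Image Description decoding step above, as an added example that is not part of the original write-up: it Base64-decodes the field and converts the dotted number words into an IPv4 address. The function names and the handling of the informal `two-twenty-five` form are assumptions made for this sketch.

```python
import base64
import ipaddress

# Number words needed to spell an IPv4 octet (0-255).
UNITS = {w: i for i, w in enumerate(
    "zero one two three four five six seven eight nine ten eleven twelve "
    "thirteen fourteen fifteen sixteen seventeen eighteen nineteen".split())}
TENS = {w: 10 * i for i, w in enumerate(
    "twenty thirty forty fifty sixty seventy eighty ninety".split(), start=2)}

def _below_100(parts):
    """Value of ['nine'], ['fifty'] or ['fifty', 'two']; anything else is rejected."""
    if len(parts) == 1 and parts[0] in UNITS:
        return UNITS[parts[0]]
    if len(parts) == 1 and parts[0] in TENS:
        return TENS[parts[0]]
    if len(parts) == 2 and parts[0] in TENS and 1 <= UNITS.get(parts[1], 0) <= 9:
        return TENS[parts[0]] + UNITS[parts[1]]
    raise ValueError(f"not a number word group: {parts!r}")

def words_to_octet(token):
    """Convert one hyphenated word group to an int in 0..255."""
    # Assumption: a leading digit word followed by more words is the hundreds
    # digit, so 'two-twenty-five' and 'two-hundred-twenty-five' both give 225.
    parts = token.strip().lower().split("-")
    if len(parts) > 1 and 1 <= UNITS.get(parts[0], 0) <= 9:
        rest = [p for p in parts[1:] if p != "hundred"]
        value = 100 * UNITS[parts[0]] + (_below_100(rest) if rest else 0)
    else:
        value = _below_100(parts)
    if value > 255:
        raise ValueError(f"{token!r} is out of range for an IPv4 octet")
    return value

def decode_description(b64_text):
    """Base64 -> dotted number words -> ipaddress.IPv4Address."""
    words = base64.b64decode(b64_text, validate=True).decode("ascii")
    octets = [words_to_octet(t) for t in words.split(".")]
    if len(octets) != 4:
        raise ValueError(f"expected 4 octets, got {len(octets)}")
    return ipaddress.IPv4Address(".".join(map(str, octets)))

if __name__ == "__main__":
    # Image Description value quoted in the EXIF section of this write-up.
    field = "ZmlmdHktdHdvLm5pbmUuc2l4dHktZml2ZS50d28tdHdlbnR5LWZpdmU="
    # Print defanged, in the same style the write-up uses.
    print("[.]".join(str(decode_description(field)).rsplit(".", 1)))
```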
- ##Accessing FTP (Getting the Flag!)
- * Site location: `ftp://52.9.65[.]225`
- * Username: previously listed as a username on the Facebook page - `donovan`
- * Password: previously posted as a comment on the Facebook page - `??42|french|MONDAY|type|EXPECT|were|TEACHER|82??`
- Once the analyst reaches this page, they are met with a file whose contents were:
- * `"Amidst the mists and coldest frosts he thrusts his fists against the posts and still insists he sees the ghosts"`
- ##How you could have cheated
- * The avatar for the social media accounts was intentionally chosen. A reverse image search would have led to the movie/book title: `Donovan's Brain`
- * A search for the nickname "Donovan", plus the word "brain", would have also led to the title
- * An example Wikipedia entry lists one of the book's more popular quotes:
- * `"Amidst the mists and coldest frosts he thrusts his fists against the posts and still insists he sees the ghosts."`