Untitled

#Flag Step Progression (this assumes the user already determined the `13.56.108.41` address in previous flags)

##Grab SSL for email pivot

* This could have been done multiple ways, but Censys would have been easiest.

Specifics of the cert found at the IP were as follows:

* **metadata.added_at**: `2017-07-06T20:52:58+00:00`
* **parsed.__expanded_names**: `com, x64-corp.com, prod02.x64-corp.com`
* **parsed.fingerprint_sha1**: `136baff94917a2107dda8dbe582815331e86e230`
* **parsed.issuer.organizational_unit**: `Rafaela.Pereira@x64-corp.com`
* **parsed.issuer_dn**: `CN=prod02.x64-corp.com, OU=Rafaela.Pereira@x64-corp.com, O=x64Corp, L=SanFransisco, ST=CA, C=US`
* **Validity**: `2017-07-05 18:22:38 to 2018-07-05 18:22:38 (365 days, 0:00:00)`

The key pivot takeway here would be the email address: `Rafaela.Pereira@x64-corp.com`

##Find additional account information
* A basic Google search for the email address would have led to the following Pastes:
  * `hxxps://pastebin[.com/2nZ5BLav`
    * This would have given you the following additional information:
       * DOB: 11 April 1983
       * Twitter: @i4mrafaela
  * `hxxps://pastebin[.com/hpkBJgDg`
    * This was a false pivot and led nowhere (kisses)
* The Twitter account has mostly useless posts except for one hint that hints at the nickname `Donovan`
* Since they have a Twitter, they might have a Facebook?
  * Searching the email address on Facebook would lead us to this profile:
    * `hxxps://www.facebook[.]com/profile.php?id=100019421580542`

###Facebook
* Hints on the Facebook page:
  * Nickname: donovan
  * Multiple hints would have led the user here (Profile website is submit ID for malwr & fave quote is sample hash) :
    * `hxxps://malwr[.]com/analysis/MjEyM2U1MmIzM2JmNDYzNTk5YmQ5YWNiOGRkMDNjNmU/`
  * Response to one of the comments on July 20 was a password:
    * `??42|french|MONDAY|type|EXPECT|were|TEACHER|82??`

##File Analysis
Once the user figured out the Malwr and hash hints, it would have led to the following report:
* `hxxps://malwr[.]com/analysis/MjEyM2U1MmIzM2JmNDYzNTk5YmQ5YWNiOGRkMDNjNmU/`

File Specifics:
* **FILE NAME**: 5.jpg
* **FILE SIZE**: 6888 bytes
* **FILE TYPE**: JPEG image data, EXIF standard 2.3
* **MD5**: `422ac9912efaa7ae6bf4160bbf9d5da2`
* **SHA1**: `ecdba596e0ba8e3ec0f3147980ed22faf0fcf020`
* **SHA256**: `316908561be9ce44349610a0753357198d32b41079d6d9e3d6883146ce6d193f`

##EXIF Data
* **File Type**: JPEG
* **MIME Type**: image/jpeg
* **Processing Software**: `pyExifToolGui 0.5`
* **Image Description**: `ZmlmdHktdHdvLm5pbmUuc2l4dHktZml2ZS50d28tdHdlbnR5LWZpdmU=`
* **Artist**: `Rafaela Pereira`
* **Copyright**: `x64-corp`
* **User Comment**: `eff-tee-pee`

* The fact that the Processing Software is `pyExifToolGui 0.5` would lead an analyst to believe that possible exif modification had been performed.
* Image description is a Base64 encoded string, decodes to: `fifty-two.nine.sixty-five.two-twenty-five` | `52.9.65[.]225`
* User Comment is: `eff-tee-pee` (FTP)

The information within the exif would have led the analyst to the following: `ftp://52.9.65[.]225`

##Accessing FTP (Getting the Flag!)
* Site location: `ftp://52.9.65[.]225`
* Username: previously listed as a username on the Facebook page - `donovan`
* Password: previously posted as a comment on the Facebook page - `??42|french|MONDAY|type|EXPECT|were|TEACHER|82??`

Once the analyst reaches this page, they are met with a file whose contents were:
* `"Amidst the mists and coldest frosts he thrusts his fists against the posts and still insists he sees the ghosts"`

##How you could have cheated
* The avatar for the social media counts was intentionally chosen. A reverse image search would have led to the movie/book title: `Donovan's Brain`
* A search for the nickname "Donovan", plus the word "brain", would have also led to the title
* An example wikipedia entry lists one of the books more popular quotes:
 * `"Amidst the mists and coldest frosts he thrusts his fists against the posts and still insists he sees the ghosts."`