Published on

CyberDefenders - L'espion

Authors
  • avatar
    Name
    Emma
    Twitter

Cyber Defenders - L'espion

Case Overview: You have been tasked by a client whose network was compromised and brought offline to investigate the incident and determine the attacker's identity. Incident responders and digital forensic investigators are currently on the scene and have conducted a preliminary investigation. Their findings show that the attack originated from a single user account, probably, an insider. Investigate the incident, find the insider, and uncover the attack actions.

Link to Challenge

Tools Used:

Verify the hash of the download.

Image file name: c54-Lespion.zip

Computed Hash:

  • SHA1: 733252e85d86a8abc3417fd9dd70a3a71b3f2d90

After unzipping the file, we are presented with a folder that contained three files: Github.txt, office.jpg, and WebCam.png.

First, I inspected Github.txt. It contained the following URL: https://github.com/EMarseille99

The URL leads us to "EMarseille99's" GitHub profile.

CD_LESPION_MAIN

Browsing the GitHub profile allows us to answer the first few questions...but lets do a little more digging now that we have a few more details.

Googling "username search", will give us a list of websites we can use to figure out where else this person might have other accounts.

I used "Instant Username Search" and got a few hits for "Emarseille99" on several other sites.

Because it was a suggested tool, I also used Sherlock.

CD_LESPION_MAIN2
CD_LESPION_MAIN3

#1: File -> Github.txt: What is the API key the insider added to his GitHub repositories?

I started this challenge by browsing the user's GitHub repositories one by one to find the API key.

Posting API keys in GitHub repositories is not advisable due to the potential security risks involved. These risks include unauthorized access, an expanded attack surface, compromised credentials, and the possibility of violating compliance regulations.

CD_LESPION_Q1

#2: File -> Github.txt: What is the plaintext password the insider added to his GitHub repositories?

Located in the same repository is a password. This password was written and saved to the reposiroty in base64. We can copy and paste it into a decoder of choice. I used BASE 64 Decode and Encode. Another option for decoding Base64 is CyberChef.

CD_LESPION_Q2

#3: Github.txt: What cryptocurrency mining tool did the insider use?

Searching the other repositories in this user's GitHub account helped me find the answer.

CD_LESPION_Q3

#4: What university did the insider go to?

Several places exist where individuals may share their educational history, with LinkedIn being a favored option. By searching for the person's name on LinkedIn, we can locate a profile that corresponds to the profile picture observed on other accounts, as well as the employer indicated on their GitHub account.

CD_LESPION_Q4

#5: What gaming website the insider had an account on?

I found this answer while using the site, "Instant Username Search" in the beginning of our investigation.

After performing a Google search for the given GitHub username "Emarseille99," I immediately found an Instagram user with an identical username. The same profile picture was used on both the GitHub and Instagram accounts.

CD_LESPION_Q6

#7: Where did the insider go on the holiday? (Country only)

Upon examining the target's Instagram page, we encountered a photograph uploaded on May 23, 2020, with a caption that read "Once in a lifetime holiday here, love me some slings x". To narrow down our search, we saved the picture to our desktop, uploaded it to Bing Image Search, cropped only the most pertinent feature, the prominent building situated in the center. I obtained the answer from the resulting search outcomes.

CD_LESPION_Q7

#8: Where is the insider's family live? (City only)

The insider posted two pictures to their Instagram account that referred to family. There was 1/2, and 2/2. The 2/2 picture had a distinguishing landmark in the photograph. I save this picture, uploaded it to Google Image Search and cropped it to only search that landmark.

CD_LESPION_Q8

#9: File -> office.jpg: You have been provided with a picture of the building in which the company has an office. Which city is the company located in?

I was not immediately familiar with anything in the photo. Upon zooming in, I could see "Hippodrome Theatre". Googling Hippodrome Theatre will give you the answer.

#10: File -> Webcam.png: With the intel, you have provided, our ground surveillance unit is now overlooking the person of interest's suspected address. They saw them leaving their apartment and followed them to the airport. Their plane took off and has landed in another country. Our intelligence team spotted the target with this IP camera. Which state is this camera in?

Webcam.png appears to be a photo from a LIVE webcam due to the LIVE sticker in red at the top of the photo. At the top of the picture it also says, "A View from the Dome". I Googled "A View from the Dome" LIVE Webcam and got my answer.

CD_LESPION_Q10

Here is the link to the live Webcam. It is pretty neat!