L’espion Walkthrough — Cyberdefenders

responderj
6 min read · Mar 25, 2022

Challenge Link: L’espion

Challenge Details:
You have been tasked by a client whose network was compromised and brought offline to investigate the incident and determine the attacker’s identity. Incident responders and digital forensic investigators are currently on the scene and have conducted a preliminary investigation. Their findings show that the attack originated from a single user account, probably, an insider. Investigate the incident, find the insider, and uncover the attack actions.

Tools/Techniques:

1. File -> Github.txt:
What is the API key the insider added to his GitHub repositories?

The provided GitHub account has 14 Repositories.

Github.txt
Repositories tab

We can find the API key by checking the Login Page.js file under the first repository (Project-Build — -Custom-Login-Page).

2. File -> Github.txt:
What is the plaintext password the insider added to his GitHub repositories?

Scrolling down in Login Page.js, I discovered the password, which was Base64 encoded.

We can use CyberChef to decode the password with the From Base64 operation.

CyberChef results
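The two GitHub questions above come down to secrets committed to source: a hard-coded API key and a Base64-encoded password sitting in a checked-in JavaScript file. The script below is an added example (not part of the original post, the challenge files, or CyberChef) that performs the same check automatically over a file, the way a pre-commit or repository secret scan would: it flags string assignments to secret-looking names (api_key, token, password, ...) and decodes any Base64-looking string literal that yields printable text. The sample JavaScript and its key and password values are constructed placeholders, not the challenge's answers.

```python
"""Scan source text for hard-coded secrets: API-key-style assignments and
Base64-encoded string literals that decode to printable text.

Added example for this walkthrough; not code from the challenge, Sherlock,
or CyberChef. SAMPLE_JS is constructed and its values are placeholders.
"""
import base64
import binascii
import re

# Constructed sample resembling a login page script with committed secrets.
# The password is a placeholder, Base64-wrapped here so the decode step is real.
SAMPLE_PASSWORD_B64 = base64.b64encode(b"PlaceholderPassword123").decode()
SAMPLE_JS = f"""
const endpoint = "https://api.example.invalid/v1";
const apiKey = "AKIAEXAMPLEPLACEHOLDER1";   // hypothetical key value
var password = "{SAMPLE_PASSWORD_B64}";      // Base64-wrapped placeholder
let greeting = "Welcome back";
"""

# A string assigned to a name that suggests it holds a credential.
SECRET_NAME = re.compile(
    r"""(?P<name>\w*(?:api[_-]?key|secret|token|passw(?:or)?d)\w*)"""
    r"""\s*[:=]\s*["'](?P<value>[^"']+)["']""",
    re.IGNORECASE,
)
# A quoted literal made only of Base64 alphabet characters, long enough to matter.
B64_LITERAL = re.compile(r"""["'](?P<value>[A-Za-z0-9+/]{16,}={0,2})["']""")


def try_base64(value):
    """Decode value as strict Base64; return the text if it is printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None  # bad alphabet or padding: not Base64
    if not raw:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None  # decodes to binary, not a wrapped password
    return text if text.isprintable() else None


def scan_source(text):
    """Return findings as (line_no, kind, name, value, decoded) tuples.

    kind is "secret-assignment" for a credential-looking variable name and
    "base64-literal" for an anonymous literal that decodes to readable text.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SECRET_NAME.finditer(line):
            value = m.group("value")
            findings.append((line_no, "secret-assignment", m.group("name"), value, try_base64(value)))
        for m in B64_LITERAL.finditer(line):
            value = m.group("value")
            decoded = try_base64(value)
            # Skip literals that did not decode, or were already reported by name.
            if decoded is None or any(f[3] == value for f in findings):
                continue
            findings.append((line_no, "base64-literal", None, value, decoded))
    return findings


if __name__ == "__main__":
    for line_no, kind, name, value, decoded in scan_source(SAMPLE_JS):
        shown = f"{name} = {value!r}" if name else repr(value)
        extra = f"  (Base64 decodes to {decoded!r})" if decoded else ""
        print(f"line {line_no}: {kind}: {shown}{extra}")
```

Run against a real repository by feeding each file's contents to scan_source; the name-based rule catches keys like the one in question 1 even when they are not Base64, and the decode rule is what turns a value like the one in question 2 back into plaintext without a trip to CyberChef.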

3. File -> Github.txt:
What cryptocurrency mining tool did the insider use?

I checked the descriptions of the 14 repositories individually and found 1 repo related to crypto mining.

xmrig repo

4. What university did the insider go to?

Sherlock is an open-source tool that searches multiple social networks for accounts using the username you provide.

Sherlock
python3 sherlock EMarseille99
Sherlock results

The image above shows that the username EMarseille99 is used on AllMyLinks, CapFriendly, GitHub, Instagram, Spotify, Steam, and TradingView.

I checked the Instagram account and found the full name of the insider.

Insider’s Instagram account

Then I used a Google dork to find her LinkedIn account.

intext:Émilie Marseille site:www.linkedin.com
Insider’s Linkedin account

The image above shows some information about the insider including the school where she studies.

5. What gaming website did the insider have an account on?

The results from Sherlock displayed the gaming site where the insider has an account.

The insider also posted a QR code on her Instagram, but I didn't scan it. I'm not sure if it is related to an online game.

6. What is the link to the insider Instagram profile?

The results from Sherlock also displayed the insider’s Instagram.

Or use the Google dork below:

intext:EMarseille99 site:www.instagram.com

7. Where did the insider go on the holiday? (Country only)

The photo posted by the insider on her Instagram shows that she was on holiday in Singapore. I recognized the building with a boat on top (Marina Bay Sands).

Another option is to download the image from Instagram and then drag & drop it into Google Images. Google will display similar photos and the name of the park.

8. Where does the insider's family live? (City only)

I found 2 images on her Instagram that show where the insider's family lives. The first image shows the flag of the country.

First image

I'm not good at identifying flags, but I recognized that this is the flag of an Arab country. I searched online and found the list of Arab countries' flags on Wikipedia. The image below shows that this is the United Arab Emirates flag.

Second image

I googled “United Arab Emirates skyscraper” since I’ve noticed the tall building in the second image.

I opened the article from the first result and compared the building.

https://www.nbcnews.com/news/world/united-arab-emirates-has-vainest-skyscrapers-world-says-architecture-group-flna8c11079794

It seems that the building in the article is similar to the building in the second image. The article also mentioned that this is located in Dubai, and the placeholder on this question starts with the letter D.

9. File -> office.jpg:
You have been provided with a picture of the building in which the company has an office. Which city is the company located in?

office.jpg

I combined the 2 names visible on the building, "Grand Central Odeon", and searched in Google Images. I opened the first result, and it shows the location of the company.

https://www.alamy.com/stock-photo-odeon-cinema-reflected-in-the-grand-central-shopping-centre-at-new-111457395.html

10. File -> Webcam.png:
With the intel you have provided, our ground surveillance unit is now overlooking the person of interest’s suspected address. They saw them leaving their apartment and followed them to the airport. Their plane took off and has landed in another country. Our intelligence team spotted the target with this IP camera. Which state is this camera in?

Webcam.png

The image above shows the name of the company that operates the webcam that captured the image. I searched "earthcam dome aerial view" in Google Images and found similar photos. I clicked the 3rd result, which redirected me to the EarthCam Facebook page.

Results from Google images
https://m.facebook.com/earthcaminc/posts/rise-shine-notredame-visit-the-university-campus-with-our-live-earthcam-on-top-o/10155620160461437/

If you click the link provided on the Facebook page, you will be redirected to the EarthCam website, which displays some information, including the state where the camera is located.

https://www.earthcam.com/usa/indiana/notredame/?cam=notredame
