L’espion Blue Team Challenge Write-Up

BY: Ahmed Nasser (أحمد ناصر)

5 min read · Nov 24, 2023

Category: Threat Intel (GitHub, BloodHound, OSINT, Mimikatz)

Level: Easy

Challenge Download Link : https://cyberdefenders.org/blueteam-ctf-challenges/enroll/73

Scenario:

You, as a SOC analyst, have been tasked by a client whose network was compromised and brought offline to investigate the incident and determine the attacker’s identity.

Incident responders and digital forensic investigators are currently on the scene and have conducted a preliminary investigation. Their findings show that the attack originated from a single user account, probably an insider.

Investigate the incident, find the insider, and uncover the attack actions.

Tools: web browser, Google search (including reverse image search), CyberChef, Google Maps.

Q1-
File -> Github.txt:
What is the API key the insider added to his GitHub repositories?

  • Open the GitHub link from the challenge file (Github.txt) in the browser.
  • Go to Repositories and open the first repository.
  • Open Login Page.js; the API key is hard-coded in the file:
THE Answer : aJFRaLHjMXvYZgLPwiJkroYLGRkNBW

Q2-
File -> Github.txt:
What is the plaintext password the insider added to his GitHub repositories?

  • In the same file, Login Page.js, scroll down and you will find the password stored as a Base64 string. Base64 is an encoding, not a hash, so it is trivially reversible: paste it into CyberChef with the “From Base64” recipe to recover the plaintext:
THE Answer : PicassoBaguette99
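Q1 and Q2 are exactly what automated secret scanning (GitHub secret scanning, gitleaks, trufflehog) catches before a repository goes public. The script below is an added example for this write-up, not part of the challenge files or the insider’s code: it scans source text for assignments to secret-looking identifiers, flags high-entropy values, and decodes any value that is well-formed Base64, which is how the “hashed” password in Login Page.js falls out as plaintext. The JS snippet is constructed to mimic the repository; only the API key and the password are the values from the challenge, the surrounding code is invented.

```python
"""Hard-coded credential scanner (added example, not the challenge's own code).

Finds `<name> = "<value>"` / `<name>: "<value>"` where the name contains
api_key / password / secret / token, then reports the value if it is either
high-entropy (random-looking, like an API key) or reversible Base64 (like a
password someone mistook for a hash).
"""
import base64
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, NOT the real Login Page.js; key and password from the write-up.
SAMPLE_JS = '''
const API_KEY = "aJFRaLHjMXvYZgLPwiJkroYLGRkNBW";
function login(user) {
  // "hashed" password -- actually just Base64, which is reversible
  const password = "UGljYXNzb0JhZ3VldHRlOTk=";
  return fetch("/api/login", {headers: {"X-Api-Key": API_KEY}});
}
const DEBUG = false;
'''

# Identifier containing a secret-ish keyword, an assignment, then a quoted literal
# of at least 8 chars (short literals are usually placeholders, not secrets).
SECRET_ASSIGN = re.compile(
    r'(?P<name>[\w.]*(?:api[_-]?key|password|passwd|secret|token)[\w.]*)'
    r'\s*[:=]\s*["\'](?P<value>[^"\']{8,})["\']',
    re.IGNORECASE,
)
BASE64_RE = re.compile(r'^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$')


@dataclass
class Finding:
    line: int
    name: str
    value: str
    entropy: float
    decoded: Optional[str]  # plaintext if the value was reversible Base64, else None


def shannon_entropy(s: str) -> float:
    """Bits per character; random API keys sit around 4+, English words around 3."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def try_base64(value: str) -> Optional[str]:
    """Decode only if the value is well-formed Base64 that yields printable ASCII."""
    if len(value) % 4 or not BASE64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text.isprintable() else None


def scan(source: str, min_entropy: float = 3.5) -> List[Finding]:
    """Return secret-looking assignments in `source`; Base64 values come back decoded."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in SECRET_ASSIGN.finditer(line):
            value = m.group("value")
            decoded = try_base64(value)
            entropy = shannon_entropy(value)
            # A decodable Base64 blob is reported even if its entropy is low.
            if decoded is not None or entropy >= min_entropy:
                findings.append(Finding(lineno, m.group("name"), value, round(entropy, 2), decoded))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_JS):
        shown = f"{f.value}  ->  {f.decoded}" if f.decoded else f.value
        print(f"line {f.line}: {f.name} = {shown} (entropy {f.entropy})")
```

Run against a checkout (`git ls-files | xargs cat`) this reports both the API key and the decoded password; a pre-commit hook built on the same idea would have stopped the insider’s commit. The entropy threshold is deliberately separate from the Base64 check: a Base64-encoded dictionary word has low entropy but is still a plaintext credential once decoded.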

Q3-
File -> Github.txt:
What cryptocurrency mining tool did the insider use?

  • Check the other repositories; one of them is a fork of xmrig, the open-source Monero miner that is legitimate software but is the tool most commonly dropped in cryptojacking intrusions:
THE Answer : XMRig

Q4-What university did the insider go to?

  • We need another social media account belonging to the insider, such as LinkedIn or Instagram. To find one, I simply searched Google for the GitHub username:
  • Open the LinkedIn profile and you will see the university name:
THE Answer : Sorbonne

Q5-What gaming website the insider had an account on?

  • In the same LinkedIn profile (image above) you can see Steam, a gaming website, so the answer is:
THE Answer : Steam

Q6-What is the link to the insider Instagram profile?

  • Open the insider’s Instagram profile and copy the link from the address bar:
THE Answer : https://www.instagram.com/emarseille99/

Q7-Where did the insider go on the holiday? (Country only)

  • Check the Instagram photos, in particular this one:
  • To find which country the photo was taken in, run a reverse image search on it; the results name the country:
THE Answer : Singapore

Q8-Where is the insider’s family live? (City only)

  • I checked the other Instagram photos and found these:
  • Seeing the UAE flag and the Burj Khalifa, I was sure the city is Dubai.
THE Answer : Dubai

Q9-File -> office.jpg:
You have been provided with a picture of the building in which the company has an office. Which city is the company located in?

  • The JPG provided in the challenge files shows the Hippodrome Theatre; searching Google Maps for “Hippodrome Theatre” gives the city:
THE Answer : Birmingham

Q10-File -> Webcam.png:
With the intel you have provided, our ground surveillance unit is now overlooking the person of interest’s suspected address. They saw them leaving their apartment and followed them to the airport. Their plane took off and has landed in another country. Our intelligence team spotted the target with this IP camera. Which state is this camera in?

  • I opened Webcam.png (provided in the challenge files) and noticed this caption:
  • So I searched Google for that caption (EarthCam “a view from the dome”).
  • The camera is at the University of Notre Dame; look up the university’s location and you have the state:
THE Answer : Indiana

THE END
