CyberDefenders: L’espion

You have been tasked by a client whose network was compromised and brought offline to investigate the incident and determine the attacker's identity. Incident responders and digital forensic investigators are currently on the scene and have conducted a preliminary investigation. Their findings show that the attack originated from a single user account, probably an insider. Investigate the incident, find the insider, and uncover the attack actions.

Information

Category: L’espion

Files: c54-Lespion.zip 1.2 MB
— Github.txt 32 b
— office.jpg 145 KB
— WebCam.png 1.1 MB

My Recommendations

Download it from CyberDefenders and verify its SHA1 hash:

sha1sum /path/to/c54-Lespion.zip

SHA1: 733252e85d86a8abc3417fd9dd70a3a71b3f2d90


This is my personal preference: I like being organized and deleting a folder when I’m done with it.

mkdir Documents/CyberDefenders/espion && cd Documents/CyberDefenders/espion

One of the best techniques for narrowing search results is Google Dorking; this is a useful cheatsheet.

This section is relatively easy and can be solved quickly. The OSINT Framework is a reliable and user-friendly tool to help you with OSINT.

I relied on Google for the majority of the challenge, but Bing was the only search engine to solve question 10. It’s best to have a couple of search engines open to maximize your reach.

Walkthrough

1. What is the API key the insider added to his GitHub repositories?

File: Github.txt

The file contains a link to the repository. The only repository EMarseille99 didn’t fork is ‘Project-Build—Custom-Login-Page’. The first line of Login Page.js contains the API key:

Answer: aJFRaLHjMXvYZgLPwiJkroYLGRkNBW

2. What is the plaintext password the insider added to his GitHub repositories?

File: Github.txt

In the same file, ‘Login Page.js’, the insider included a Base64 encoded password:

It decodes to PicassoBaguette99.

Answer: PicassoBaguette99
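Questions 1 and 2 both come down to credentials committed to source: a raw API key and a Base64-encoded password. As an added example (not from the original write-up or the insider’s repository), the scanner below flags exactly those two patterns, high-entropy string literals and Base64 literals that decode to printable text, over a constructed stand-in for ‘Login Page.js’; the sample file contents, the regex and the entropy threshold are assumptions.

```python
import base64
import math
import re
from collections import Counter

# Constructed stand-in for the insider's 'Login Page.js' (the real file is not on this page).
# The key and the Base64 password are the two values the walkthrough recovers.
SAMPLE_SOURCE = """\
const apiKey = "aJFRaLHjMXvYZgLPwiJkroYLGRkNBW";
const adminPassword = atob("UGljYXNzb0JhZ3VldHRlOTk=");
const greeting = "Welcome to the custom login page";
"""

# Double-quoted literals of 16+ characters drawn from the Base64 / token alphabet.
TOKEN_RE = re.compile(r'"([A-Za-z0-9+/=_-]{16,})"')


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score far above English words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def decode_if_base64(token: str):
    """Return the decoded text if `token` is strict Base64 that decodes to printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error (bad padding / alphabet) is a ValueError subclass
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def scan_source(text: str, entropy_threshold: float = 3.5):
    """Return (line number, finding type, value) for each suspicious string literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for token in TOKEN_RE.findall(line):
            decoded = decode_if_base64(token)
            if decoded is not None:
                findings.append((lineno, "base64-encoded string", decoded))
            elif shannon_entropy(token) >= entropy_threshold:
                findings.append((lineno, "high-entropy string", token))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {value}")
```

Run as a pre-commit hook this catches both of the insider’s mistakes before they reach a public repository; the Base64 check matters because encoding is not encryption and a plain entropy filter would miss a short password.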

3. What cryptocurrency mining tool did the insider use?

File: Github.txt

The insider forked the xmrig repository, which is a cryptocurrency mining tool:

Answer: xmrig

4. What university did the insider go to?

According to her GitHub profile, Emilie Marseille works at Software Consultants Inc. Searching for these terms returns Emilie’s LinkedIn page. She studied at the Sorbonne in Paris:

Answer: Sorbonne

5. What gaming website did the insider have an account on?

Using Sherlock:

python3 sherlock.py EMarseille99

The only gaming website in the results is Steam Community.

Answer: Steam

6. What is the link to the insider Instagram profile?

Googling EMarseille99, one of the first matches is an Instagram page for Emilie Marseille. The profile picture is the same as the GitHub profile picture:

Answer: https://www.instagram.com/emarseille99

7. Where did the insider go on holiday? (Country only)

The insider posted a picture with the caption ‘Once in a lifetime holiday here, love me some slings x’:

There is no need for a reverse image search, as the building is part of the Gardens by the Bay park in Singapore.

Answer: Singapore

8. Where does the insider's family live? (City only)

Emilie posted two photos relating to a visit to family and friends:

In the second photo, we can see the Burj Khalifa, which is located in Dubai.

Answer: Dubai

9. You have been provided with a picture of the building in which the company has an office. Which city is the company located in?

File: office.jpg

This is the image:

The ODEON sign is a giveaway that it’s in the United Kingdom. Searching Google for ‘Alexandra Theater UK’ returns an address in Birmingham.

Answer: Birmingham

10. With the intel you have provided, our ground surveillance unit is now overlooking the person of interest's suspected address. They saw them leaving their apartment and followed them to the airport. Their plane took off and has landed in another country. Our intelligence team spotted the target with this IP camera. Which state is this camera in?

File: WebCam.png

The Image:

Given the ‘EarthCam’ watermark, we can head to the EarthCam website and perform an advanced search.

The question specifically asks which ‘state’ the camera is in. Although many countries have states, this phrasing is most commonly used when referring to the United States. We can thus create a search with the following filters:
Country: United States
States: ALL
Subcategories: Campus Views

The first camera returned is the one at the University of Notre Dame, which shows the same view.

Answer: Indiana
