CyberDefender - L'espion

Challenge: https://cyberdefenders.org/blueteam-ctf-challenges/73

Scenario

You, as a SOC analyst, have been tasked by a client whose network was compromised and brought offline to investigate the incident and determine the attacker's identity.

Incident responders and digital forensic investigators are currently on the scene and have conducted a preliminary investigation. Their findings show that the attack originated from a single user account, probably an insider.

Investigate the incident, find the insider, and uncover the attack actions.

Tools

  • Google Maps
  • Google Image search
  • sherlock

==Q1==

File -> Github.txt: What is the API key the insider added to his GitHub repositories?

Recon

A direct keyword search on GitHub finds it right away. (screenshot omitted)

:::spoiler Flag Flag: aJFRaLHjMXvYZgLPwiJkroYLGRkNBW :::

==Q2==

File -> Github.txt: What is the plaintext password the insider added to his GitHub repositories?

Exploit

Same as the previous question, searching through the repositories slowly; eventually I found a base64-encoded password. (screenshot omitted)

```python
>>> from base64 import b64decode
>>> b64decode(b'UGljYXNzb0JhZ3VldHRlOTk=')
b'PicassoBaguette99'
```

:::spoiler Flag Flag: PicassoBaguette99 :::
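A defender's complement to the manual GitHub search in Q1 and Q2, added here as an example and not part of the original writeup: a small scanner that flags high-entropy tokens and base64 strings that decode to printable text, run over constructed sample lines containing the two values found above. The 4.0-bit entropy threshold and the sample text are assumptions.

```python
import base64
import math
import re
from collections import Counter

# Constructed sample of repository text, modelled on the two leaks this
# writeup found by hand: the API key from Q1 and the base64 password from Q2.
SAMPLE = """\
api_key = "aJFRaLHjMXvYZgLPwiJkroYLGRkNBW"
db_pass = "UGljYXNzb0JhZ3VldHRlOTk="
project_name = "marseille-backend"
"""

# Candidate secrets: runs of 16+ characters from the usual key/base64 alphabets.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{16,}")
ENTROPY_THRESHOLD = 4.0   # bits per character; assumed cut-off, tune per repo


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, ordinary words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def decode_if_base64(token: str):
    """Return the plaintext if token is canonical base64 of printable ASCII."""
    if len(token) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    if not raw.isascii() or not raw.decode("ascii").isprintable():
        return None
    return raw.decode("ascii")


def scan_for_secrets(text: str):
    """Return (line_no, kind, token, decoded) for each suspicious token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for token in TOKEN_RE.findall(line):
            decoded = decode_if_base64(token)
            if decoded is not None:
                findings.append((line_no, "base64", token, decoded))
            elif shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high-entropy", token, None))
    return findings


if __name__ == "__main__":
    print(*scan_for_secrets(SAMPLE), sep="\n")
```

The benign `marseille-backend` line is left alone: it is neither valid base64 nor random enough to cross the threshold.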

==Q3==

File -> Github.txt: What is the plaintext password the insider added to his GitHub repositories?

Recon

Like Q1, a direct keyword search. (screenshot omitted)

:::spoiler Flag Flag: xmrig :::

==Q4==

What university did the insider go to?

Recon

After reading the first hint, I realised LinkedIn can be used to find the university.

:::spoiler Flag Flag: Sorbonne :::

==Q5==

What gaming website the insider had an account on?

Exploit

This one is pure guesswork: the answer is Steam. But as of today (2023/11/06) the account has already disappeared, so even sherlock will not find it.

```
$ conda create --name sherlock python=3.10 -y
$ conda activate sherlock
$ pip install -r requirements.txt
$ python sherlock/sherlock.py EMarseille99
[*] Checking username EMarseille99 on:

[+] CNET: https://www.cnet.com/profiles/EMarseille99/
[+] Dealabs: https://www.dealabs.com/profile/EMarseille99
[+] G2G: https://www.g2g.com/EMarseille99
[+] GitHub: https://www.github.com/EMarseille99
[+] Lolchess: https://lolchess.gg/profile/na/EMarseille99
[+] Twitter: https://twitter.com/EMarseille99
[+] Virgool: https://virgool.io/@EMarseille99
[+] Whonix Forum: https://forums.whonix.org/u/EMarseille99/summary
[+] metacritic: https://www.metacritic.com/user/EMarseille99

[*] Search completed with 9 results
```

:::spoiler Flag Flag: steam :::

==Q6==

What is the link to the insider Instagram profile?

Recon

A direct Google search for: Émilie Marseille

:::spoiler Flag Flag: https://www.instagram.com/emarseille99/ :::

==Q7==

Where did the insider go on the holiday? (Country only)

Recon

Look at the Instagram posts directly and run the photo through image search; it turns out to be the Marina Bay Sands hotel in Singapore. (screenshot omitted)

:::spoiler Flag Flag: Singapore :::

==Q8==

Where does the insider's family live? (City only)

Recon

Start by looking at IG post 1 and IG post 2. (screenshots omitted)

Exploit

In the first picture a flag is faintly visible; it could be Jordan, Palestine or the United Arab Emirates, since those three flags look very alike. In the second picture there is a tall tower, almost certainly the Burj Khalifa, which also matches the country (United Arab Emirates).

:::spoiler Flag Flag: Dubai :::

==Q9==

File -> office.jpg: You have been provided with a picture of the building in which the company has an office. Which city is the company located in?

Recon

A direct search for "Hippodrome Theatre Chinese Quarter" shows it is in Birmingham, UK.

:::spoiler Flag Flag: Birmingham :::

==Q10==

File -> Webcam.png: With the intel you have provided, our ground surveillance unit is now overlooking the person of interest's suspected address. They saw them leaving their apartment and followed them to the airport. Their plane took off and has landed in another country. Our intelligence team spotted the target with this IP camera. Which state is this camera in?

Recon

Drop the image into image search and it comes back as the University of Notre Dame, which is in Indiana.

:::spoiler Flag Flag: INDIANA :::