Lespion Lab

CyberDefenders Threat Intel Lab

You have been tasked by a client whose network was compromised and brought offline to investigate the incident and determine the attacker’s identity.

Incident responders and digital forensic investigators are currently on the scene and have conducted a preliminary investigation. Their findings show that the attack originated from a single user account, probably, an insider. Investigate the incident, find the insider, and uncover the attack actions.

Question 1

File -> Github.txt: What API key did the insider add to his GitHub repositories?

Answer 1

After looking at a couple of the projects, the “Custom-Login-Page” repository turned out to contain an exposed API key that looked quite suspicious.


Question 2

File -> Github.txt: What plaintext password did the insider add to his GitHub repositories?

Answer 2

Scrolling further down in the page, you can find a password stored in base64. It can be decoded in seconds, but do it locally (for example with `base64 -d`) rather than pasting a recovered credential into an online decoder, which would leak it to a third party.

Password (base64): UGljYXNzb0JhZ3VldHRlOTk=
Decoded: PicassoBaguette99
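The two findings above (a hard-coded API key and a base64-encoded password) are exactly what a small secret scanner catches automatically. The following script is an added example, not part of the lab files or the original write-up: it scans a text dump for assignments to secret-looking variable names, keeps values that are either high-entropy or valid base64, and decodes the base64 ones. The sample input is constructed; only the base64 password is taken from the walkthrough, the API key value is invented.

```python
"""Scan a dump of repository text for leaked credentials.

Added example for this walkthrough (not part of the lab files or the
original post). It looks for assignments to secret-looking names, keeps
values that are high-entropy or valid base64, and decodes the base64
ones, which is how the insider's password was recovered.
"""
import base64
import math
import re
import string

# Constructed sample standing in for Github.txt; the API key value is made up,
# the base64 password is the one from the walkthrough.
SAMPLE = """\
# Custom-Login-Page/config.js
const apiKey = "x7Qp2LmN9vRtY4sWzK1bH8cJ3dF6gE0a";
const port = 8080;
# Custom-Login-Page/README.md
Default admin password: UGljYXNzb0JhZ3VldHRlOTk=
username = admin
"""

# name = value / name: value, where name is something a secret gets stored under
ASSIGN_RE = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|passwd|password|pwd)\b\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{8,})"
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random keys score well above plain words."""
    n = len(value)
    counts = {c: value.count(c) for c in set(value)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def try_base64(value: str):
    """Return the decoded text if value is valid base64 that decodes to printable ASCII, else None."""
    if len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return decoded if decoded and all(c in PRINTABLE for c in decoded) else None


def scan(text: str, min_entropy: float = 3.0):
    """Return (line_no, name, value, decoded) for each suspicious assignment in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            name, value = m.group(1), m.group(2)
            decoded = try_base64(value)
            if decoded is None and shannon_entropy(value) < min_entropy:
                continue  # low-entropy, non-base64 value: probably a placeholder
            findings.append((line_no, name.lower(), value, decoded))
    return findings


if __name__ == "__main__":
    for line_no, name, value, decoded in scan(SAMPLE):
        note = f" -> decodes to {decoded!r}" if decoded else ""
        print(f"line {line_no}: {name} = {value}{note}")
```

Run it against a real dump with `scan(open("Github.txt").read())`. The entropy threshold is a heuristic to suppress placeholders like `changeme`; the base64 branch deliberately bypasses it, because short encoded passwords can score low while still being real credentials.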

Question 3

File -> Github.txt: What cryptocurrency mining tool did the insider use?

Answer 3

Searching through the other repositories yields the answer: xmrig, an open-source Monero (XMR) miner commonly abused for cryptojacking.

Question 4

On which gaming website did the insider have an account?

Answer 4

The GitHub user reused the same unique username across multiple platforms; a search for it turned up a Steam account.

Question 5

What is the link to the insider Instagram profile?

Answer 5

From the same DuckDuckGo search for that username, you can easily find the insider's Instagram link.

Question 6

Which country did the insider visit on her holiday?

Answer 6

Looking further into the Instagram profile, I recognised Singapore as the insider's holiday destination.

Question 7

Which city does the insider family live in?

Answer 7

Some of the earlier photos on the insider's Instagram, along with a caption about their family, pointed me towards Dubai.

Question 8

File -> office.jpg: You have been provided with a picture of the building in which the company has an office. Which city is the company located in?

Answer 8

A quick search for some of the landmarks named on the signs led me to the answer: Birmingham.

Question 9

File -> Webcam.png: With the intel, you have provided, our ground surveillance unit is now overlooking the person of interest suspected address. They saw them leaving their apartment and followed them to the airport. Their plane took off and landed in another country. Our intelligence team spotted the target with this IP camera. Which state is this camera in?

Answer 9

A quick reverse image search on the provided EarthCam frame identified the camera's location as Indiana.

Lab complete!
