Prep for this challenge:

[File given in the challenge zip file]

The zip file contains 3 files: Github.txt, office.jpg and WebCam.png

The pic proof of the zip file content

[The Questions]

note: repo = repository (the term is quite long to type)

1. File -> Github.txt:
What is the API key the insider added to his GitHub repositories?

  • Open the Github.txt file, the target github page link is available there
The Github.txt content
  • Copy paste the URL and open it in your fav browser
The URL led to this page.
  • Go to Repositories tab and open the first repo there
As seen here, the first repo is a login page. Maybe there are hardcoded credentials in there, since it is a working repo
  • Open the Login Page.js, our answer is in the first line of the file

2. File -> Github.txt:
What is the plaintext password the insider added to his GitHub repositories?

  • Scroll through the LoginPage.js file until you find the password
It is not entirely plaintext: the target encoded it with base64. That’s the most common encoding in CTFs, to the point that people recognize it on sight
The result of the decode
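
Questions 1 and 2 both come down to secrets committed in a source file, one as a literal and one behind base64. From the defender's side, a pre-push check that catches both cases could look like this (an added example, not code from the challenge or the target repo; the name patterns, `SAMPLE_JS` and every value in it are constructed assumptions):

```python
import base64
import re

# Quoted literal assigned or compared to a secret-looking name (assumed naming patterns).
SECRET_NAME = re.compile(
    r"""(?i)\b([\w.]*(?:api[_-]?key|secret|token|passw(?:or)?d|pwd)\w*)"""
    r"""\s*(?:===?|[:=])\s*["']([^"']{6,})["']"""
)
# Any quoted literal made only of base64 alphabet characters.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{8,}={0,2})["']""")


def try_base64(value):
    """Return the decoded text if value is base64 of printable ASCII, else None."""
    if len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None


def scan(source):
    """Return (line_no, kind, name, decoded) for each suspected secret."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        named = SECRET_NAME.search(line)
        if named:
            findings.append((no, "hardcoded-secret", named.group(1), try_base64(named.group(2))))
            continue
        for literal in B64_LITERAL.findall(line):
            decoded = try_base64(literal)
            if decoded:
                findings.append((no, "base64-literal", None, decoded))
    return findings


# Constructed sample input; none of these values come from the challenge repo.
_ENCODED = base64.b64encode(b"Constructed-Pass1").decode()
SAMPLE_JS = f'''var API_KEY = "EXAMPLE-KEY-0000-CONSTRUCTED";
function validate(username, password) {{
  if (username == "demo_user" && password == "{_ENCODED}") {{ return true; }}
  var backup = "{_ENCODED}";
}}
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE_JS):
        print(finding)
```

The base64 check is a heuristic, so a short ordinary word can occasionally decode to printable text and produce a false positive.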

3. File -> Github.txt:
What cryptocurrency mining tool did the insider use?

  • Search the word “mine” in the target’s repo
The result of the search

4. What university did the insider go to?

For this challenge, we will use the “sherlock” tool to search the name across multiple social media sites. I will use this tool on Kali Linux since the download is straightforward.

Tip: open the Readme.md file after you git clone the repo; it explains how to install the tool and how to use it.

  • Use the “sherlock” tool to search EMarseille99
There are 2 interesting links here, the Facebook one and the Instagram one
  • Open the interesting link and see if got any information
The Facebook one is not very useful here
The Instagram however, we got the full name of the target which is Émilie Marseille
  • Search Émilie Marseille on Google
As seen here, the search shows that the target has a LinkedIn account
  • Open the LinkedIn profile and browse through the education section
As seen here, the target’s alma mater would be Sorbonne University which is the flag for this question

5. What gaming website the insider had an account on?

  • As seen before, no gaming-related website shows up when we use EMarseille99, but on Instagram there is a new username, emarseille99. Let's try searching that on sherlock.
The new username location on target’s Instagram page
The sherlock search result. Kinda the same as the previous one.
This is the result of the search. As seen here, the target has a Steam account; kinda weird that sherlock didn’t catch this

6. What is the link to the insider Instagram profile?

  • Open back the Instagram profile gathered earlier and copy the URL as the answer
The location for this question’s answer

7. Where did the insider go on the holiday? (Country only)

  • Browse through the target’s Instagram account
We can see a picture of Marina Bay, Singapore in the post. The answer here would be Singapore

> If you don’t know the place (I am from Malaysia, so unfair advantage for me)

  • Use any search engine reverse image search and search the picture. I use Google Image Search
The result of the search, we can see that this building is in Singapore

8. Where is the insider’s family live? (City only)

  • Browse through the target’s Instagram until you get to this pic
This skyscraper looks like Burj Khalifa, let us confirm that by reverse image search this image
  • Reverse image search the image and crop on the skyscraper
My gut instinct is correct, it is Burj Khalifa
  • Open the google search for Burj Khalifa to confirm the city of the family’s location
The city here would be Dubai

9. File -> office.jpg:
You have been provided with a picture of the building in which the company has an office. Which city is the company located in?

  • Open office.jpg and check whether there is any landmark usable for geolocation
This is office.jpg
  • Use the Reverse Image Search extension and search with all the search engines
How to use it: just right-click the picture and choose the Reverse image search option
This is the result for Google. Straight away got the place
This is for Bing: nope, it didn’t get the place, but it did OCR (extract text from the pic)
Yandex also got the place, but the search engine shows London as the first result, kinda confusing
Tineye doesn’t get any result sadly

10. File -> Webcam.png:
With the intel, you have provided, our ground surveillance unit is now overlooking the person of interest’s suspected address. They saw them leaving their apartment and followed them to the airport. Their plane took off and has landed in another country. Our intelligence team spotted the target with this IP camera. Which state is this camera in?

  • Open Webcam.png pic
This is the Webcam.png
  • Use the Reverse Image Search extension and search with all the search engines
This is the result for Google, the search engine straight outputs Creighton University which is in Nebraska (not our answer)
It still got the answer, but the first result makes it confusing
Bing got it first try
Yandex also got it first try
Tineye got nothing

This room covers username searching, GitHub searching and IMINT (reverse image searching a pic)

I covered IMINT quite extensively in my previous post here, so feel free to check it out if you want to learn more:

Thank you for taking your time to read this post and have a great day :)

Written by finx

a Malaysian cybersec lifelong student that uses this blog to document anything infosec related (mainly OSINT)