# L'espion Blue Team Lab

:::success
https://cyberdefenders.org/blueteam-ctf-challenges/73#nav-questions
:::

:::info
You, as a SOC analyst, have been tasked by a client whose network was compromised and brought offline to investigate the incident and determine the attacker's identity. Incident responders and digital forensic investigators are currently on the scene and have conducted a preliminary investigation. Their findings show that the attack originated from a single user account, probably an insider. Investigate the incident, find the insider, and uncover the attack actions.
:::

#### 1. File -> Github.txt. What is the API key the insider added to his GitHub repositories?

```
aJFRaLHjMXvYZgLPwiJkroYLGRkNBW
```

![Screenshot 2024-01-19 3.10.40 PM](https://hackmd.io/_uploads/HJA_gsvYa.jpg)

#### 2. File -> Github.txt. What is the plaintext password the insider added to his GitHub repositories?

```
PicassoBaguette99
```

![Screenshot 2024-01-19 3.12.19 PM](https://hackmd.io/_uploads/rkL1WiPKp.jpg)
![Screenshot 2024-01-19 3.12.57 PM](https://hackmd.io/_uploads/BktWbjDt6.jpg)

#### 3. File -> Github.txt. What cryptocurrency mining tool did the insider use?

```
xmrig
```

![Screenshot 2024-01-19 3.15.20 PM](https://hackmd.io/_uploads/SJU9bjwta.jpg)

#### 4. What university did the insider go to?

```
Sorbonne
```

The LinkedIn profile lists Sorbonne University.

![Screenshot 2024-01-19 3.24.31 PM](https://hackmd.io/_uploads/HkC2XiPYp.jpg)

#### 5. What gaming website did the insider have an account on?

```
steam
```

The QR code on the Instagram account is a Steam friend invite.

![Screenshot 2024-01-19 3.25.38 PM](https://hackmd.io/_uploads/BkgWNiPYa.jpg)

#### 6. What is the link to the insider's Instagram profile?

```
https://www.instagram.com/emarseille99/
```

![Screenshot 2024-01-19 3.32.39 PM](https://hackmd.io/_uploads/SyQiSsDF6.jpg)

#### 7. Where did the insider go on the holiday? (Country only)

```
Singapore
```

The photo shows that it is Singapore.

![Screenshot 2024-01-19 3.33.44 PM](https://hackmd.io/_uploads/Syry8iwtT.jpg)

#### 8. Where does the insider's family live? (City only)

```
Dubai
```

A Google reverse image search shows that it is in Dubai.

![Screenshot 2024-01-19 3.35.00 PM](https://hackmd.io/_uploads/rkZV8jwFp.jpg)
![Screenshot 2024-01-19 3.36.06 PM](https://hackmd.io/_uploads/BkEdLiDFp.jpg)

#### 9. File -> office.jpg. You have been provided with a picture of the building in which the company has an office. Which city is the company located in?

```
Birmingham
```

A Google reverse image search shows that it is in Birmingham.

![Screenshot 2024-01-19 3.41.11 PM](https://hackmd.io/_uploads/SyUowswYp.jpg)

#### 10. File -> Webcam.png. With the intel you have provided, our ground surveillance unit is now overlooking the person of interest's suspected address. They saw them leaving their apartment and followed them to the airport. Their plane took off and has landed in another country. Our intelligence team spotted the target with this IP camera. Which state is this camera in?

```
Indiana
```

A Google reverse image search shows that it is the University of Notre Dame, which is in Indiana.

![Screenshot 2024-01-19 3.42.24 PM](https://hackmd.io/_uploads/rJ01dswKa.jpg)