CyberDefenders.org — L’espion Blue Team Lab Walkthrough

OSINT investigation with Google and Sherlock

Drew Arpino
10 min read · Apr 28, 2024
Image Credit: https://cyberdefenders.org/blueteam-ctf-challenges/lespion/

Introduction:

Welcome to my weekly walkthrough! Have you ever wondered about using passive Open-Source Intelligence (OSINT) to investigate a potentially malicious insider? Well we’re about to do just that by tackling the L’espion Blue Team Lab on CyberDefenders.

This is a threat intelligence challenge requiring us defenders to investigate an incident using passive open-source intelligence (OSINT) to determine the details of the attacker’s identity.

Now what is OSINT anyway? According to the SANS Institute:

Open-Source Intelligence (OSINT) is defined as intelligence produced by collecting, evaluating and analyzing publicly available information with the purpose of answering a specific intelligence question.

So, whether you’re here to learn about OSINT or are just looking for a reference walkthrough for the CyberDefenders L’espion Blue Team Lab, you’ve stumbled on the right spot. In the spirit of learning, I will not be revealing any flags, but I encourage you to follow along during your own investigation and reference this post if you get stuck.

Thanks for reading along, let’s have some fun!

Challenge Link: https://cyberdefenders.org/blueteam-ctf-challenges/lespion/

Challenge Scenario:

You, as a SOC analyst, have been tasked by a client whose network was compromised and brought offline to investigate the incident and determine the attacker’s identity.

Incident responders and digital forensic investigators are currently on the scene and have conducted a preliminary investigation. Their findings show that the attack originated from a single user account, probably an insider.

Investigate the incident, find the insider, and uncover the attack actions.

Tools

Google Maps

Google Image search

sherlock

Set up the REMnux Analysis Environment & Extract the challenge file:

Safety first — It’s always a good idea when working with lab/challenge files from CyberDefenders (or any lab/challenge/range) to keep yourself safe by performing these tasks in a dedicated, isolated virtual machine. For example, I’m using REMnux for this challenge and walkthrough.

To keep this write-up focused I’m going to skip a step-by-step setup guide of REMnux. Instead, if you want to set up your own REMnux environment please follow the directions provided by REMnux directly. I opted for the virtual appliance method:

https://docs.remnux.org/install-distro/get-virtual-appliance

Okay! Now that we have our virtual environment created, updated, isolated, and snapshotted, we can download and extract our challenge file and get started!

Question 1: File -> Github.txt: What is the API key the insider added to his GitHub repositories?

All right let’s dive right in and extract the challenge file!

Once we extract the challenge file, we’ll have a few pieces of evidence to review. Question 1 is pointing us to the Github.txt so let’s open it up and see what’s inside!

We have a GitHub URL to examine, so let’s start there, check out the page, and then navigate to the Repositories tab.

There are quite a few forked repositories from other, well-known cybersecurity projects but the top one sticks out as a working repository.

Now that we are in the repository, we have a couple of options — we can either browse the code from our browser or examine it locally. For this challenge, let’s clone this repository so that we can examine the JavaScript (.js) files and scan them for secrets within REMnux.

git clone https://github.com/EMarseille99/Project-Build---Custom-Login-Page.git

Let’s start simple and utilize the strings command so that we can search the code without executing it. To help narrow the results, let’s grep the output and filter only for a specific string. Since we are looking for an API key, we can just grep “API” — we’ll use the -i flag to ignore case.

Lucky for us, we found an exposed API key in the code. Let’s submit the answer to check our work:

Question 2: File -> Github.txt: What is the plaintext password the insider added to his GitHub repositories?

For Question 2, we’ll try the same approach that we did to locate the API Key. This time, we’ll search for “Password” instead of “API” to look for the credential.

Okay, we found a couple of strings; let’s focus on the bottom two. It looks like we have a complex password string: either the user generated a random password or we are looking at some sort of encoding. Fortunately, the last string says Base64, which gives us a clue that the string might be Base64 encoded.

Let’s verify this and see if we can take the password string and convert it from Base64 encoding.

To do this, we’ll just jump into CyberChef since it’s already built into REMnux (the online version works, too). Then, we’ll copy the string and apply the “From Base64” operation to the recipe:

Voila! We confirmed that the password string was Base64 encoded, and we can move forward with the investigation.
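The Question 1 and Question 2 workflow (search cloned source for credential-like strings without running it, then test whether a value is Base64) as a small added shell example; this is my illustration, not code from the challenge or the insider’s repository, and the .js file and its values are constructed here. Because the verifier environment may lack binutils, it uses grep -I over the source where the write-up pipes strings into grep.

```bash
#!/bin/sh
# Added example: the Q1/Q2 secret-hunting steps scripted. All values are made up.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed stand-in for a cloned login-page .js file (not the real repository).
cat > "$WORKDIR/login.js" <<'EOF'
const apiKey = "EXAMPLE-API-KEY-0000";
// stored password, Base64
const password = "U3VwZXJTZWNyZXQxMjMh";
EOF

# Case-insensitive search of text files only (-I skips binaries, like strings would),
# printing matching lines without file names (-h).
find_secret_lines() {
  # $1 = directory, $2 = keyword
  grep -rIhi -- "$2" "$1"
}

# Pull the first double-quoted value out of the first line that has one.
quoted_value() {
  sed -n 's/.*"\([^"]*\)".*/\1/p' | head -n 1
}

# Mirror the CyberChef "From Base64" check: decode only if the input is valid
# Base64 and the result is printable ASCII; otherwise return the value unchanged
# (a random-looking string may simply be a strong plaintext password).
decode_if_base64() {
  decoded="$(printf '%s' "$1" | base64 -d 2>/dev/null)" || { printf '%s\n' "$1"; return; }
  if printf '%s' "$decoded" | LC_ALL=C grep -q '[^ -~]'; then
    printf '%s\n' "$1"
  else
    printf '%s\n' "$decoded"
  fi
}

# Q1: the exposed API key.
api_key() { find_secret_lines "$WORKDIR" api | quoted_value; }

# Q2: the stored password, decoded from Base64 when it is encoded.
plaintext_password() {
  decode_if_base64 "$(find_secret_lines "$WORKDIR" password | quoted_value)"
}

printf 'API key:  %s\n' "$(api_key)"
printf 'Password: %s\n' "$(plaintext_password)"
```

The printable-ASCII check matters because many short random passwords are also syntactically valid Base64 and would otherwise "decode" to garbage.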

Question 3: File -> Github.txt: What cryptocurrency mining tool did the insider use?

This time, we will return to the user’s GitHub repositories to see if they have any cryptocurrency mining repositories forked. We’ll take the path of least resistance and use our browser’s find function and search “miner” to locate the answer.

Question 4: What university did the insider go to?

Okay, let’s pivot and move over to utilizing a search engine to find out more information about the insider. We’ll do a quick Google search for the username that we found on GitHub — EMarseille99.

Since we’re looking for professional information, let’s focus on checking LinkedIn first.

The profile picture and job title are a match, so we can be confident that we have discovered the right profile. More importantly for the scope of this challenge, the user has their university listed!

Question 5: What gaming website did the insider have an account on?

From the Google search in the previous question, I didn’t see any clear information that pointed us to a gaming website. So let’s try to expand our search scope a bit by utilizing one of the tools suggested in the challenge scenario — Sherlock.

According to the project’s GitHub page, Sherlock is a tool used to:

Hunt down social media accounts by username across social networks

After following the installation instructions, we’ll enter the username and see what open-source intelligence the tool can locate about the target:

python3 sherlock EMarseille99
The Sherlock results

Okay, let’s review the output from Sherlock. We see a couple of gaming-related websites here but none of the listed sites match what the challenge is looking for…

Side Note: For the walkthrough, we’re going to skip ahead to Question 6 for now. The process to find the answer for Question 5 is there, too.

Question 6: What is the link to the insider Instagram profile?

Since Sherlock didn’t turn up anything interesting for Instagram either, let’s double check the project’s documentation on GitHub to check if we misconfigured the scan. It turns out that there is a list of sites that have been removed from Sherlock’s scope due to false positives or errors and Instagram is one of them.

Image Credit: https://github.com/sherlock-project/sherlock/blob/master/removed_sites.md

That’s unfortunate, but no problem as we can pivot back to Google and focus our search on Instagram.

We’ll get several results, but the top result is a link to the user’s profile. If we copy the link, we will have the insider’s Instagram profile URL!

Now, let’s revisit Question 5 to discover what gaming website the user has a profile on. Let’s review our previous Google search where one of the results catches our eye and might help us to answer Question 5:

Once we click into the post, we can see that the user is inviting people to play games with them using a QR code link.

If we follow the URL in the QR code, we are taken to the user’s gaming profile, and we now have the answer to Question 5!

Question 7: Where did the insider go on the holiday? (Country only)

Let’s continue browsing the user’s Instagram posts to see if we can find any clues. Eventually, we stumble on this post — notice the comment on the photo which mentions a holiday?

Let’s take this photo and see if we can leverage Google reverse image search on https://images.google.com to determine where the photograph was taken.

Once we drop the photo into Google, we can quickly determine what country this location is in — very cool!

Question 8: Where does the insider’s family live? (City only)

Sticking with Instagram, we’ll continue reviewing the posts. We’ll find one post that mentions family.

If we try the Google image search as we did for the last question, however, we’ll find that the results are inconclusive. We probably need to keep looking, don’t we?

Did you notice that the post mentioned it was Photo 1/2? What if we check out the second photo? This one looks a little more distinctive. Let’s try the Google search again.

This time the results are much more specific! Let’s confirm our findings:

Question 9: File -> office.jpg: You have been provided with a picture of the building in which the company has an office. Which city is the company located in?

Okay, we’re closing in on the end of the investigation. This time we’re going to return to the evidence files that we downloaded for the challenge and focus on the image office.jpg.

Once we open the image, we can focus on the street sign which notes some nearby landmarks.

We can search any of these landmarks on Google to discover which city this image was taken in. For example, I chose the landmarks on the left-hand sign:

Question 10: File -> Webcam.png: With the intel you have provided, our ground surveillance unit is now overlooking the person of interest’s suspected address. They saw them leaving their apartment and followed them to the airport. Their plane took off and has landed in another country. Our intelligence team spotted the target with this IP camera. Which state is this camera in?

All right, we made it to the last question! Let’s determine where the target landed.

We’ll upload the evidence file, WebCam.png, into the Google image search one more time.

Right away, we’ll get several results with the name of the landmark — we simply need to Google that landmark to determine what state it is in!

Conclusion:

Excellent job with the investigation! We made it through the L’espion Blue Team Lab and collected valuable intelligence on the target.

To wrap this up, thank you to CyberDefenders for the entertaining lab and the opportunity to engage with the world of OSINT. The research process using Google and Sherlock was really interesting and got me thinking creatively while exploring just how much exposure a user might have online.

Thank you so much for reading along, too! I hope that you had as much fun as I did and learned something new. Until next week — stay curious!

Tools & References:

SANS: https://www.sans.org/blog/what-is-open-source-intelligence/

REMnux: https://docs.remnux.org/install-distro/get-virtual-appliance

CyberChef: https://gchq.github.io/CyberChef/

Sherlock: https://github.com/sherlock-project/sherlock

Google: https://images.google.com/
