Back to Archive
🔵 Blue Team
3 min read

Lespion

Investigate an insider threat by analyzing GitHub repositories for exposed credentials, using OSINT tools to correlate online accounts, and performing image analysis to identify locations.

2026-03-25
rwx4m@vault
#threat-intel#cyberdefenders#blue
View Challenge Room

Scenario

You have been tasked by a client whose network was compromised and brought offline to investigate the incident and determine the attacker's identity.

Incident responders and digital forensic investigators are currently on the scene and have conducted a preliminary investigation. Their findings show that the attack originated from a single user account, probably, an insider. Investigate the incident, find the insider, and uncover the attack actions.

Q1: What API key did the insider add to his GitHub repositories?

Melalui link github diketahui bahwa akun ini memiliki beberapa repository. Task meminta untuk mencari API KEY. Saya manfaatkan fitur search github untuk menelusuri isi repository akun tersebut. Disini saya mendapatkan Api key yang berkaitan dengan file "Login Page.js"

0

1 1a

Q2: What plaintext password did the insider add to his GitHub repositories

Password juga ditemukan pada file yang sama di "Login Page.js" yang menyebutkan bahwa ini adalah format base64. Kemudian melakukan decode menggunakan Cyberchef.

2

Q3: What cryptocurrency mining tool did the insider use?

Disini saya manfaatkan kembali fitur search Github dengan kata kunci "CRYPTO", saya menemukan beberapa yang terkait dengan "xmrig"

3 3a 3b 3c 3d 3e

Q4: On which gaming website did the insider have an account?

Menggunakan search engine untuk mencari nama akun yang terkait, saya temukan akun game yang bersangkutan di "steam". 44a

Q5: What is the link to the insider Instagram profile?

Masih menggunakan search engine, saya temukan lagi akun instagram yang bersifat publik. 55a

Q6: Which country did the insider visit on her holiday?

Menelusi postingan, saya menemukan foto yang jika di cari ini mengarah pada tempat yang berada di Singapore. Yang berarti ini adalah hasil foto dari yang bersangkutan saat berada disana. 66a

Q7: Which city does the insider family live in?

Masih menelusi file dari dalam akun instagram, di konfirmasi bahwa ini adalah tempat tinggal keluarganya di Dubai dengan memastikannya menggunakan image search 7 7a 7b

Q8: You have been provided with a picture of the building in which the company has an office. Which city is the company located in?

Pencarian ini bersangkutan dengan sebuah lokasi perkantoran yang dicocokan dengan hasil pencocokan gambar yang berada di singapore. 8

Q9: With the intel, you have provided, our ground surveillance unit is now overlooking the person of interest suspected address. They saw them leaving their apartment and followed them to the airport. Their plane took off and landed in another country. Our intelligence team spotted the target with this IP camera. Which state is this camera in?

Berdasarkan hasil pencocokan gambar, lokasi tersebut berada di Indiana, United States.

9 9a

cert

Share this writeup:Switch to classic view
Last updated: 2026-03-25
Previous
Yellow RAT
Next
Veriarty
Browse All Writeups