https://cyberdefenders.org/labs/73

Description

You have been tasked by a client whose network was compromised and brought offline to investigate the incident and determine the attacker's identity.

Incident responders and digital forensic investigators are currently on the scene and have conducted a preliminary investigation. Their findings show that the attack originated from a single user account, probably an insider.

Investigate the incident, find the insider, and uncover the attack actions.

Questions

1: File -> Github.txt: What is the API key the insider added to his GitHub repositories?

The Github.txt file links to a user page: https://github.com/EMarseille99

The first thing I'll do is take a look around. If they have a large number of repos with a large number of files, I might have to download it all and do some searching, or try some automated tools. But maybe I'll get lucky.

And I do. Top repo, top file:

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/336cfb22-5bf6-428f-8177-f5e3670df090/Untitled.png

aJFRaLHjMXvYZgLPwiJkroYLGRkNBW

2: File -> Github.txt: What is the plaintext password the insider added to his GitHub repositories?

This isn't much harder. Search for pass, and the same file gives:

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/50297f7a-4562-40fa-9157-ae705361fb75/Untitled.png

The value is stored encoded rather than in the clear; CyberChef can handle the rest and recover the plaintext.

PicassoBaguette99
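The "download it all and search" fallback from questions 1 and 2 is easy to script. The scanner below is an added example (not part of the original write-up and not a CyberDefenders tool): it runs the two checks a reviewer would apply to a cloned repository, a keyword match on assignments named like `api_key`/`password`, and a Shannon-entropy test for long opaque tokens that have no telling name. The repository contents are constructed inline; the API key is the one recovered above, the password value is a placeholder.

```python
import math
import re
from typing import Dict, List, Tuple

# Constructed sample "repository": what an insider's committed config might look like.
# The API key is the value from question 1; the password is a placeholder, not the real one.
SAMPLE_REPO: Dict[str, str] = {
    "app/config.py": (
        "API_KEY = 'aJFRaLHjMXvYZgLPwiJkroYLGRkNBW'\n"
        "DEBUG = True\n"
        "GREETING = 'hello world'\n"
        "db_password = 'PLACEHOLDER_pw'\n"
    ),
    "README.md": "Run `make test` before pushing.\n",
}

# Assignments whose name alone marks the value as sensitive (the "search for pass" step).
KEYWORD_RE = re.compile(
    r"(?i)(api[_-]?key|secret|token|pass(?:word|wd)?)\w*\s*[:=]\s*['\"]?([^'\"\s]+)"
)
# Long alphanumeric runs with no telling name: judged by entropy instead.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/=]{20,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; a random 30-char key scores well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path: str, text: str) -> List[Tuple[str, int, str, str]]:
    """Return (path, line_no, reason, value) for each suspicious assignment or token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = KEYWORD_RE.search(line)
        if m:
            findings.append((path, line_no, f"keyword:{m.group(1).lower()}", m.group(2)))
            continue  # already reported; skip the entropy rule for this line
        for tok in TOKEN_RE.findall(line):
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "high-entropy", tok))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Scan every file of an in-memory repository snapshot."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for path, line_no, reason, value in scan_repo(SAMPLE_REPO):
        print(f"{path}:{line_no} [{reason}] {value}")
```

Against a real clone, feed `scan_repo` a dict built by walking the checkout; both rules produce false positives (test fixtures, hashes), so treat hits as leads to confirm, as the manual search above did.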

3: File -> Github.txt: What cryptocurrency mining tool did the insider use?