L’espion CTF Writeup

Ali Alaa
5 min readJun 10, 2023

Hello dudes,
I hope to find you well.

This is Ali Alaa and this is L’espion writeup for CyberDefenders platform’s challenge.

This is a Threat Intel challenge and if you wanna find more about this topic you can try L’espion challenge.

So, lets start….

After I downloaded challenge’s zip file and extracted files , it contains 1 txt file and 2 photos. After opened txt file it contains github profile url =>
https://github.com/EMarseille99.

First Question: What is the API key the insider added to his GitHub repositories?

After browsed profile’s repositories I found all were forked from another repos and only one was created by user so, it may be the suspect repo.

Its name “Project-Build — -Custom-Login-Page” and contains 2 files
1- Login Page.js
2- fsociety.js

Github repo

Lets open these files in order,
I opened “Login Page.js” I found first line contains the API key

Login Page.js

Here we go, the answer is : aJFRaLHjMXvYZgLPwiJkroYLGRkNBW

Second Question: What is the plaintext password the insider added to his GitHub repositories?

JS file created for login page so, it may contains username and password.
I searched in file to found and creds used to login so, I found that file has username : EMarseille99 and password: UGljYXNzb0JhZ3VldHRlOTk= but it encrypted (base64).

Decode hash

I copied base64 hash and decoded it use base64decode.
After decoded hash I got this password : PicassoBaguette99

Here we go, the answer is : PicassoBaguette99

Third Question: What cryptocurrency mining tool did the insider use?

Here I found this repo is suspected one form its description there are clues like CryptoNight and Argon2 CPU/GPU miner.

xmrig repo

After browsed it Here what I found

README.md

It’s a 100% clue that it’s a crypto mining tool.

Here we go, the answer is : XMRig

Forth Question: What university did the insider go to?

Here I didn’t have any other info related to insider except github profile so, lets search for the main username.

A lot of users frequently used same username on other platforms.

After I searched for this username “emarseille99” I found Linkedin profile, lets navigate it..

Linkedin profile

Here we go, the answer is : Sorbonne

Fifth Question: What gaming website the insider had an account on?

I did search for username “emarseille99” before and I found also a Instagram profile,
lets navigate it..

I found a Qrcode photo with description “Add me for some games ;)

Qrcode post

so, lets scan this Qrcode ..
Url profile : https://qrgo.page.link/4k9hH

After open it in browser

Steam profile

Here we go, the answer is : Steam

Sixth Question: What is the link to the insider Instagram profile?

I got this url profile from previous search.

Google result

Here we go, the answer is : https://www.instagram.com/emarseille99/

Seventh Question: Where did the insider go on the holiday? (Country only)

I found a photo from this country with description “Once in a lifetime holiday here, love me some slings x”.

This is a country where insider go there for holiday…

Country landmark post

I used google lens service to search for this landmark and I found

Google lens result

Here we go, the answer is : Singapore

Eighth Question: Where is the insider’s family live? (City only)

From Instagram profile I found 2 photos first one with description “Nice to meet friends & family Photo 1/2” which contains villa with UAE flage and second one for burj khalifa which I know it’s in Dubai.

Dubai’s villas

Here we go, the answer is : Dubai

Ninth Question: You have been provided with a picture of the building in which the company has an office. Which city is the company located in?

I used google lens service to search for this landmark and I found

Result

I saw that 2 landmarks are matching and from this post with highlight it tells me that this landmark is in “Birmingham”.

Here we go, the answer is : Birmingham

Tenth Questions: With the intel, you have provided, our ground surveillance unit is now overlooking the person of interest’s suspected address. They saw them leaving their apartment and followed them to the airport. Their plane took off and has landed in another country. Our intelligence team spotted the target with this IP camera. Which state is this camera in?

I used google lens service to search for this landmark and I found it belongs to University of Notre Dame so, I searched to know where this university located in which state ?

State

Here we go, the answer is : Indiana

At the end ,
I hope you enjoyed this writeup ❤️.

Stay in touch

LinkedIn

--

--