0%

The Insider Threat CTF (1)

May 3, 2023 - CTF
Back

Welcome to The Insider Threat. An OSINT CTF to gather intelligence on a missing person that carried out a cyberattack on the organisation they were working at.

This CTF has been provided by bushidotoken.net and is based on real life investigations.

The back story is that we have been tasked by a client whose network has been compromised and taken offline. Incident responders and digital forensic investigators are currently on the scene and have conducted a preliminary investigation. Their findings show how the attack was orchestrated from one user account at the company, meaning this was an insider threat.

The client has alerted the authorities, which are currently too busy to help at this time. The client has come to us asking for help to find the malicious employee who has since disappeared.

 

As a starting point we have been supplied with the employees GitHub account https://github.com/EMarseille99 and need to find out as much as we can from this information.

 

Task 1

Find out more information about the person of interests GitHub account.

 

[Question?] What is their API key?

This one’s pretty simple. Connecting to, and reading through some of the early code that user EMarseille99 has committed to their GitHub will provide us with this answer.

Click here for the answer
Connect to https://github.com/EMarseille99 and change the year of contribution activity to 2020. Here you will see their first repository which was created on May 23, 2020.

If you click on the project link Project-Build—Custom-Login-Page and then open the Login Page.js file you will identify the API on line 1 in the JS code.

 

The answer to this question is API Key = aJFRaLHjMXvYZgLPwiJkroYLGRkNBW

 

[Question?] What is their real name, job role, company and university?

A quick glance over the users GitHub profile shows a company name and a generic location of EU (European Union). I did some initial searching on Linkedin as this is the type of information provided there, but I had issues filtering my requirements by location and company name to get actionable results.

In the end I still focused on Linkedin, but this time carried out my search filtering direct through Google Dorks.

Click here for the answer
From Google I searched for the following inurl:linkedin.com EMarseille99

This time I get some focussed results from fr.linkedin.com which points to Émilie Marseille – Back End Developer – Self Employed so I think we’re on the right track.

From this we have indicators that this is a good match. We have matches with the profile image, the name compared to the GitHub account name, She’s obviously in the EU and her title is a Back End Developer.

I think based on the information obtained from the Linkedin profile, correlated with her Github account, we can answer the questions as follows.

Full name = Émilie Marseille

Job role = Back End Developer

Company = Currently self employed, but as per her GitHub and Linkedin comments it was Software Consultants Inc

University = Sorbonne Université

 

[Question?] What is their username and plaintext password?

Again, by reviewing the code in Login Page.js we can abstract useful information to answer this question.

Click here for the answer
On line 46 of the JS code, the username is displayed in clear text.

So the username is EMarseille99

For the password, we can see this defined on line 58 as UGljYXNzb0JhZ3VldHRlOTk= and for those who are unsure, the next line also clarifies that this is actually encoded using base64. There are a number of ways we can decode this to the plaintext password. We can use an online tool such as CyberChef, or we can even do this from the command line in a terminal.

For CyberChef, go to https://gchq.github.io/CyberChef/ and use the recipe “From base64. Add the base64 string as the input and our decoded text will appear in the output.

We can also do this from the command line (I’m on Mac OS) by typing > echo ‘UGljYXNzb0JhZ3VldHRlOTk=’ | base64 -D and this will also return the decoded text on the next line.

So the plaintext password and answer to this second part of this question is PicassoBaguette99

 

Task 2

Looking at their GitHub account, what hacking tools did the person of interest use on company PCs?

 

Before starting this question, it’s good to just review and get familiar with the repositories and tools that Emilie  has forked. While these aren’t proof that these tools were used by her as part of the incident being investigated, we can make assumptions that each of these tools served a purposed in part of this fictitious CTF.

 

(Some of) The Tools:

 

QuasarRAT
Quasar is a fast and light-weight remote administration tool (RAT) coded in C#. Quasar can be used to access Task Manager, Registry Editor, manage files and startup items, download/upload and execute files, access system information, run various computer commands, log keystrokes, steal passwords and access files stored on the computer.

 

Empire
Empire 3 is a post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent, and compatibility with Python 3.x Linux/OS X agents. It is the merger of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and flexible architecture. Basically, Empire is a tool that is similar to Metasploit but specific to PowerShell. It allows you to run PowerShell scripts in memory and make a connection back to your machine.

Read more at https://www.bc-security.org/blog

 

Metasploit-framework
The Metasploit Framework is a Ruby-based, modular penetration testing platform that enables you to write, test, and execute exploit code. The Metasploit Framework contains a suite of tools that you can use to test security vulnerabilities, enumerate networks, execute attacks, and evade detection.

Read more at https://docs.rapid7.com

 

Meterpeter
Meterpreter is a Metasploit attack payload that provides an interactive shell to the attacker from which to explore the target machine and execute code. Meterpreter is deployed using in-memory DLL injection. As a result, Meterpreter resides entirely in memory and writes nothing to disk.

 

Mimikatz
Mimikatz is a tool made by gentilkiwi that is commonly used by hackers and security professionals to extract sensitive information, such as passwords and credentials, from a system’s memory.

Read more at http://blog.gentilkiwi.com/mimikatz

 

Hashcat
hashcat is the world’s fastest and most advanced password recovery utility, supporting five unique modes of attack for over 300 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking.

Read more at https://hashcat.net/wiki/

 

Bloodhound
BloodHound is an Active Directory reconnaissance and attack path management tool that uses graph theory to identify hidden relationships, user permissions, sessions and attack paths in a source Windows domain.

Read more at https://bloodhound.readthedocs.io

 

Nmap
Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.

Read more at https://nmap.org

 

xmrig
XMRig High performance, open source, cross platform RandomX, CryptoNight, AstroBWT and Argon2 CPU/GPU miner, with official support for Windows.

 

[Question?] What was used for lateral movement and privilege escalation?

Click here for the answer
This would have to be a combination of Metasploit-framework and Meterpeter or Empire
Mimikatz could have also been used to obtain additional accounts and passwords to aide in privilege escalation

 

[Question?] What was used for remote control?

Click here for the answer
This one has to be the Remote Access Tool (RAT) called QuasarRAT

 

[Question?] What was used for reconnaissance? 

Click here for the answer
My guess for this would be a combination of BloodHound, given it’s an Active Directory reconnaissance and attack path management tool and Nmap which can perform host discovery and identify open ports and services.

 

[Question?] What was used for cryptocurrency mining? 

Click here for the answer
Definitely has to be xmrig for this

 

[Question?] What was used for password cracking? 

Click here for the answer
Mimikatz would have been used for obtaining the passwords/hashes from compromised machines, but it doesn’t do the actual cracking itself. This would have been passed off to another application such as Hashcat for “recovery’

 

Task 3

Can you find Emilies other accounts online?

 

Some of these we have already come across while investigating early information. For the most part this will involve running additional searchs on the information we currently have, such as full name, company, country and even focusing on image searching to see what we can identify.

 

[Question?] Identify their account on a popular business/hiring network

Click here for the answer
So I think we’d assume a good place for this information will be Linkedin. From Google I searched for the following inurl:linkedin.com EMarseille99 and I get some focussed results from fr.linkedin.com which points to Émilie Marseille – Back End Developer – Self Employed so I think we’re on the right track.

From this we have indicators that this is a good match. We have matches with the profile image, the name compared to the GitHub account name, She’s obviously in the EU and her title is a Back End Developer.

So the answer to this will be linkedin.com/in/émilie-marseille-4b353a1aa

 

[Question?] Identify their social media account for taking photos

Another google search using only the known alias gives us immediate results to solve this question.

Click here for the answer

The very first result is linking to Instagram

Following this link, we have some good indicators that this belongs to the person of interest. The Instagram profile and answer to this question, www.instagram.com/emarseille99 shows the same user image, full name, job role and company name.

 

 

[Question?] Identify their community profile for playing PC games and what university club were they in

We can stick with Google to continue our search, or we can try something different. We can also search a number of online platforms by username using something like https://blackbird-osint.herokuapp.com/

Click here for the answer
By searching for EMarseille99 we get a number of positive responses and if we are focused on identifying gaming sites, we can see an account for EMarseille99 exists on Steam.

Clicking on the hyperlink for this result, we can deduce that the steam account https://steamcommunity.com/id/EMarseille99/ does in fact belong to Emilie.

 

Pivoting back to Emilies Linked in account, we can see eSports listed as an activity and society from Sorbonne Université.

 

We could have also arrived at this conclusion through other means, which was through a post on her Instagram account when we reviewed it in an earlier question. Reviewing her posts in there, you will see a photo containing a QR code and the comment “Add me for some games ;)”.

Following the URL from the QR code will redirect you to Emilies Steam profile https://steamcommunity.com/id/emarseille99/

 

Task 4

Using Emilies social media, find out the following..

 

[Question?] Where did she go on holiday

Looking at Emilies Instagram account, we can see a photo with a comment from Emily that says “Once in a lifetime holiday here, love me some slings x”. I’m not familiar with the building below, but as soon as she said “slings” I think of the alcoholic drink, Singapore Slings.. lets see

 

Click here for the answer
Instagrams a bit of a pain, so I inspected the source, found the image and opened https://scontent-syd2-1.cdninstagram.com in a new tab. A reverse image search gave me the answer I was looking for.

It would seem that Emilie was on holiday in Singapore and this particular photo was taken by the Marina bay Sands – https://www.marinabaysands.com/hotel.html

 

 

[Question?] Which city does she live in

We have some initial clues from the start of this challenge which showed her location on Linkedin as Île-de-France, France, but lets try to confirm this.

Reviewing Emilies Instagram account she has posted a picture of a location with the comment “Love working in this beautiful city x”. So lets see if we can confirm where this may be from the photo below.

 

Click here for the answer
A reverse image search gives us a number of similar images of buildings next to the Seine river in Paris. And cross referencing these, it looks like we are looking back towards the Notre Dame cathedral. We can confirm this to 100% certainty on Google Maps street view at https://www.google.com/maps/@48.8519859,2.3535824

I was initially a bit thrown as Linkedin shows Île-de-France yet we know this photo is in Paris but agian, a quick Google and education explains that The Île-de-France is literally “Isle of France” and is the most populous of the eighteen regions of France, with an official estimated population of 12,271,794 residents on 1 January 2023. Centred on the capital Paris, it is located in the north-central part of the country and often called the Paris Region.

So there you have it. Emilie lives in Paris.

 

[Question?] Where is her family based (country)

Again, referring back to Emilies’ Instagram profile, we can see two photos that are referred to as being with friends and family.

Since we’re not trying to find the exact address, but only the country of residence, we can obtain this quite easily.

 

Click here for the answer
From the first photo we see a very unique building, which a reverse search identifies as the Burj Khalifa skyscraper and this would place us in Dubai, United Arab Emirates.

One of the first unique identifying features in the second photo is a flag.. but what flag? We can do this a few ways if you’re unsure.

We can compare the colours and layout to other flags, or use an online identifier like https://flagid.org

This lets us input the colours and then provides possible matches as seen below.

We can also do a reverse image search and isolate the area of the flag to achieve a similar result. In both methods we see that the flag colours and layout matches Al-Imārāt al-Arabiyyah al-Muttaidah • United Arab Emirates (formerly Trucial Coast • Trucial Oman or Trucial Sheikdoms).

 

 

Task 5

Find the location of Emilies company.

 

So we have have been provided with the following image of a building in which the company Emilies  works for has an office.

 

[Question?] Which city is the company located

We have a few areas of interest that can aide with our research. We have a unique street sign with a number of landmarks listed in English, we have a very distinct silver building in the background, which for the purpose of this CTF i’ll assume is the building of interest. There’s a large pedestrian only area and in the background we see signs for “Grand Central” which is maybe a transport hub of some sorts. And we also have a brick looking building with “ODEON” on it, which could be a cinema or similar.

So lets start with an easy method and reverse image search to see what comes up.

 

Click here for the answer
Too easy. Immediately we get 100% hits on the image search which places this location in Birmingham which is located in the West Midlands region of England, approximately 100 miles (160 km) from London.

We could have also figured this out buy looking at the landmarks on the street sign. The one pointing left clearly displays Hippodrome Theatre,  Alexandra Theatre and Chinese Quarter. You can select this text directly from Google image search, or manually search in. But in either case, but searching for these three landmarks together with give you all the information to identify this city.

 

 

 

Task 6

Emilie has left the country, but where is she now?

 

Emilie has been observed leaving her apartment and going to the airport. From there she has boarded a flight to another country, but where?  our intelligence team has spotted Emilie through a remote IP camera and provided us with the following image. Can we identify which state and country the camera (and Emilie) is in?

 

[Question?] Which state and country is this camera in

We have a couple of things we can focus on in the image. First we have the distinct park layout and the unique architecture. But more importantly we can see that the image has been taken by something called EarthCam and possibly that camera is labeled as “A View from the Dome”. All excellent information points to work on.

EarthCam is a webcam Network of live streaming webcams for tourism and entertainment. Searching for the term “Dome” on their website returns 15 camera which at first glance don’t match our image. However the images from the cameras based in Germany have very similar architecture and could be worth a further look.

So, my first issue is timing. As I try to check any of these cameras i’m presented with pure darkness as the current time in Europe is around 1:00AM.

So rather than view live webcams, I’m now going to search Google Images for static webcam photos. Using the term “earthcam germany dome“. I get a number of results back, but I see two that catch my eye immediately.

It’s worth noting, and always good practice to try various search terms. In this case I would have got better results by searching for webcam “a view from the dome”.

 

Click here for the answer
Two of the images identify this location as the Live Webcam, and guess what – It’s not even in Europe! To view the live stream and read more about this camera and location, visit https://dome.nd.edu/

So where did we find Emilie? Not in France or Germany. Not even in Europe. The answer to this final question is Indiana, United States of America

 

Time for a slice of accomplishment. Until next time.

pizza party time

 

 

 

 

 

 

 

Tagged as:  /  / 

Play Cover Track Title
Track Authors