Lespion Lab - Threat Intelligence Investigation Report
Investigate an insider threat by analyzing GitHub repositories for exposed credentials, using OSINT tools to correlate online accounts, and performing image analysis to identify locations.

Lespion Lab
Lab: https://cyberdefenders.org/blueteam-ctf-challenges/lespion/
Case Overview
In this lab, you will take the role of a Threat Intelligence Analyst or Digital Forensics Investigator tasked with investigating a security incident within a company whose network was compromised and taken offline.
Initial investigations revealed that the attack was carried out through a single user account inside the organization, which indicates a potential Insider Threat.
The goal of this investigation is to:
Identify the insider responsible for the attack
Analyze their digital activity
Link different online accounts belonging to the suspect
Identify geographic locations related to the investigation
The investigation will rely on OSINT (Open Source Intelligence) techniques using tools such as:
Google Image Search
Google Maps
Sherlock (in this investigation, I relied mainly on Google searches)
Step 1 - Finding the Exposed API Key
Question
What API key did the insider add to his GitHub repositories?
The investigation started by analyzing the user's GitHub repositories.
GitHub Profile: https://github.com/EMarseille99
Several repositories were found.
To check if any API keys were exposed, I used GitHub search with the following query:
owner:EMarseille99 EMarseille99 API Key
The key was found inside the file:
Project-Build---Custom-Login-Page/Login Page.js
Code snippet:
API Key = aJFRaLHjMXvYZgLPwiJkroYLGRkNBW
Answer:
aJFRaLHjMXvYZgLPwiJkroYLGRkNBW
Step 2 - Discovering the Exposed Password
Question
What plaintext password did the insider add to his GitHub repositories?
I searched the repositories again using:
owner:EMarseille99 EMarseille99 password
The following code snippet was discovered:
<div class="wrap-input100 validate-input">
Username: EMarseille99
</div>
<div class="wrap-input100 validate-input">
Password: UGljYXNzb0JhZ3VldHRlOTk=
Password(base64)
</div>
The password appears to be encoded using Base64:
UGljYXNzb0JhZ3VldHRlOTk=
To decode it, I used CyberChef.
After decoding, the plaintext password is:
PicassoBaguette99
Answer:
PicassoBaguette99
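The manual searches in Steps 1 and 2 can be turned into a repeatable check that a defender runs over their own repositories. The following is an added example, not part of the original lab or write-up: it scans file contents for credential-like assignments and tries a strict Base64 decode on each value. The sample input is constructed from the two snippets quoted above; the file name index.html is an assumption, since the write-up does not name the file that held the password.

```python
import base64
import binascii
import re

# Constructed sample input: the two snippets quoted in this write-up.
# "index.html" is a hypothetical file name; the page does not name that file.
SAMPLE_FILES = {
    "Login Page.js": "API Key = aJFRaLHjMXvYZgLPwiJkroYLGRkNBW\n",
    "index.html": (
        '<div class="wrap-input100 validate-input">\n'
        "Username: EMarseille99\n"
        "</div>\n"
        '<div class="wrap-input100 validate-input">\n'
        "Password: UGljYXNzb0JhZ3VldHRlOTk=\n"
        "Password(base64)\n"
        "</div>\n"
    ),
}

# A credential-like label, then ':' or '=', then a token of 8+ characters.
SECRET_RE = re.compile(
    r"(?i)\b(api[ _-]?key|password|passwd|secret|token)\b\s*[:=]\s*"
    r"[\"']?([A-Za-z0-9+/=_-]{8,})"
)

def try_base64(value):
    """Return decoded text if value is strict Base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if len(text) >= 4 and text.isprintable() else None

def scan(files):
    """Return (file, line_no, label, value, decoded_or_None) for each hit."""
    findings = []
    for name, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            for m in SECRET_RE.finditer(line):
                value = m.group(2)
                findings.append((name, line_no, m.group(1).lower(), value, try_base64(value)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(finding)
```

The API key is reported without a decoded value because it is not valid Base64, while the password field decodes cleanly, which shows that Base64 is an encoding and offers no protection.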
Step 3 - Cryptocurrency Mining Tool
Question
What cryptocurrency mining tool did the insider use?
To be honest, I am not deeply familiar with cryptocurrency mining tools. However, by reviewing the repositories in the user's GitHub profile, I found a repository named:
xmrig
This is a well-known cryptocurrency mining tool.
Answer: XMRig
Step 4 - Gaming Platform Account
Question
On which gaming website did the insider have an account?
Using Google search:
"gaming website" EMarseille99
gaming EMarseille99
I discovered the following profile: https://steamcommunity.com/id/emarseille99/
Platform: Steam
Answer: Steam
Step 5 - Instagram Profile
Question
What is the link to the insider Instagram profile?
Instagram profile EMarseille99
By searching for the username, the following account was found:
https://www.instagram.com/emarseille99/
Platform: Instagram
Answer: https://www.instagram.com/emarseille99/
However, let me be honest for a moment.
If someone is using the same profile picture across multiple accounts, why not use Reverse Image Search?
I went to: https://images.google.com/
Then searched using the same image, which revealed multiple accounts linked to the same person.
Step 6 - Holiday Location
Question
Which country did the insider visit on her holiday?
After analyzing the images posted on the Instagram account and performing Google Reverse Image Search, the location appeared to be: Singapore
A small tip
If you rely entirely on AI tools for investigations, you might easily get lost.
It is always better to:
Think first
Investigate manually
Ask AI only when you get stuck
Do not rely on it completely.
Step 7 - Insider Family Location
Question
Which city does the insider family live in?
One of the images appeared to contain useful information.
I downloaded the image directly from the browser using the following method:
Open the image on Instagram
Press F12
Select Inspect
Search for .jpg
Copy the image URL
Then download it:
curl -L "IMAGE_URL" -o image.jpg
After analyzing the image, I noticed the flag of the United Arab Emirates.
Therefore, the answer is: Dubai
Important note
Instagram removes most metadata from uploaded images, including:
GPS location
Camera model
Date taken
Therefore, even if you use a tool such as:
exiftool image.jpg
You will most likely not find useful location information.
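To confirm quickly whether a downloaded image still carries any of this metadata, you can walk the JPEG header segments yourself. The following is an added example, not part of the original lab or write-up: it reports whether an Exif APP1 block survives and whether its first IFD still points to a GPS block (tag 0x8825). The two byte strings are constructed samples, not real photos.

```python
import struct

def has_gps_pointer(tiff):
    """True if IFD0 of a TIFF block holds tag 0x8825 (pointer to the GPS IFD)."""
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return False
    order = "<" if tiff[:2] == b"II" else ">"
    (ifd0,) = struct.unpack(order + "I", tiff[4:8])
    if ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        if len(entry) == 12 and struct.unpack(order + "H", entry[:2])[0] == 0x8825:
            return True
    return False

def exif_summary(jpeg):
    """Walk JPEG header segments and report surviving Exif / GPS metadata."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    result = {"has_exif": False, "has_gps": False}
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: pixel data follows, metadata is over
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            result["has_exif"] = True
            result["has_gps"] = has_gps_pointer(payload[6:])
        pos += 2 + length
    return result

def segment(marker, payload):
    """Build one JPEG segment (used only for the constructed samples below)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples (not real photos): header segments only, no pixel data.
TIFF_WITH_GPS = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 1)
                 + struct.pack("<HHII", 0x8825, 4, 1, 26) + struct.pack("<I", 0))
TAIL = b"\xff\xda\x00\x02\xff\xd9"
ORIGINAL = b"\xff\xd8" + segment(0xE1, b"Exif\x00\x00" + TIFF_WITH_GPS) + TAIL
STRIPPED = b"\xff\xd8" + segment(0xE0, b"JFIF\x00") + TAIL

if __name__ == "__main__":
    print("original:", exif_summary(ORIGINAL))
    print("stripped:", exif_summary(STRIPPED))
```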
Step 8 - Company Office Location
Question
File -> office.jpg
Which city is the company located in?
Using: https://images.google.com
I performed a Reverse Image Search on the image.
The result indicated the location: Birmingham
Step 9 - IP Camera Location
Question
Which state is this camera in?
The camera image was analyzed using:
Google Images :
or

The results indicated the location: Indiana
Conclusion
This lab demonstrates how OSINT techniques can be used to analyze a person's online presence and connect multiple accounts and activities together.
During the investigation, we discovered:
An exposed API Key on GitHub
A Base64-encoded password
A Steam account
An Instagram account
The insider's holiday location
The family location
The company office location
The IP camera location
All of this information was gathered using only open-source intelligence from the internet.
Here we have reached the correct conclusion in the end.
Here we are done, see you in other reports...!
See you later, bro



