Lab: https://cyberdefenders.org/blueteam-ctf-challenges/lespion/

Case Overview

In this lab, you will take the role of a Threat Intelligence Analyst or Digital Forensics Investigator tasked with investigating a security incident within a company whose network was compromised and taken offline.

Initial investigations revealed that the attack was carried out through a single user account inside the organization, which indicates a potential Insider Threat.

The goal of this investigation is to:

• Identify the insider responsible for the attack

• Analyze their digital activity

• Link different online accounts belonging to the suspect

• Identify geographic locations related to the investigation

The investigation will rely on OSINT (Open Source Intelligence) techniques using tools such as:

• Google Image Search

• Google Maps

• Sherlock (in this investigation, I relied mainly on Google searches)

Step 1 – Finding the Exposed API Key

Question

What API key did the insider add to his GitHub repositories?

The investigation started by analyzing the user's GitHub repositories.

GitHub Profile: https://github.com/EMarseille99

Several repositories were found.

To check if any API keys were exposed, I used GitHub search with the following query:

owner:EMarseille99 EMarseille99 API Key

The key was found inside the file:

Project-Build---Custom-Login-Page/Login Page.js

Code snippet:

API Key = aJFRaLHjMXvYZgLPwiJkroYLGRkNBW

Answer:

aJFRaLHjMXvYZgLPwiJkroYLGRkNBW

Step 2 – Discovering the Exposed Password

Question

What plaintext password did the insider add to his GitHub repositories?

I searched the repositories again using:

owner:EMarseille99 EMarseille99 password

The following code snippet was discovered:

<div class="wrap-input100 validate-input">
Username: EMarseille99
</div>

<div class="wrap-input100 validate-input">
Password: UGljYXNzb0JhZ3VldHRlOTk=
Password(base64)
</div>

The password appears to be encoded using Base64:

UGljYXNzb0JhZ3VldHRlOTk=

To decode it, I used CyberChef.

After decoding, the plaintext password is:

PicassoBaguette99

Answer:

PicassoBaguette99

Step 3 – Cryptocurrency Mining Tool

Question

What cryptocurrency mining tool did the insider use?

To be honest, I am not deeply familiar with cryptocurrency mining tools. However, by reviewing the repositories in the user's GitHub profile, I found a repository named:

xmrig

This is a well-known cryptocurrency mining tool.

Answer: XMRig

Step 4 – Gaming Platform Account

Question

On which gaming website did the insider have an account?

Using Google search:

"gaming website" EMarseille99

gaming EMarseille99

I discovered the following profile: https://steamcommunity.com/id/emarseille99/

Platform: Steam

Answer: Steam

Step 5 – Instagram Profile

Question

What is the link to the insider Instagram profile?

Instagram profile EMarseille99

By searching for the username, the following account was found:

https://www.instagram.com/emarseille99/

Platform: Instagram

Answer : https://www.instagram.com/emarseille99/

However, let me be honest for a moment.

If someone is using the same profile picture across multiple accounts, why not use Reverse Image Search?

I went to : https://images.google.com/

Then searched using the same image, which revealed multiple accounts linked to the same person.

Step 6 – Holiday Location

Question

Which country did the insider visit on her holiday?

After analyzing the images posted on the Instagram account and performing Google Reverse Image Search, the location appeared to be: Singapore

A small tip

If you rely entirely on AI tools for investigations, you might easily get lost.

It is always better to:

• Think first

• Investigate manually

• Ask AI only when you get stuck

Do not rely on it completely.

Step 7 – Insider Family Location

Question

Which city does the insider family live in?

One of the images appeared to contain useful information.

I downloaded the image directly from the browser using the following method:

1. Open the image on Instagram

2. Press F12

3. Select Inspect

4. Search for .jpg

5. Copy the image URL

Then download it:

curl -L "IMAGE_URL" -o image.jpg

After analyzing the image, I noticed the flag of the United Arab Emirates.

Therefore, the answer is: Dubai

Important note

Instagram removes most metadata from uploaded images, including:

• GPS location

• Camera model

• Date taken

Therefore, even if you use a tool such as:

exiftool image.jpg

You will most likely not find useful location information.

Step 8 – Company Office Location

Question

File -> office.jpg

Which city is the company located in?

Using: https://images.google.com

I performed a Reverse Image Search on the image.

The result indicated the location: Birmingham

Step 9 – IP Camera Location

Question

Which state is this camera in?

The camera image was analyzed using:

• Google Images :

• 

• or

• https://yandex.com/images :

• 

The results indicated the location: Indiana

Conclusion

This lab demonstrates how OSINT techniques can be used to analyze a person's online presence and connect multiple accounts and activities together.

During the investigation, we discovered:

• An exposed API Key on GitHub

• A Base64‑encoded password

• A Steam account

• An Instagram account

• The insider's holiday location

• The family location

• The company office location

• The IP camera location

All of this information was gathered using only open-source intelligence from the internet.

Here we have reached the correct conclusion in the end .

Here we are done, see you in other reports…!

See you later, bro

In the world of virtualization and system administration, RAM (Random Access Memory) is the most valuable currency. But what happens when this currency runs out while running heavy labs or multiple virtual machines (VMs) simultaneously?

This is where the unsung hero comes in: Swap in Linux and Pagefile in Windows.

These technologies are part of Virtual Memory, which is not just extra space—it’s the last line of defense that protects your host machine and VMs from sudden crashes. In this article, we’ll dive deep to understand how Swap and Pagefile work, when they kick in to save the day, and how to balance performance and stability to keep your “tech lab” running smoothly without bottlenecks.

2️⃣ What Are Swap & Pagefile?

Simply put, Swap and Pagefile are reserved spaces on your hard drive (HDD or SSD) that the operating system uses as additional RAM when physical memory runs low.

How Do They Work?

When RAM usage is high, the system moves inactive data from RAM to Swap/Pagefile to free up space for active processes.

Practical analogy:
RAM = your desk for working
Swap/Pagefile = desk drawer for storing papers you aren’t currently using
When needed, the paper is brought back to the desk so work continues smoothly.

3️⃣ When Does Swap/Pagefile Activate?

1️⃣ Memory Pressure

The system looks for “cold data” and moves it to Swap to free up RAM for hot (active) processes.

2️⃣ Swappiness in Linux

• 0–20: Use RAM first; Swap is the last resort

• 60–100: System uses Swap early, even before RAM is exhausted

Tip: For heavy labs, use a low value (10–20) for better performance.

3️⃣ Automatic Windows Management

Windows monitors Commit Charge and starts moving inactive data to the Pagefile even if there is still free RAM.

4️⃣ The 100% RAM Myth

The system doesn’t wait for RAM to be completely full. Swap/Pagefile may start being used earlier to prevent sudden system shocks.

4️⃣ Effects of Modifying Swap/Pagefile

On the Host

On the VMs

5️⃣ Best Practices

🐧 Linux

• Swap Size:

  • RAM < 16GB → Swap = RAM

  • RAM ≥ 32GB → Swap ≈ 0.5 × RAM

• Swappiness: Prefer 10–20 for heavy labs

• Monitoring: htop or free -h

🪟 Windows

• Initial size: 25–50% of RAM

• Maximum size: 1.5 × RAM

• Tip: Place the Pagefile on a fast SSD to reduce latency

6️⃣ Practical Setup

🪟 Windows

1. Windows + R → sysdm.cpl → Advanced → Performance → Settings → Advanced → Virtual Memory → Change
2. Disable "Automatically manage paging file size for all drives"
3. Custom Size: Initial = 0.5 × RAM, Maximum = 1.5 × RAM → Set → OK
4. Restart to apply changes

Tip: For heavy labs like SIEM/ELK, place the Pagefile on a fast SSD and keep the maximum size at least 16GB.

🐧 Linux (Debian)

# Temporarily disable Swap
sudo swapoff /swap.img

# Expand size to 16GB
sudo fallocate -l 16G /swap.img

# Set permissions
sudo chmod 600 /swap.img

# Reinitialize Swap
sudo mkswap /swap.img

# Enable Swap
sudo swapon /swap.img

# Verify
free -h

• Temporarily adjust Swappiness: sudo sysctl vm.swappiness=10

• Permanent adjustment: add vm.swappiness=10 to /etc/sysctl.conf

7️⃣ Monitoring

8️⃣ Conclusion

• Irreplaceable protection: Swap and Pagefile are the safety valves for the host and VMs.

• Balance is key: Enough emergency space with smart settings like Swappiness = 20.

• Continuous monitoring: Track Commit Charge or Swapon during heavy lab workloads.

• Fast storage: Place virtual memory on SSD/NVMe to avoid slow performance.

Practical takeaway: Virtual memory may not be used every day, but it can be the difference between completing your lab successfully or experiencing a system crash and data loss.

This training program is designed to build a complete, fully functional security operations center (SOC) environment from scratch. We will install and configure a Security Information and Event Management (SIEM) system (ELK Stack) and integrate it with a Security Orchestration, Automation, and Response (SOAR) platform (n8n). We will also use Winlogbeat and Fluent Bit to collect and transform event logs from various devices and send them to the SIEM platform for analysis.

Pre-Lab Overview

Some of the initial labs in Detection Engineering :

DETECTION EGNINEERING - Intro

Netowork Security Labs And CTF :

Labs :

• Detect NMAP Scan Using Snort

• A Mock Lab on Ubuntu to Practice Setting Up a Web Server + WAF (Nginx + ModSecurity)

CTFs:

• Psexec-Hunt Pcapng

• Suspicious File Download (Fake Google Authenticator)

• Examining PCAPs and Emails to Identify Malware Infection

• HawkEye Blue Team Challenge

• ARP Storm : CyberTalents

Linux Labs Ans CTFs:

• OverTheWire : Bandit Level 0 ToBandit Level 10

• Bandit Level 10 To Level 20

• Bandit Level 20 To Level 23

• Leviathan (Linux)

• Leviathan : level 0

• Leviathan Level 0 → Level 1

Windows Server Labs And Review :

Login Protocols(NTLM vs Kerberos)

• THM AD :

  • Active Directory Basics

  • 1.Windows Fundamentals 1

  • 2.Windows Fundamentals 2

  • 3.Windows Fundamentals 3

Soc General :

SIEM :

• Qradar101 Blue Team Challenge : CyberDefenders

• Boss of the SOC Version 1 (2015) Scenario-1

• Phishing Response Playbook

• Building a SIEM Collecting Linux and Windows Logs with Filebeat & Winlogbeat into Elasticsearch and Visualizing in Kibana

• Collecting and Visualizing SSH Logs with Fluent Bit & Elasticsearch

Phishing Labs :

• PayPal Phishing Email Investigation Lab @LetsDefend

Digital-Forensics-Labs :

Course-Based Digital Forensics Labs :

• 🔍File Analysis Using the stat Command in Linux

• 🖼️ Image Analysis Using exiftool and exif in Linux

• 📁 Analyzing File Properties in Digital Forensics – Windows Example

• 🛡️ Explaining the Use of Software Write Blocker in Digital Forensics

• 🧰 Lab: Disk Acquisition Using Linux dd Command

• 🧰 Disk Acquisition Using AccessData FTK Imager on Windows

• Verifying the integrity of digital evidence using hashing + a practical application on Windows and Linux

• Overview of Registry Hives & Extraction with FTK Imager

• 🧪 Registry Analysis using Registry Explorer, ShellBags Explorer, and RegRipper

• 🧠 Registry Analysis Guide – What to Look for at the Analysis Phase

• 🧠 Linux OS Forensics – Digital Analysis on Linux Systems

• 🦊 Firefox Artifacts Extraction

• 🛠️ Creating a New Case and Adding a Data Source in Autopsy – Step-by-Step with Full Explanation

• 🧪 Analysis of Data Source Using Autopsy – Autopsy Forensic Tool

🎯 Platform-Based Digital Forensics Labs :

🔍 Network Forensics :

• Psexec-Hunt Pcapng

• Suspicious File Download (Fake Google Authenticator)

• Examining PCAPs and Emails to Identify Malware Infection

• HawkEye Blue Team Challenge

• ARP Storm : CyberTalents

🧰 Disk Images :

• Search in Trash : CyberTalents

• NTFS1 – Evidence Acquisition & Analysis Lab (DigitalCorpora.org Disk Images)

Steganography && Audio Forensics :

• Meta : Blue Team Labs Online

• DISKO 1 : PicoCtf

• Glory of the Garden : PicoCTF

• Information : picoCTF

• RED : picoCtf

• Secret of the Polyglot : picoCtf

• Scan Surprise : picoCTF

• Verify : picoCTF

• CanYouSee : picoCTF

• WOW…. So Meta : CTFLEARN

• Taking LS : CTFLEARN

• Forensics 101 : CTFLEARN

• Exif : CTFLEARN

• Binwalk : CTFLEARN

• Rubber Duck : CTFLEARN

• Git Is Good : CTFLEARN

• Snowboard : CTFLEARN

• I’m a dump : CTFLEARN

• Minions : CTFLEARN

• PDF by fdpumyp : CTFLEARN

• Simple Steganography : CTFLEARN

• Pho Is Tasty! : CTFLEARN

• Tux! : CTFLEARN

• Chalkboard : CTFLEARN

• PikesPeak : CTFLEARN

• G&P List : Cyber Talents

• Hidden Message : Cyber Talents

• Cypher Anxiety : Cyber Talents

• I love images : Cyber Talents

• File Found : Cyber Talents

Pentration Testing :

• Cybersecurity Beginner Career | Labs By CyberTalents

Information Gathering and Scanning :

• Passive Reconnaissance : TRY HACK MY

• Active Reconnaissance : Try Hack Me

WEB :

• IDOR : Corridor : Try Hack Me

• Natas : OverTheWire :

  • Natas : Level 0 :

  • Natas : Level 1

  • Natas : Level 2..“)

  • Natas : Level 3..“)

• Information Disclosure :

  • Information disclosure in error messages

  • Information disclosure on debug page

  • Source code disclosure via backup files

  • Information disclosure in version control history

  • Authentication bypass via information disclosure

• Access control :

  • User ID controlled by request parameter, with…

  • User ID controlled by request parameter

  • User role can be modified in user profile

  • User role controlled by request parameter

  • Unprotected admin functionality with unpredictable…

  • Unprotected admin functionality

Machine :

• Metasploitable-1

• Metasploitable-2

• Kioptrix Level-1

Malware Analysis :

• Persistence Analysis and Remediation of Python Pop-Up Malware

You Can Try : https://cyberdefenders.org/blueteam-ctf-challenges/psexec-hunt/

Identification

• Incident Title : PsExec Hunt Lab

• Date/Reported : 03-09-2025

• Reported by  : Task Trainee WE INNOVATE

• Description  : - During my training at WE INNOVATE, I was assigned a forensic analysis task involving the file psexec-hunt.pcapng. An alert generated by the Intrusion Detection System (IDS) flagged suspicious lateral movement activity associated with the use of PsExec. This suggested potential unauthorized access across multiple hosts within the network.

• Investigator : Abdelwahab Ahmed Shandy

Acquisition

• Evidence Collected: Packet Capture File (psexec-hunt.pcapng)

• Tool Used: Wireshark

Preservation

• I made a copy of the original file to maintain integrity :

sansforensics@as: ~/Downloads
$ cp psexec-hunt.pcapng Task-Day2.pcapng
sansforensics@as: ~/Downloads
$ md5sum psexec-hunt.pcapng 
3b009a00b288eb0558f8e91879aeb4f6  psexec-hunt.pcapng
sansforensics@as: ~/Downloads
$ md5sum Task-Day2.pcapng 
3b009a00b288eb0558f8e91879aeb4f6  Task-Day2.pcapng

• Hash (MD5): 3b009a00b288eb0558f8e91879aeb4f6

• Preservation: A verified copy of the original PCAP file was maintained to ensure forensic integrity.

Analysis :

• Simply put, we're required to check if an attack occurred using a tool called PsExec.

• First, we need to understand what PsExec is:

  • PsExec is a tool from the Sysinternals suite (owned by Microsoft).

  • Its function: It allows you to run commands or programs remotely on other devices on the network without opening an RDP session or logging into the device directly.

The first thing we can start with when we do an analysis in Wireshark :

1️⃣ Statistics > Protocol Hierarchy

• Here, you'll see all the protocols present in the PCAP and the percentage of each.

• Reason: To see if there are any abnormal protocols or a high percentage of a specific protocol (such as SMB) - this could indicate that the attack was carried out through it

  

• 2️⃣ Statistics > Conversations

• Here, you'll see the conversations (connections) between devices: who talked to whom, the size of the data, and the number of packets.

• Reason: To help you identify which two devices are showing suspicious activity (such as an attacker communicating with multiple devices via SMB).

• 

3️⃣ Statistics > Endpoints

• Here, you'll see all the devices (IP addresses or MACs) that appeared in the capture.

• Reason: To identify the primary devices in the attack - the device that initiated the communication (the attacker) and the affected devices (the victims).

• 

• The highest traffic is on IP: 10.0.0.130 and it may be the device that was initially hacked by the attacker , But I want to make sure or why it is really him ؟

First : To effectively trace the attacker's activities within our network, can you identify the IP address of the machine from which the attacker initially gained access?

Can I ask a few questions:

• Who initiated the communications? (Initiation) :

  • tcp.flags.syn == 1 && tcp.flags.ack == 0 && (ip.src == 10.0.0.130)

  • 

  • The filter shows you all the connections that the device 10.0.0.130 initiated (sent a SYN the first time to open a connection), and this is so that: you can prove that 10.0.0.130 is the attacker → because it is the one that initiates SMB sessions with the other devices (10.0.0.133, 10.0.0.131).

1) can you identify the IP address of the machine from which the attacker initially gained access?

• 10.0.0.130

📝 Why is 10.0.0.130 the attacker (the point from which the intrusion began)? Conversations : -The largest connection was between 10.0.0.130 ↔ 10.0.0.133 (over 38,000 packets) , The next connection was with 10.0.0.131. -This means that 10.0.0.130 is communicating with the other devices. Endpoints : -The highest traffic volume was at 10.0.0.130 → This indicates that it is the active device (performing operations on more than one target). -TCP SYN Filter : -Using the filter: tcp.flags.syn == 1 && tcp.flags.ack == 0 && ip.src == 10.0.0.130 -We find that 130 is the one initiating connections to other devices → evidence that it is the attacker, not the victim.

Second : To fully understand the extent of the breach, can you determine the machine's hostname to which the attacker first pivoted? :

• 📝 From the analysis:

  • We saw that the attacker 10.0.0.130 first contacted device 10.0.0.133 (this was the first victim it moved to).

    

• tcp.flags.syn == 1 => This means the packet contains the SYN flag (the first step in the TCP connection establishment process – the Handshake).

• tcp.flags.ack == 0 => This means that this packet does not contain an ACK, and therefore, it is only the SYN that initiates the session.

• ip.src == 10.0.0.130 => This packet originates from device 10.0.0.130.

• Now we need to find out the hostname of device 10.0.0.133 :

  • The first IP was 10.0.0.133 :

  • I can get hostname :

    • i used filter : ip.addr== 10.0.0.133 || nbns || dns , Nothing important appeared

    • i used filter : (ip.src == 10.0.0.130) && ntlmssp :

    • 

NTLM Security Support Provider (NTLMSP) :It is part of the NTLM Authentication protocol.

It is used in the negotiation and authentication process between the client and the server.

You can think of it as the messages or packets that transmit the authentication steps.

📌 The relationship between SMB and NTLMSSP:

• SMB (Server Message Block) is the protocol that allows file, printer, and IPC sharing between devices.

• When an attacker uses a tool like PsExec or attempts to make a lateral move, they need to authenticate to access Admin\( or IPC\).

• Then, the hostname of the device the attacker has moved to will be displayed.

  

  In SMB2 → Session Setup Response, we found NTLMSSP_CHALLENGE :

  

• This is the hostname of the device the attacker attempted to pivot on.

2) can you determine the machine's hostname to which the attacker first pivoted?

• Sales-PC

Third : Knowing the username of the account the attacker used for authentication will give us insights into the extent of the breach. What is the username utilized by the attacker for authentication?

The username appears in the NTLMSSP_AUTHENTICATE phase of the SMB Session Setup.

That is, after (10.0.0.133 = SALES-PC) responds with the NTLMSSP_CHALLENGE message, the attacking machine (10.0.0.130) sends the NTLMSSP_AUTHENTICATE message.

The attacker's goal was to gain higher powers, and this is what he actually obtained :

• 

• Its presence with the target hostname (SALES-PC) confirms that it is Local Admin.

• Also, the PsExec tool only runs with Admin rights.

3) What is the username utilized by the attacker for authentication?

• ssales

Fourth: After figuring out how the attacker moved within our network, we need to know what they did on the target machine. What's the name of the service executable the attacker set up on the target? :

I Can Get This : File > Export Object > SMB

Or Filter on SMB Trafiic with Executable Files :

Role on Packets on type :

SMB2 CREATE Request
SMB2 WRITE Request
SMB2 CLOSE Request

4) After figuring out how the attacker moved within our network, we need to know what they did on the target machine. What's the name of the service executable the attacker set up on the target?

• psexesvc

Fifth : We need to know how the attacker installed the service on the compromised machine to understand the attacker's lateral movement tactics. This can help identify other affected systems. Which network share was used by PsExec to install the service on the target machine?

• Before we answer a question like this, we need to understand:

The $ in the name means that the share is hidden, it will not be visible to the regular user when browsing the network, but it is available to administrators (Admins).

• i use filter : smb2.tree

  

\10.0.0.133\IPC\( appears = Initial connection + authentication phase. \10.0.0.133\ADMIN\) appears = Actual service cloning and installation phase

5)Which network share was used by PsExec to install the service on the target machine ?

• ADMIN$

Sixth: 6) We must identify the network share used to communicate between the two machines. Which network share did PsExec use for communication?

• If we look at the SMB traffic after activating the service, you will find connections such as:

• 

• PsExec used the IPC$ share to communicate between the attacker machine (10.0.0.130) and the target machine (10.0.0.133).

• In the PCAP, we saw:

  • Frame 134 → Tree Connect Request \10.0.0.133\IPC$

  • Frame 135 → Tree Connect Response (the server accepted the connection).

  • => This proves that the attacker opened a communication channel on the IPC$ share.

6) We must identify the network share used to communicate between the two machines. Which network share did PsExec use for communication?

• IPC$

Seventh: Now that we have a clearer picture of the attacker's activities on the compromised machine, it's important to identify any further lateral movement. What is the hostname of the second machine the attacker targeted to pivot within our network?

i can open in tap : Statistics > Endpoints

• Actually we can doubt 10.0.0.131 or 10.0.0.132

• In PCAP (Wireshark), review SMB traffic:

  • If you find a Tree Connect Request (in the SMB protocol),

  • you will find that PsExec is likely using ADMIN$ to download the PSEXESVC.exe file to the victim's machine and run it.

• Actually, let what happened in this device :

  

• We want to get the hostname , using filter : smb2 || ntlmssp && (ip.addr == 10.0.0.131)

  

🔎 Why does this point to the second hostname?

• The IP address 10.0.0.131 is the new device the attacker is trying to pivot to from 10.0.0.130.

• If you open the SMB2 Session Setup Response or NTLMSSP_CHALLENGE in the same packet or the next one, you will find:

• Target Name = MARKETING-PC

• Or in the Target Info section under NTLM challenge.

Now that we have a clearer picture of the attacker's activities on the compromised machine, it's important to identify any further lateral movement. What is the hostname of the second machine the attacker targeted to pivot within our network?

• Marketing-PC

📝 Indicators of Compromise (IOCs)

✍️ Prepared by: Abdelwahab A. Shandy

📅 Date: 03-09-2025

Here we have reached the correct conclusion in the end .

Here we are done, see you in other reports…!

See you later, bro

🛠️ Prerequisites:
✅ A GitHub account

✅ A Git installation on your device

✅ An Obsidian folder (the Vault) is ready

✅I will use the simplest method, which is GitHub Desktop.

🧭 Steps in detail:

1️⃣ Create a Repository on GitHub :

• Log in to GitHub Or GitHub Desktop :

Click the New button to create a new Repo

Name it, for example: My-Study-Archive

• Make it Public or Private as you wish

• Important: Do add README or any other files

On Your Pc

2️⃣ Prepare the Obsidian folder :

• Open Obsidian :

Create a New Valut :

You will give the file a name and choose a location .

This is the final form with different names and storage location.

This is our final form you can add files and folders and do everything and I will simultaneously recite inside GitHub

Here we are testing. We have created folders and files. We will now upload them and take a backup copy on GitUp using the following methods:

First, when you open GitHub Desktop it, you will find the following:

In order for the places to be connected, we will make a comment now. Everything we have done is available to you on the machine. We must always take a backup copy. Do not forget this by doing the following:

Comment on the data

Save the commit
Whenever you make a change:

Go to GitHub Desktop

You’ll find some time

Write a simple description (e.g., updating the networking lecture)

Click the commit to the main page → then push the original

Now to make sure, open GitHub on the browser and you will find the following:

This is my friend, the simplest way to save everything you have learned and through which you can search and browse. Thus, you must now learn Obsidian manually with yourself and through experience. Also, below I will add some additions that you can do to improve the process, but if you are a beginner in this matter and do not want to do this, then do not do it. We agree.

Some helpful plugins:

🎉 Congratulations!
All your notes are now:

Organized within Obsidian

Saved on GitHub

Available from anywhere

And easily shared with any colleague or study community

⚠️ A simple warning

Personally, I don’t like using full automatic sync without review.**

Imagine if you accidentally deleted something important?
And the sync happened automatically?
Then the problem would have been logged and uploaded without you even noticing!

Yes, Git allows you to restore files…
But why take the risk?

✅ Review your changes before uploading them
✅ And if you like automation, use the Obsidian Git plugin intelligently.

🔄 Plugin (Optional): Obsidian Git for automatic sync
If you want Obsidian to automatically sync (commit + push), use this plugin:

🪛

Installation steps:
Open Obsidian

Settings → Thired-Party plugin → Community Plugins

Disable Safe Mode

Click Browse

Find Obsidian Git → Click Install → Enable

⚙️ Suggested Settings:

✅ Result:
Every time you open Obsidian or edit a file:

The edit will be automatically logged

It will be uploaded to GitHub without any manual commands

🎉 Congratulations!
You now have:

🧠 An organized note system within Obsidian

☁️ A backup on GitHub

🌍 Accessible from anywhere

🔄 And easy sharing of notes with your colleagues or the community

💬 "Control the code, and you control the world." 🔐 From wiping metadata to gaining root access — every step is documented and my goal is to deeply understand the system, not just hack!

Abdelwahab Shandy

Linkedin

GitHub

See You Soon

AS Cyber “)).