Scenario

You have been tasked by a client whose network was compromised and brought offline to investigate the incident and determine the attacker's identity.

Incident responders and digital forensic investigators are currently on the scene and have conducted a preliminary investigation. Their findings show that the attack originated from a single user account, probably an insider. Investigate the incident, find the insider, and uncover the attack actions.

https://cyberdefenders.org/blueteam-ctf-challenges/lespion/


1- File -> Github.txt: What API key did the insider add to his GitHub repositories?

aJFRaLHjMXvYZgLPwiJkroYLGRkNBW

Screenshot 2025-07-09 072829.png

Screenshot 2025-07-09 072856.png

We begin by analysing the GitHub profile given in Github.txt; the user is described as a backend programmer. One of the repositories is named Project-Build---Custom-Login-Page. Opening it shows two .js files; the first one, login page.js, contains the API key on its first line.

2- File -> Github.txt: What plaintext password did the insider add to his GitHub repositories?

PicassoBaguette99

Screenshot 2025-07-09 072923.png

Screenshot 2025-07-09 072951.png

In the same .js file the password is on line 58. It is base64-encoded; decoding it with CyberChef gives the answer.
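Both findings above (a raw API key on line 1, a base64-encoded password further down) are the kind of thing a pre-commit secret scanner catches before the file ever reaches a public repository. The following Python script is an added example, not part of the original writeup or of any tool the challenge uses: it scans source text for quoted literals, first trying to decode them as base64 to printable text (the weak "protection" used for the password) and otherwise flagging high-entropy tokens (the API key). The sample file SAMPLE_JS is constructed for this example; only the two literal values are the ones the writeup reports.

```python
import base64
import math
import re
from typing import Dict, List

# Constructed sample in the style of the login-page script described in the
# writeup. The file is made up for this example; the two literal values are the
# ones the writeup reports (the API key and the base64 form of the password).
SAMPLE_JS = """const API_KEY = "aJFRaLHjMXvYZgLPwiJkroYLGRkNBW";
function checkLogin(user, pw) {
  // password "protected" only by base64, which is encoding, not encryption
  const stored = "UGljYXNzb0JhZ3VldHRlOTk=";
  return atob(stored) === pw;
}
"""

# Quoted literals of 16+ characters drawn from the base64/token alphabet.
CANDIDATE = re.compile(r'["\']([A-Za-z0-9+/=_\-]{16,})["\']')
ENTROPY_THRESHOLD = 3.5  # bits per char; random 30-char tokens sit well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own frequencies."""
    freq = {c: s.count(c) / len(s) for c in set(s)}
    return -sum(p * math.log2(p) for p in freq.values())


def decode_if_base64_text(s: str):
    """Return the decoded text if s is valid base64 that decodes to printable ASCII, else None."""
    if len(s) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(s, validate=True)  # binascii.Error is a ValueError
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def scan_source(source: str) -> List[Dict]:
    """Flag hardcoded secrets: base64 literals that decode to text, and high-entropy tokens."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            value = match.group(1)
            decoded = decode_if_base64_text(value)
            if decoded is not None:
                findings.append({"line": lineno, "kind": "base64-decodes-to-text",
                                 "value": value, "decoded": decoded})
            elif shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "kind": "high-entropy-token",
                                 "value": value, "decoded": None})
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS):
        suffix = f" -> {f['decoded']}" if f["decoded"] else ""
        print(f"line {f['line']}: {f['kind']}: {f['value']}{suffix}")
```

Run against the sample it reports two findings: the key on line 1 as a high-entropy token (its entropy is about 4.4 bits per character) and the literal on line 4 as base64 that decodes to the plaintext password. The base64 check runs first so an encoded secret is reported with its decoded value rather than merely as "random-looking"; the length-divisible-by-four test plus `validate=True` keeps ordinary random keys from being misreported as base64.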

3- File -> Github.txt: What cryptocurrency mining tool did the insider use?