CTF OSINT
String Identification
- 40 hex chars → SHA-1 (Tor fingerprint)
- 64 hex chars → SHA-256
- 32 hex chars → MD5
Tor Relay Lookups
https://metrics.torproject.org/rs.html#simple/<FINGERPRINT>
Check family members and sort by "first seen" date for ordered flags.
Image Analysis
- Discord avatars: screenshot and reverse image search
- Identify objects in images (weapons, equipment) → find character/faction
- No EXIF? Use visual features (buildings, signs, landmarks)
- Visual steganography: flags hidden as tiny/low-contrast text in images (not binary stego)
- Always view images at full resolution and check ALL corners/edges
- Black-on-dark or white-on-light text, progressively smaller fonts
- Profile pictures/avatars are common hiding spots
- Twitter strips EXIF on upload - don't waste time on stego for Twitter-served images
- Tumblr preserves more metadata in avatars than in post images
Geolocation Techniques
- Railroad crossing signs: white X with red border = Canada
- Use infrastructure maps:
  - Open Infrastructure Map - power lines
  - OpenRailwayMap - rail tracks
  - High-voltage transmission line maps
- Process of elimination: narrow by country first, then region
- Cross-reference multiple features (rail + power lines + mountains)
- MGRS coordinates: grid-based military system (e.g., "4V FH 246 677") → convert online
Social Media OSINT
- Check Wayback Machine for deleted posts on Bluesky, Twitter, etc.
- Unlisted YouTube videos may be linked in deleted posts
- Bio links lead to itch.io, personal sites with more info
- Search "username" with quotes on platform-specific searches
- Challenge titles are often hints (e.g., "Linked Traces" → LinkedIn / linked accounts)
Twitter/X Account Tracking
Persistent numeric User ID (key technique):
- Every Twitter/X account has a permanent numeric ID that never changes
- Access any account by ID: https://x.com/i/user/<numeric_id> — works even after username changes
- Find user ID from archived pages (JSON-LD "author":{"identifier":"..."})
- Useful when username is deleted/changed but you have the ID from forensic artifacts
Username rename detection:
- Twitter User IDs persist across username changes; t.co shortlinks point to OLD usernames
- Wayback CDX API to find archived profiles: http://web.archive.org/cdx/search/cdx?url=twitter.com/USERNAME*&output=json
- Archived pages contain JSON-LD with user ID, creation date, follower/following counts
- t.co links in archived tweets reveal previous usernames (the redirect URL contains the username at time of posting)
- Same tweet ID accessible under different usernames = confirmed rename
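The two pieces of this workflow that are worth scripting are parsing the CDX JSON result set and pulling the persistent user ID out of an archived profile's JSON-LD (the "author":{"identifier":...} shape noted under Persistent numeric User ID). The following is an added example, not code from the original notes; the CDX field order (urlkey, timestamp, original, mimetype, statuscode, digest, length) is the CDX server's documented default, and both the CDX rows and the HTML fragment are constructed sample data, so the handles, IDs and counts are made up.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample of what the Wayback CDX API returns with output=json:
# a header row followed by one row per capture.  Field order assumed to be the
# CDX server default: urlkey, timestamp, original, mimetype, statuscode, digest, length.
SAMPLE_CDX = json.dumps([
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["com,twitter)/olduser", "20220315101500", "https://twitter.com/olduser",
     "text/html", "200", "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "51234"],
    ["com,twitter)/olduser/status/1500000000000000000", "20220316120000",
     "https://twitter.com/olduser/status/1500000000000000000",
     "text/html", "200", "BBCDEFGHIJKLMNOPQRSTUVWXYZ234567", "48000"],
    # a later capture of the old handle that no longer serves 200 is the kind of
    # signal that makes a rename worth checking
    ["com,twitter)/olduser", "20230102030405", "https://twitter.com/olduser",
     "text/html", "302", "CCCDEFGHIJKLMNOPQRSTUVWXYZ234567", "600"],
])

# Constructed fragment of an archived profile page carrying JSON-LD metadata.
# The key names follow the "author":{"identifier":...} shape; every value is made up.
SAMPLE_ARCHIVED_HTML = """<html><head>
<script type="application/ld+json">{"@context":"https://schema.org","@type":"ProfilePage",
"dateCreated":"2015-06-01T12:00:00.000Z",
"author":{"@type":"Person","identifier":"3141592653","additionalName":"olduser",
"givenName":"Example Person","interactionStatistic":[
{"@type":"InteractionCounter","name":"Follows","userInteractionCount":42},
{"@type":"InteractionCounter","name":"Friends","userInteractionCount":17}]}}</script>
</head><body>...</body></html>"""


def parse_cdx(raw_json):
    """Turn CDX JSON output (header row + capture rows) into a list of dicts."""
    rows = json.loads(raw_json)
    if not rows:
        return []
    header, captures = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in captures]


def capture_time(cdx_timestamp):
    """CDX timestamps are YYYYMMDDhhmmss in UTC."""
    return datetime.strptime(cdx_timestamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def first_and_last_capture(captures):
    """Earliest and latest capture in the result set (bounds the window a handle was live)."""
    times = sorted(capture_time(c["timestamp"]) for c in captures)
    return times[0], times[-1]


def profile_identity_from_jsonld(html):
    """Pull the persistent numeric user ID, the handle at capture time, the creation
    date and the interaction counts out of an archived profile's JSON-LD block.
    Returns None when the page carries no usable JSON-LD."""
    for block in re.findall(r'<script type="application/ld\+json">(.*?)</script>', html, re.S):
        try:
            data = json.loads(block)
        except json.JSONDecodeError:
            continue
        author = data.get("author", {})
        if "identifier" in author:
            counts = {s["name"]: s["userInteractionCount"]
                      for s in author.get("interactionStatistic", [])}
            return {
                "user_id": author["identifier"],
                "handle_at_capture": author.get("additionalName"),
                "created": data.get("dateCreated"),
                "counts": counts,
            }
    return None


if __name__ == "__main__":
    caps = parse_cdx(SAMPLE_CDX)
    for c in caps:
        print(c["timestamp"], c["statuscode"], c["original"])
    first, last = first_and_last_capture(caps)
    print("captured between", first.isoformat(), "and", last.isoformat())
    print(profile_identity_from_jsonld(SAMPLE_ARCHIVED_HTML))
```

To use it on live data, fetch the CDX URL above with curl, pass the body to parse_cdx, then fetch the archived profile snapshot (web.archive.org/web/<timestamp>/<original>) and pass its HTML to profile_identity_from_jsonld; a user ID that stays constant across captures with different additionalName values is the rename evidence this section describes.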
Alternative Twitter data sources:
- Nitter instances (e.g., nitter.poast.org/USERNAME) show tweets without login
- Syndication API: https://syndication.twitter.com/srv/timeline-profile/screen-name/USERNAME
- Twitter Snowflake IDs encode timestamps: (id >> 22) + 1288834974657 = Unix ms
- memory.lol and twitter.lolarchiver.com track username history
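The Snowflake formula above is worth having as a function rather than a mental calculation, and it runs both ways: an ID gives you a creation time, and a date gives you the smallest ID that date could have produced, which lets you bracket tweet or account IDs by period. This is an added example, not code from the original notes; the split of the low 22 bits into a 10-bit machine field and a 12-bit sequence follows the public Snowflake layout, and the sample ID in the main block is constructed.

```python
from datetime import datetime, timedelta, timezone

# Twitter's Snowflake epoch, the constant used in the formula above (2010-11-04T01:42:54.657Z).
TWITTER_EPOCH_MS = 1288834974657
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def snowflake_to_unix_ms(snowflake_id):
    """The bits above the low 22 are milliseconds since the Twitter epoch."""
    return (int(snowflake_id) >> 22) + TWITTER_EPOCH_MS


def snowflake_to_datetime(snowflake_id):
    """Exact conversion via integer milliseconds (avoids float rounding of fromtimestamp)."""
    return UNIX_EPOCH + timedelta(milliseconds=snowflake_to_unix_ms(snowflake_id))


def snowflake_parts(snowflake_id):
    """Split an ID into its fields per the public Snowflake layout:
    41-bit timestamp, 10-bit machine field (datacenter + worker), 12-bit sequence."""
    sid = int(snowflake_id)
    return {
        "timestamp_ms": snowflake_to_unix_ms(sid),
        "machine": (sid >> 12) & 0x3FF,
        "sequence": sid & 0xFFF,
    }


def snowflake_lower_bound(when):
    """Smallest Snowflake ID that could have been minted at `when` (an aware datetime).
    Useful for bracketing: IDs below this value predate `when`."""
    ms = round(when.timestamp() * 1000)
    return (ms - TWITTER_EPOCH_MS) << 22


if __name__ == "__main__":
    # Constructed sample: 500,000,000,000 ms after the epoch, machine 7, sequence 9.
    sample_id = (500_000_000_000 << 22) | (7 << 12) | 9
    print(sample_id, "->", snowflake_to_datetime(sample_id).isoformat(), snowflake_parts(sample_id))
    # Tweet ID 20 was minted in the first millisecond of the epoch.
    print("tweet 20 ->", snowflake_to_datetime(20).isoformat())
    print("lower bound for 2024-01-01:",
          snowflake_lower_bound(datetime(2024, 1, 1, tzinfo=timezone.utc)))
```

The same decode applies to user IDs created after Snowflake was introduced, which is why a numeric user ID from a forensic artifact also tells you roughly when the account was created.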
Wayback Machine for Twitter:
# Find all archived URLs for a username
# Also check profile images
curl "http://web.archive.org/cdx/search/cdx?url=pbs.twimg.com/profile_images/*&output=json"
# Check t.co shortlinks
curl "http://web.archive.org/cdx/search/cdx?url=t.co/SHORTCODE&output=json"
Tumblr Investigation
Blog existence check:
- curl -sI "https://USERNAME.tumblr.com" → look for x-tumblr-user header (confirms blog exists even if API returns 401)
- Tumblr API may return 401 (Unauthorized) but the blog is still publicly viewable via browser
Extracting post content from Tumblr HTML:
- Tumblr embeds post data as JSON in the page HTML
- Search for "content":[ to find post body data
- Posts contain type: "text" with a text field, and type: "image" with media URLs
- Avatar URL pattern: https://64.media.tumblr.com/HASH/HASH-XX/s512x512u_c1/FILENAME.jpg
Avatar as flag container:
- Direct avatar endpoint: https://api.tumblr.com/v2/blog/USERNAME.tumblr.com/avatar/512
- Or simply: https://USERNAME.tumblr.com/avatar/512 (redirects to CDN URL)
- Available sizes: 16, 24, 30, 40, 48, 64, 96, 128, 512
- Flags may be hidden as small text in avatar images (visual stego, not binary stego)
- Always download the highest resolution (512) and zoom in on all areas
Historical Research
- Scout Life magazine archive: https://scoutlife.org/wayback/
- Library of Congress: https://www.loc.gov/ (newspaper search)
- Use advanced search with date ranges
DNS Reconnaissance
Flags are often in TXT records of subdomains, not the root domain:
dig -t txt subdomain.ctf.domain.com
dig -t any domain.com
dig axfr @ns.domain.com domain.com   # Zone transfer
Google Docs/Sheets in OSINT
- Suspects may link to Google Sheets/Docs in tweets or posts
- Try public access URLs:
  - /export?format=csv (export as CSV)
  - /pub (published version)
  - /gviz/tq?tqx=out:csv (Visualization API CSV export)
  - /htmlview (HTML view)
- Private sheets require authentication; the flag may be in the sheet itself
- Sheet IDs are stable identifiers even if sharing settings change
MGRS (Military Grid Reference System)
Pattern (On The Grid): Encoded coordinates like "4V FH 246 677".
Identification: Challenge title mentions "grid", code format matches MGRS pattern.
Conversion: Use online MGRS converter → lat/long → Google Maps for location name.
FEC Political Donation Research
Pattern (Shell Game): Track organizational donors through FEC filings.
Key resources:
- FEC.gov - committee receipts and expenditures
- 501(c)(4) organizations can donate to Super PACs without disclosing original funders
- Look for the largest organizational donors, then research org leadership (CEO/President)
BlueSky Advanced Search
Pattern (Ms Blue Sky): Find target's posts on BlueSky social media.
Search filters:
from:username       # Posts from specific user
since:2025-01-01    # Date range
has:images          # Posts with images
Reference: https://bsky.social/about/blog/05-31-2024-search
Resources
- Shodan - Internet-connected devices
- Censys - certificate and host search
- VirusTotal - file/URL reputation
- WHOIS - domain registration
- Wayback Machine - historical snapshots
Reverse Image Search
- Google Images (most comprehensive)
- TinEye (exact match)
- Yandex (good for faces, Eastern Europe)
- Bing Visual Search
Username OSINT
- namechk.com - check username across platforms
- whatsmyname.app - username enumeration (741+ sites)
- Search "username" in quotes on major platforms
Username chain tracing (account renames):
- Start with known username → find Wayback archives
- Look for t.co links or cross-references to other usernames in archived pages
- Discovered new username → enumerate across ALL platforms again
- Repeat until you find the platform with the flag
Platform false positives (return 200 but no real profile):
- Telegram (t.me/USER): always returns 200 with a "Contact @USER" page; check for "View" vs "Contact" in the title
- TikTok: returns 200 with "Couldn't find this account" in the body
- Smule: returns 200 with "Not Found" in the page content
- linkin.bio: redirects to the Later.com product page for unclaimed names
- Instagram: returns 200 but shows a login wall (may or may not exist)
Priority platforms for CTF username enumeration:
- Twitter/X, Tumblr, GitHub, Reddit, Bluesky, Mastodon
- Spotify, SoundCloud, Steam, Keybase
- Pastebin, LinkedIn, YouTube, TikTok
- Bio-link services (linktr.ee, bio.link, about.me)
Metadata Extraction
exiftool image.jpg      # EXIF data
pdfinfo document.pdf    # PDF metadata
mediainfo video.mp4     # Video metadata
Google Dorking
site:example.com filetype:pdf
intitle:"index of" password
inurl:admin
"confidential" filetype:doc
Telegram Bot Investigation
Pattern: Forensic artifacts (browser history, chat logs) may reference Telegram bots that require active interaction.
Finding bot references in forensics:
# Search browser history for Telegram URLs
import sqlite3

conn = sqlite3.connect("History")  # Edge/Chrome history DB
cur = conn.cursor()
cur.execute("SELECT url FROM urls WHERE url LIKE '%t.me/%'")
for (url,) in cur.fetchall():
    print(url)
conn.close()
Example: https://t.me/comrade404_bot
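The query above finds the URLs; what you usually also need in a forensic write-up is when each one was visited, and Chrome/Edge store last_visit_time as microseconds since 1601-01-01 UTC (WebKit time), not Unix time. The following is an added example, not code from the original notes: it builds a constructed in-memory stand-in for the History file (only the columns used here, with made-up URLs and timestamps), runs the same t.me/ query, converts the timestamps, and separates bot handles (which Telegram requires to end in "bot") from channels and users.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Seconds between 1601-01-01 (WebKit/Windows epoch) and 1970-01-01 (Unix epoch).
WEBKIT_EPOCH_OFFSET_S = 11644473600
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_unix(webkit_us):
    """Chrome/Edge last_visit_time (microseconds since 1601) -> Unix seconds."""
    return webkit_us // 1_000_000 - WEBKIT_EPOCH_OFFSET_S


def chrome_time_to_datetime(webkit_us):
    return UNIX_EPOCH + timedelta(seconds=chrome_time_to_unix(webkit_us))


def build_sample_history():
    """Constructed stand-in for a copied History file.  The real urls table has more
    columns; only the ones queried here are created, and every row is made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_time INTEGER)"
    )
    rows = [
        ("https://www.bing.com/search?q=how+to+rename+account",
         "how to rename account - Search", 13_000_000_000_000_000),
        ("https://t.me/example_bot", "Telegram: Contact @example_bot", 13_000_000_100_000_000),
        ("https://t.me/example_channel", "Telegram: Contact @example_channel", 13_000_000_200_000_000),
        ("https://example.com/", "Example", 13_000_000_300_000_000),
    ]
    conn.executemany("INSERT INTO urls (url, title, last_visit_time) VALUES (?, ?, ?)", rows)
    return conn


def telegram_references(conn):
    """All t.me/ URLs in visit order, with the visit time converted to UTC ISO format."""
    cur = conn.execute(
        "SELECT url, title, last_visit_time FROM urls "
        "WHERE url LIKE '%t.me/%' ORDER BY last_visit_time"
    )
    return [
        {"url": u, "title": t, "visited": chrome_time_to_datetime(ts).isoformat()}
        for (u, t, ts) in cur.fetchall()
    ]


def telegram_bots(conn):
    """Bot usernames must end in 'bot', so that suffix separates bots from channels/users."""
    return [r["url"] for r in telegram_references(conn)
            if r["url"].rstrip("/").lower().endswith("bot")]


if __name__ == "__main__":
    # For a real case: conn = sqlite3.connect("History") on a copy of the file.
    conn = build_sample_history()
    for ref in telegram_references(conn):
        print(ref["visited"], ref["url"], "|", ref["title"])
    print("bots:", telegram_bots(conn))
    conn.close()
```

Work on a copy of the History file; the live database is locked while the browser runs. The visit times line up with the Security.evtx and MRU evidence the bot's verification questions draw on, so ordering the history by last_visit_time gives you the timeline for answering them.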
Bot interaction workflow:
- Visit https://t.me/<botname> → opens in Telegram
- Start the conversation with /start or the bot's custom command
- Bot may require verification (CTF-style challenges)
- Answers often require knowledge from forensic analysis
Verification question patterns:
- "Which user account did you use for X?" → check browser history, login records
- "Which account was modified?" → check Security.evtx Event 4781 (rename)
- "What file did you access?" → check MRU, Recent files, Shellbags
Example bot flow:
Bot: "TIER 1: Which account used for online search?" → Answer from Edge history showing Bing/Google searches
Bot: "TIER 2: Which account name did you change?" → Answer from Security event log (account rename events)
Bot: [Grants access] "Website: http://x.x.x.x:5000, Username: mehacker, Password: flaghere"
Key insight: Bot responses may reveal:
- Attacker's real identity/handle
- Credentials to secondary systems
- Direct flag components
- Links to hidden web services
MetaCTF OSINT Challenge Patterns
Common flow:
- Start image with hidden EXIF/metadata → extract username
- Username enumeration (Sherlock/WhatsMyName) across platforms
- Find profile on platform X with clues pointing to platform Y
- Flag hidden on the final platform (Spotify bio, BlueSky post, Tumblr avatar, etc.)
Platform-specific flag locations:
- Spotify: playlist names, artist bio
- BlueSky: post content
- Tumblr: avatar image, post text
- Reddit: post/comment content
- Smule: song recordings or bio
- SoundCloud: track description
Key techniques:
- Account rename tracking via Wayback + t.co links
- Cross-platform username correlation
- Visual inspection of all profile images at max resolution
- Song lyric identification → artist/song as flag component
IP Geolocation & Attribution
Free geolocation services:
# IP-API (no key required)
curl "http://ip-api.com/json/103.150.68.150"
# ipinfo.io
curl "https://ipinfo.io/103.150.68.150/json"
Bangladesh IP ranges (common in KCTF):
- 103.150.x.x
- Bangladesh ISPs
- Mobile prefixes: +880 13/14/15/16/17/18/19
Correlating location with evidence:
- Windows telemetry (imprbeacons.dat) contains a CIP field
- Login history APIs may show IP + OS correlation
- VPN/proxy detection via ASN lookup