CTF OSINT
String Identification
- 40 hex chars → SHA-1 (Tor relay fingerprint)
- 64 hex chars → SHA-256
- 32 hex chars → MD5
Tor Relay Lookups
https://metrics.torproject.org/rs.html#simple/<FINGERPRINT>
Check family members and sort by "first seen" date for ordered flags.
Image Analysis
- Discord avatars: screenshot and reverse image search
- Identify objects in images (weapons, equipment) → find character/faction
- No EXIF? Use visual features (buildings, signs, landmarks)
- Visual steganography: flags hidden as tiny/low-contrast text in images (not binary stego)
- Always view images at full resolution and check ALL corners/edges
- Black-on-dark or white-on-light text, progressively smaller fonts
- Profile pictures/avatars are common hiding spots
- Twitter strips EXIF on upload: don't waste time on stego for Twitter-served images
- Tumblr preserves more metadata in avatars than in post images
Geolocation Techniques
- Railroad crossing signs: white X with red border = Canada
- Use infrastructure maps:
  - Open Infrastructure Map - power lines
  - OpenRailwayMap - rail tracks
  - High-voltage transmission line maps
- Process of elimination: narrow by country first, then region
- Cross-reference multiple features (rail + power lines + mountains)
- MGRS coordinates: grid-based military system (e.g., "4V FH 246 677") → convert with an online MGRS converter
Social Media OSINT
- Check the Wayback Machine for deleted posts on Bluesky, Twitter, etc.
- Unlisted YouTube videos may be linked in deleted posts
- Bio links lead to itch.io, personal sites with more info
- Search "username" (with quotes) in platform-specific searches
- Challenge titles are often hints (e.g., "Linked Traces" → LinkedIn / linked accounts)
Twitter/X Account Tracking
Persistent numeric User ID (key technique):
- Every Twitter/X account has a permanent numeric ID that never changes
- Access any account by ID: https://x.com/i/user/<numeric_id> (works even after username changes)
- Find the user ID in archived pages (JSON-LD "author":{"identifier":"..."})
- Useful when the username has been deleted/changed but you have the ID from forensic artifacts
Username rename detection:
- Twitter User IDs persist across username changes; t.co shortlinks point to OLD usernames
- Wayback CDX API to find archived profiles: http://web.archive.org/cdx/search/cdx?url=twitter.com/USERNAME*&output=json
- Archived pages contain JSON-LD with user ID, creation date, follower/following counts
- t.co links in archived tweets reveal previous usernames (the redirect URL contains the username at time of posting)
- Same tweet ID accessible under different usernames = confirmed rename
Alternative Twitter data sources:
- Nitter instances (e.g., nitter.poast.org/USERNAME) show tweets without login
- Syndication API: https://syndication.twitter.com/srv/timeline-profile/screen-name/USERNAME
- Twitter Snowflake IDs encode timestamps: (id >> 22) + 1288834974657 = Unix ms
- memory.lol and twitter.lolarchiver.com track username history
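Added example, not part of the original notes: the JSON-LD lookup and the Snowflake formula from the bullets above in Python. The archived-profile HTML below is constructed to mirror the "author":{"identifier":...} shape, and the user ID and dates in it are constructed values.

```python
import json
import re
from datetime import datetime, timezone

TWITTER_EPOCH_MS = 1288834974657  # Snowflake epoch, 2010-11-04T01:42:54.657Z

# Constructed stand-in for an archived profile page. Only the JSON-LD block
# matters; its shape follows the "author":{"identifier":...} pattern above.
ARCHIVED_PROFILE_HTML = """<html><head><title>Example (@old_handle)</title>
<script type="application/ld+json">{"@context":"https://schema.org",
"@type":"ProfilePage","dateCreated":"2019-03-02T13:15:00.000Z",
"author":{"@type":"Person","identifier":"1101833281336258617",
"additionalName":"old_handle","name":"Example Person"}}</script>
</head><body>...</body></html>"""

_LD_RE = re.compile(r'<script type="application/ld\+json">(.*?)</script>', re.S)


def extract_profile_ids(html):
    """(numeric user id, handle at capture time, dateCreated) from the JSON-LD
    block of an archived profile page, or None if the page has no such block."""
    m = _LD_RE.search(html)
    if not m:
        return None
    data = json.loads(m.group(1))
    author = data.get("author", {})
    return author.get("identifier"), author.get("additionalName"), data.get("dateCreated")


def permalink_by_id(user_id):
    """Username-independent profile URL, in the /i/user/ form noted above."""
    return f"https://x.com/i/user/{user_id}"


def snowflake_to_ms(snowflake):
    """Unix ms encoded in a Snowflake ID; the low 22 bits are worker/sequence
    counters and carry no time information."""
    return (int(snowflake) >> 22) + TWITTER_EPOCH_MS


def snowflake_to_utc(snowflake):
    return datetime.fromtimestamp(snowflake_to_ms(snowflake) / 1000, tz=timezone.utc)


if __name__ == "__main__":
    uid, handle, created = extract_profile_ids(ARCHIVED_PROFILE_HTML)
    print(uid, handle, created, permalink_by_id(uid))
    # User IDs of newer accounts are Snowflakes too, so creation time falls out of the ID
    print(snowflake_to_utc(uid).isoformat())
```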
Wayback Machine for Twitter:
```bash
# Find all archived URLs for a username
curl "http://web.archive.org/cdx/search/cdx?url=twitter.com/USERNAME*&output=json&fl=timestamp,original,statuscode"
# Also check profile images
curl "http://web.archive.org/cdx/search/cdx?url=pbs.twimg.com/profile_images/*&output=json"
# Check t.co shortlinks
curl "http://web.archive.org/cdx/search/cdx?url=t.co/SHORTCODE&output=json"
```
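Added example, not from the original notes: parsing CDX rows of the shape the first curl above returns (a header row, then one row per capture) to build a per-handle capture timeline and to spot tweet IDs archived under two different handles, the rename signal described above. The CDX rows and handles are constructed.

```python
import json
import re
from collections import defaultdict

# Constructed CDX response in the shape the cdx endpoint returns for
# &output=json&fl=timestamp,original,statuscode: a header row, then captures.
CDX_JSON = json.dumps([
    ["timestamp", "original", "statuscode"],
    ["20190105120000", "https://twitter.com/old_handle", "200"],
    ["20190210083000", "https://twitter.com/old_handle/status/1094000000000000000", "200"],
    ["20200301090000", "https://twitter.com/new_handle", "200"],
    ["20200315101500", "https://twitter.com/new_handle/status/1094000000000000000", "200"],
    ["20200316101500", "https://twitter.com/unrelated_user/status/1239000000000000000", "200"],
    ["20200401000000", "https://twitter.com/old_handle", "404"],
])

# Profile root or a single status URL; query strings and other paths are ignored.
_PATH_RE = re.compile(
    r"^https?://(?:www\.|mobile\.)?(?:twitter|x)\.com/([A-Za-z0-9_]{1,15})(?:/status/(\d+))?/?$")


def parse_cdx(raw):
    """Turn the header-plus-rows JSON into a list of dicts."""
    rows = json.loads(raw)
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body]


def _ok_matches(captures):
    for c in captures:
        if c["statuscode"] != "200":  # a 404 capture says nothing about ownership
            continue
        m = _PATH_RE.match(c["original"])
        if m:
            yield c["timestamp"], m.group(1).lower(), m.group(2)


def capture_timeline(captures):
    """Earliest and latest successful capture per handle (CDX timestamps sort lexically)."""
    seen = {}
    for ts, handle, _ in _ok_matches(captures):
        first, last = seen.get(handle, (ts, ts))
        seen[handle] = (min(first, ts), max(last, ts))
    return seen


def shared_status_ids(captures):
    """Tweet IDs captured under more than one handle: the rename signal noted above."""
    by_status = defaultdict(set)
    for _, handle, status_id in _ok_matches(captures):
        if status_id:
            by_status[status_id].add(handle)
    return {sid: sorted(h) for sid, h in by_status.items() if len(h) > 1}
```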
Tumblr Investigation
Blog existence check:
- curl -sI "https://USERNAME.tumblr.com" → look for the x-tumblr-user header (confirms the blog exists even if the API returns 401)
- The Tumblr API may return 401 (Unauthorized) while the blog is still publicly viewable in a browser
Extracting post content from Tumblr HTML:
- Tumblr embeds post data as JSON in the page HTML
- Search for "content":[ to find post body data
- Posts contain type: "text" with a text field, and type: "image" with media URLs
- Avatar URL pattern: https://64.media.tumblr.com/HASH/HASH-XX/s512x512u_c1/FILENAME.jpg
Avatar as flag container:
- Direct avatar endpoint: https://api.tumblr.com/v2/blog/USERNAME.tumblr.com/avatar/512
- Or simply: https://USERNAME.tumblr.com/avatar/512 (redirects to the CDN URL)
- Available sizes: 16, 24, 30, 40, 48, 64, 96, 128, 512
- Flags may be hidden as small text in avatar images (visual stego, not binary stego)
- Always download the highest resolution (512) and zoom in on all areas
Historical Research
- Scout Life magazine archive: https://scoutlife.org/wayback/
- Library of Congress: https://www.loc.gov/ (newspaper search)
- Use advanced search with date ranges
DNS Reconnaissance
Flags are often in TXT records of subdomains, not the root domain:
```bash
dig -t txt subdomain.ctf.domain.com   # TXT record of a specific subdomain
dig -t any domain.com                 # all record types (many resolvers refuse ANY)
dig axfr @ns.domain.com domain.com    # zone transfer
```
Google Docs/Sheets in OSINT
- Suspects may link to Google Sheets/Docs in tweets or posts
- Try public access URLs (paths appended after the document ID):
  - /export?format=csv - export as CSV
  - /pub - published version
  - /gviz/tq?tqx=out:csv - Visualization API CSV export
  - /htmlview - HTML view
- Private sheets require authentication; the flag may be in the sheet itself
- Sheet IDs are stable identifiers even if sharing settings change
MGRS (Military Grid Reference System)
Pattern (On The Grid): Encoded coordinates like "4V FH 246 677".
Identification: Challenge title mentions "grid", code format matches MGRS pattern.
Conversion: Use online MGRS converter → lat/long → Google Maps for location name.
FEC Political Donation Research
Pattern (Shell Game): Track organizational donors through FEC filings.
Key resources:
- FEC.gov - committee receipts and expenditures
- 501(c)(4) organizations can donate to Super PACs without disclosing original funders
- Look for the largest organizational donors, then research the org's leadership (CEO/President)
BlueSky Advanced Search
Pattern (Ms Blue Sky): Find target's posts on BlueSky social media.
Search filters:
```text
from:username       # posts from a specific user
since:2025-01-01    # date range
has:images          # posts with images
```
Reference: https://bsky.social/about/blog/05-31-2024-search
Resources
- Shodan - Internet-connected devices
- Censys - certificate and host search
- VirusTotal - file/URL reputation
- WHOIS - domain registration
- Wayback Machine - historical snapshots
Reverse Image Search
- Google Images (most comprehensive)
- TinEye (exact match)
- Yandex (good for faces, Eastern Europe)
- Bing Visual Search
Username OSINT
- namechk.com - check a username across platforms
- whatsmyname.app - username enumeration (741+ sites)
- Search "username" (in quotes) on major platforms
Username chain tracing (account renames):
- Start with the known username → find Wayback archives
- Look for t.co links or cross-references to other usernames in archived pages
- Discovered a new username → enumerate across ALL platforms again
- Repeat until you find the platform with the flag
Platform false positives (return 200 but no real profile):
- Telegram (t.me/USER): always returns 200 with a "Contact @USER" page; check for "View" vs "Contact" in the title
- TikTok: returns 200 with "Couldn't find this account" in the body
- Smule: returns 200 with "Not Found" in the page content
- linkin.bio: redirects to the Later.com product page for unclaimed names
- Instagram: returns 200 but shows a login wall (account may or may not exist)
Priority platforms for CTF username enumeration:
- Twitter/X, Tumblr, GitHub, Reddit, Bluesky, Mastodon
- Spotify, SoundCloud, Steam, Keybase
- Pastebin, LinkedIn, YouTube, TikTok
- Bio-link services (linktr.ee, bio.link, about.me)
Metadata Extraction
```bash
exiftool image.jpg     # EXIF data
pdfinfo document.pdf   # PDF metadata
mediainfo video.mp4    # video metadata
```
Google Dorking
```text
site:example.com filetype:pdf
intitle:"index of" password
inurl:admin
"confidential" filetype:doc
```
Telegram Bot Investigation
Pattern: Forensic artifacts (browser history, chat logs) may reference Telegram bots that require active interaction.
Finding bot references in forensics:
```python
# Search browser history for Telegram URLs
import sqlite3

# Work on a copy of the History file: the live DB is locked while the browser runs
conn = sqlite3.connect("History")  # Edge/Chrome history DB
cur = conn.cursor()
cur.execute("SELECT url FROM urls WHERE url LIKE '%t.me/%'")
for (url,) in cur.fetchall():
    print(url)  # Example: https://t.me/comrade404_bot
conn.close()
```
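Added example, not the original snippet: the same History query run against a constructed in-memory copy of the urls table, with Chrome/Edge's last_visit_time converted from WebKit time (microseconds since 1601-01-01 UTC) to an ISO timestamp, so a t.me visit can be placed on the incident timeline. The URLs, titles and times are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/Edge store urls.last_visit_time as WebKit time: microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(us):
    return WEBKIT_EPOCH + timedelta(microseconds=int(us))


def utc_to_webkit(dt):
    # Integer division keeps full precision (values exceed 2**53 for recent dates)
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """Constructed in-memory stand-in for a Chrome/Edge History database, with only
    the urls columns this query needs. Real work uses a copy of the History file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, last_visit_time INTEGER)")
    rows = [  # constructed entries
        ("https://www.bing.com/search?q=example", "example - Bing", 3,
         utc_to_webkit(datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc))),
        ("https://t.me/example_bot", "Telegram: Contact @example_bot", 1,
         utc_to_webkit(datetime(2024, 5, 1, 9, 41, 5, tzinfo=timezone.utc))),
        ("https://t.me/some_channel", "Telegram: View @some_channel", 2,
         utc_to_webkit(datetime(2024, 5, 2, 14, 0, tzinfo=timezone.utc))),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)", rows)
    return conn


def telegram_visits(conn):
    """t.me URLs with title, visit count and last visit as ISO-8601 UTC, newest first."""
    cur = conn.execute("SELECT url, title, visit_count, last_visit_time FROM urls "
                       "WHERE url LIKE '%t.me/%' ORDER BY last_visit_time DESC")
    return [(url, title, count, webkit_to_utc(ts).isoformat()) for url, title, count, ts in cur]


if __name__ == "__main__":
    for row in telegram_visits(build_sample_history()):
        print(*row)
```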
Bot interaction workflow:
- Visit https://t.me/<botname> → opens in Telegram
- Start the conversation with /start or the bot's custom command
- Bot may require verification (CTF-style challenges)
- Answers often require knowledge from forensic analysis
Verification question patterns:
- "Which user account did you use for X?" → check browser history, login records
- "Which account was modified?" → check Security.evtx Event 4781 (account rename)
- "What file did you access?" → check MRU, Recent files, Shellbags
Example bot flow:
```text
Bot: "TIER 1: Which account used for online search?"
  → Answer from Edge history showing Bing/Google searches
Bot: "TIER 2: Which account name did you change?"
  → Answer from Security event log (account rename events)
Bot: [Grants access] "Website: http://x.x.x.x:5000, Username: mehacker, Password: flaghere"
```
Key insight: Bot responses may reveal:
- Attacker's real identity/handle
- Credentials to secondary systems
- Direct flag components
- Links to hidden web services
MetaCTF OSINT Challenge Patterns
Common flow:
- Start image with hidden EXIF/metadata → extract username
- Username enumeration (Sherlock/WhatsMyName) across platforms
- Find profile on platform X with clues pointing to platform Y
- Flag hidden on the final platform (Spotify bio, BlueSky post, Tumblr avatar, etc.)
Platform-specific flag locations:
- Spotify: playlist names, artist bio
- BlueSky: post content
- Tumblr: avatar image, post text
- Reddit: post/comment content
- Smule: song recordings or bio
- SoundCloud: track description
Key techniques:
- Account rename tracking via Wayback + t.co links
- Cross-platform username correlation
- Visual inspection of all profile images at max resolution
- Song lyric identification → artist/song as flag component
IP Geolocation & Attribution
Free geolocation services:
```bash
# IP-API (no key required)
curl "http://ip-api.com/json/103.150.68.150"
# ipinfo.io
curl "https://ipinfo.io/103.150.68.150/json"
```
Bangladesh IP ranges (common in KCTF):
- 103.150.x.x - Bangladesh ISPs
- Mobile prefixes: +880 13/14/15/16/17/18/19
Correlating location with evidence:
- Windows telemetry (imprbeacons.dat) contains a CIP field
- Login history APIs may show IP + OS correlation
- VPN/proxy detection via ASN lookup