CTF OSINT

String Identification

• 40 hex chars → SHA-1 (Tor fingerprint)
• 64 hex chars → SHA-256
• 32 hex chars → MD5

Tor Relay Lookups

https://metrics.torproject.org/rs.html#simple/<FINGERPRINT>

Check family members and sort by "first seen" date for ordered flags.

Image Analysis

• Discord avatars: Screenshot and reverse image search
• Identify objects in images (weapons, equipment) → find character/faction
• No EXIF? Use visual features (buildings, signs, landmarks)
• Visual steganography: Flags hidden as tiny/low-contrast text in images (not binary stego)
  • Always view images at full resolution and check ALL corners/edges
  • Black-on-dark or white-on-light text, progressively smaller fonts
  • Profile pictures/avatars are common hiding spots
• Twitter strips EXIF on upload - don't waste time on stego for Twitter-served images
• Tumblr preserves more metadata in avatars than in post images

Geolocation Techniques

• Railroad crossing signs: white X with red border = Canada
• Use infrastructure maps:
  • Open Infrastructure Map - power lines
  • OpenRailwayMap - rail tracks
  • High-voltage transmission line maps
• Process of elimination: narrow by country first, then region
• Cross-reference multiple features (rail + power lines + mountains)
• MGRS coordinates: grid-based military system (e.g., "4V FH 246 677") → convert online

Social Media OSINT

• Check Wayback Machine for deleted posts on Bluesky, Twitter, etc.
• Unlisted YouTube videos may be linked in deleted posts
• Bio links lead to itch.io, personal sites with more info
• Search "username" with quotes on platform-specific searches
• Challenge titles are often hints (e.g., "Linked Traces" → LinkedIn / linked accounts)

Twitter/X Account Tracking

Persistent numeric User ID (key technique):

• Every Twitter/X account has a permanent numeric ID that never changes
• Access any account by ID: https://x.com/i/user/<numeric_id> — works even after username changes
• Find user ID from archived pages (JSON-LD "author":{"identifier":"..."})
• Useful when username is deleted/changed but you have the ID from forensic artifacts

Username rename detection:

• Twitter User IDs persist across username changes; t.co shortlinks point to OLD usernames
• Wayback CDX API to find archived profiles: http://web.archive.org/cdx/search/cdx?url=twitter.com/USERNAME*&output=json
• Archived pages contain JSON-LD with user ID, creation date, follower/following counts
• t.co links in archived tweets reveal previous usernames (the redirect URL contains the username at time of posting)
• Same tweet ID accessible under different usernames = confirmed rename

Alternative Twitter data sources:

• Nitter instances (e.g., nitter.poast.org/USERNAME) show tweets without login
• Syndication API: https://syndication.twitter.com/srv/timeline-profile/screen-name/USERNAME
• Twitter Snowflake IDs encode timestamps: (id >> 22) + 1288834974657 = Unix ms
• memory.lol and twitter.lolarchiver.com track username history

Wayback Machine for Twitter:

# Find all archived URLs for a username
curl "http://web.archive.org/cdx/search/cdx?url=twitter.com/USERNAME*&output=json&fl=timestamp,original,statuscode"

# Also check profile images
curl "http://web.archive.org/cdx/search/cdx?url=pbs.twimg.com/profile_images/*&output=json"

# Check t.co shortlinks
curl "http://web.archive.org/cdx/search/cdx?url=t.co/SHORTCODE&output=json"

Tumblr Investigation

Blog existence check:

• curl -sI "https://USERNAME.tumblr.com" → look for x-tumblr-user header (confirms blog exists even if API returns 401)
• Tumblr API may return 401 (Unauthorized) but the blog is still publicly viewable via browser

Extracting post content from Tumblr HTML:

• Tumblr embeds post data as JSON in the page HTML
• Search for "content":[ to find post body data
• Posts contain type: "text" with text field, and type: "image" with media URLs
• Avatar URL pattern: https://64.media.tumblr.com/HASH/HASH-XX/s512x512u_c1/FILENAME.jpg

Avatar as flag container:

• Direct avatar endpoint: https://api.tumblr.com/v2/blog/USERNAME.tumblr.com/avatar/512
• Or simply: https://USERNAME.tumblr.com/avatar/512 (redirects to CDN URL)
• Available sizes: 16, 24, 30, 40, 48, 64, 96, 128, 512
• Flags may be hidden as small text in avatar images (visual stego, not binary stego)
• Always download highest resolution (512) and zoom in on all areas

Historical Research

• Scout Life magazine archive: https://scoutlife.org/wayback/
• Library of Congress: https://www.loc.gov/ (newspaper search)
• Use advanced search with date ranges

DNS Reconnaissance

Flags often in TXT records of subdomains, not root domain:

dig -t txt subdomain.ctf.domain.com
dig -t any domain.com
dig axfr @ns.domain.com domain.com  # Zone transfer

Google Docs/Sheets in OSINT

• Suspects may link to Google Sheets/Docs in tweets or posts
• Try public access URLs:
  • /export?format=csv - Export as CSV
  • /pub - Published version
  • /gviz/tq?tqx=out:csv - Visualization API CSV export
  • /htmlview - HTML view
• Private sheets require authentication; flag may be in the sheet itself
• Sheet IDs are stable identifiers even if sharing settings change

MGRS (Military Grid Reference System)

Pattern (On The Grid): Encoded coordinates like "4V FH 246 677".

Identification: Challenge title mentions "grid", code format matches MGRS pattern.

Conversion: Use online MGRS converter → lat/long → Google Maps for location name.

FEC Political Donation Research

Pattern (Shell Game): Track organizational donors through FEC filings.

Key resources:

• FEC.gov - Committee receipts and expenditures
• 501(c)(4) organizations can donate to Super PACs without disclosing original funders
• Look for largest organizational donors, then research org leadership (CEO/President)

BlueSky Advanced Search

Pattern (Ms Blue Sky): Find target's posts on BlueSky social media.

Search filters:

from:username        # Posts from specific user
since:2025-01-01     # Date range
has:images           # Posts with images

Reference: https://bsky.social/about/blog/05-31-2024-search

Resources

• Shodan - Internet-connected devices
• Censys - Certificate and host search
• VirusTotal - File/URL reputation
• WHOIS - Domain registration
• Wayback Machine - Historical snapshots

Reverse Image Search

• Google Images (most comprehensive)
• TinEye (exact match)
• Yandex (good for faces, Eastern Europe)
• Bing Visual Search

Username OSINT

• namechk.com - Check username across platforms
• whatsmyname.app - Username enumeration (741+ sites)
• Search "username" in quotes on major platforms

Username chain tracing (account renames):

1. Start with known username → find Wayback archives
2. Look for t.co links or cross-references to other usernames in archived pages
3. Discovered new username → enumerate across ALL platforms again
4. Repeat until you find the platform with the flag

Platform false positives (return 200 but no real profile):

• Telegram (t.me/USER): Always returns 200 with "Contact @USER" page; check for "View" vs "Contact" in title
• TikTok: Returns 200 with "Couldn't find this account" in body
• Smule: Returns 200 with "Not Found" in page content
• linkin.bio: Redirects to Later.com product page for unclaimed names
• Instagram: Returns 200 but shows login wall (may or may not exist)

Priority platforms for CTF username enumeration:

• Twitter/X, Tumblr, GitHub, Reddit, Bluesky, Mastodon
• Spotify, SoundCloud, Steam, Keybase
• Pastebin, LinkedIn, YouTube, TikTok
• bio-link services (linktr.ee, bio.link, about.me)

Metadata Extraction

exiftool image.jpg           # EXIF data
pdfinfo document.pdf         # PDF metadata
mediainfo video.mp4          # Video metadata

Google Dorking

site:example.com filetype:pdf
intitle:"index of" password
inurl:admin
"confidential" filetype:doc

Telegram Bot Investigation

Pattern: Forensic artifacts (browser history, chat logs) may reference Telegram bots that require active interaction.

Finding bot references in forensics:

# Search browser history for Telegram URLs
import sqlite3
conn = sqlite3.connect("History")  # Edge/Chrome history DB
cur = conn.cursor()
cur.execute("SELECT url FROM urls WHERE url LIKE '%t.me/%'")
# Example: https://t.me/comrade404_bot

Bot interaction workflow:

1. Visit https://t.me/<botname> → Opens in Telegram
2. Start conversation with /start or bot's custom command
3. Bot may require verification (CTF-style challenges)
4. Answers often require knowledge from forensic analysis

Verification question patterns:

• "Which user account did you use for X?" → Check browser history, login records
• "Which account was modified?" → Check Security.evtx Event 4781 (rename)
• "What file did you access?" → Check MRU, Recent files, Shellbags

Example bot flow:

Bot: "TIER 1: Which account used for online search?"
→ Answer from Edge history showing Bing/Google searches

Bot: "TIER 2: Which account name did you change?"
→ Answer from Security event log (account rename events)

Bot: [Grants access] "Website: http://x.x.x.x:5000, Username: mehacker, Password: flaghere"

Key insight: Bot responses may reveal:

• Attacker's real identity/handle
• Credentials to secondary systems
• Direct flag components
• Links to hidden web services

MetaCTF OSINT Challenge Patterns

Common flow:

1. Start image with hidden EXIF/metadata → extract username
2. Username enumeration (Sherlock/WhatsMyName) across platforms
3. Find profile on platform X with clues pointing to platform Y
4. Flag hidden on the final platform (Spotify bio, BlueSky post, Tumblr avatar, etc.)

Platform-specific flag locations:

• Spotify: playlist names, artist bio
• BlueSky: post content
• Tumblr: avatar image, post text
• Reddit: post/comment content
• Smule: song recordings or bio
• SoundCloud: track description

Key techniques:

• Account rename tracking via Wayback + t.co links
• Cross-platform username correlation
• Visual inspection of all profile images at max resolution
• Song lyric identification → artist/song as flag component

IP Geolocation & Attribution

Free geolocation services:

# IP-API (no key required)
curl "http://ip-api.com/json/103.150.68.150"

# ipinfo.io
curl "https://ipinfo.io/103.150.68.150/json"

Bangladesh IP ranges (common in KCTF):

• 103.150.x.x - Bangladesh ISPs
• Mobile prefixes: +880 13/14/15/16/17/18/19

Correlating location with evidence:

• Windows telemetry (imprbeacons.dat) contains CIP field
• Login history APIs may show IP + OS correlation
• VPN/proxy detection via ASN lookup