CTF OSINT

String Identification

40 hex chars → SHA-1 (Tor fingerprint)
64 hex chars → SHA-256
32 hex chars → MD5

Tor Relay Lookups

https://metrics.torproject.org/rs.html#simple/<FINGERPRINT>

Check family members and sort by "first seen" date for ordered flags.

Image Analysis

Discord avatars: Screenshot and reverse image search
Identify objects in images (weapons, equipment) → find character/faction
No EXIF? Use visual features (buildings, signs, landmarks)
Visual steganography: Flags hidden as tiny/low-contrast text in images (not binary stego)
- Always view images at full resolution and check ALL corners/edges
- Black-on-dark or white-on-light text, progressively smaller fonts
- Profile pictures/avatars are common hiding spots
Twitter strips EXIF on upload - don't waste time on stego for Twitter-served images
Tumblr preserves more metadata in avatars than in post images

Geolocation Techniques

Railroad crossing signs: white X with red border = Canada
Use infrastructure maps:
- Open Infrastructure Map - power lines
- OpenRailwayMap - rail tracks
- High-voltage transmission line maps
Process of elimination: narrow by country first, then region
Cross-reference multiple features (rail + power lines + mountains)
MGRS coordinates: grid-based military system (e.g., "4V FH 246 677") → convert online

Social Media OSINT

Check Wayback Machine for deleted posts on Bluesky, Twitter, etc.
Unlisted YouTube videos may be linked in deleted posts
Bio links lead to itch.io, personal sites with more info
Search "username" with quotes on platform-specific searches
Challenge titles are often hints (e.g., "Linked Traces" → LinkedIn / linked accounts)

Twitter/X Account Tracking

Persistent numeric User ID (key technique):

Every Twitter/X account has a permanent numeric ID that never changes
Access any account by ID: https://x.com/i/user/<numeric_id> — works even after username changes
Find user ID from archived pages (JSON-LD "author":{"identifier":"..."})
Useful when username is deleted/changed but you have the ID from forensic artifacts

Username rename detection:

Twitter User IDs persist across username changes; t.co shortlinks point to OLD usernames
Wayback CDX API to find archived profiles: http://web.archive.org/cdx/search/cdx?url=twitter.com/USERNAME*&output=json
Archived pages contain JSON-LD with user ID, creation date, follower/following counts
t.co links in archived tweets reveal previous usernames (the redirect URL contains the username at time of posting)
Same tweet ID accessible under different usernames = confirmed rename

Alternative Twitter data sources:

Nitter instances (e.g., nitter.poast.org/USERNAME) show tweets without login
Syndication API: https://syndication.twitter.com/srv/timeline-profile/screen-name/USERNAME
Twitter Snowflake IDs encode timestamps: (id >> 22) + 1288834974657 = Unix ms
memory.lol and twitter.lolarchiver.com track username history

Wayback Machine for Twitter:

# Find all archived URLs for a username
curl "http://web.archive.org/cdx/search/cdx?url=twitter.com/USERNAME*&output=json&fl=timestamp,original,statuscode"

# Also check profile images
curl "http://web.archive.org/cdx/search/cdx?url=pbs.twimg.com/profile_images/*&output=json"

# Check t.co shortlinks
curl "http://web.archive.org/cdx/search/cdx?url=t.co/SHORTCODE&output=json"

Tumblr Investigation

Blog existence check:

curl -sI "https://USERNAME.tumblr.com" → look for x-tumblr-user header (confirms blog exists even if API returns 401)
Tumblr API may return 401 (Unauthorized) but the blog is still publicly viewable via browser

Extracting post content from Tumblr HTML:

Tumblr embeds post data as JSON in the page HTML
Search for "content":[ to find post body data
Posts contain type: "text" with text field, and type: "image" with media URLs
Avatar URL pattern: https://64.media.tumblr.com/HASH/HASH-XX/s512x512u_c1/FILENAME.jpg

Avatar as flag container:

Direct avatar endpoint: https://api.tumblr.com/v2/blog/USERNAME.tumblr.com/avatar/512
Or simply: https://USERNAME.tumblr.com/avatar/512 (redirects to CDN URL)
Available sizes: 16, 24, 30, 40, 48, 64, 96, 128, 512
Flags may be hidden as small text in avatar images (visual stego, not binary stego)
Always download highest resolution (512) and zoom in on all areas

Historical Research

Scout Life magazine archive: https://scoutlife.org/wayback/
Library of Congress: https://www.loc.gov/ (newspaper search)
Use advanced search with date ranges

DNS Reconnaissance

Flags often in TXT records of subdomains, not root domain:

dig -t txt subdomain.ctf.domain.com
dig -t any domain.com
dig axfr @ns.domain.com domain.com  # Zone transfer

Google Docs/Sheets in OSINT

Suspects may link to Google Sheets/Docs in tweets or posts
Try public access URLs:
- /export?format=csv - Export as CSV
- /pub - Published version
- /gviz/tq?tqx=out:csv - Visualization API CSV export
- /htmlview - HTML view
Private sheets require authentication; flag may be in the sheet itself
Sheet IDs are stable identifiers even if sharing settings change

MGRS (Military Grid Reference System)

Pattern (On The Grid): Encoded coordinates like "4V FH 246 677".

Identification: Challenge title mentions "grid", code format matches MGRS pattern.

Conversion: Use online MGRS converter → lat/long → Google Maps for location name.

FEC Political Donation Research

Pattern (Shell Game): Track organizational donors through FEC filings.

Key resources:

FEC.gov - Committee receipts and expenditures
501(c)(4) organizations can donate to Super PACs without disclosing original funders
Look for largest organizational donors, then research org leadership (CEO/President)

BlueSky Advanced Search

Pattern (Ms Blue Sky): Find target's posts on BlueSky social media.

Search filters:

from:username        # Posts from specific user
since:2025-01-01     # Date range
has:images           # Posts with images

Reference: https://bsky.social/about/blog/05-31-2024-search

Resources

Shodan - Internet-connected devices
Censys - Certificate and host search
VirusTotal - File/URL reputation
WHOIS - Domain registration
Wayback Machine - Historical snapshots

Reverse Image Search

Google Images (most comprehensive)
TinEye (exact match)
Yandex (good for faces, Eastern Europe)
Bing Visual Search

Username OSINT

namechk.com - Check username across platforms
whatsmyname.app - Username enumeration (741+ sites)
Search "username" in quotes on major platforms

Username chain tracing (account renames):

Start with known username → find Wayback archives
Look for t.co links or cross-references to other usernames in archived pages
Discovered new username → enumerate across ALL platforms again
Repeat until you find the platform with the flag

Platform false positives (return 200 but no real profile):

Telegram (t.me/USER): Always returns 200 with "Contact @USER" page; check for "View" vs "Contact" in title
TikTok: Returns 200 with "Couldn't find this account" in body
Smule: Returns 200 with "Not Found" in page content
linkin.bio: Redirects to Later.com product page for unclaimed names
Instagram: Returns 200 but shows login wall (may or may not exist)

Priority platforms for CTF username enumeration:

Twitter/X, Tumblr, GitHub, Reddit, Bluesky, Mastodon
Spotify, SoundCloud, Steam, Keybase
Pastebin, LinkedIn, YouTube, TikTok
bio-link services (linktr.ee, bio.link, about.me)

Metadata Extraction

exiftool image.jpg           # EXIF data
pdfinfo document.pdf         # PDF metadata
mediainfo video.mp4          # Video metadata

Google Dorking

site:example.com filetype:pdf
intitle:"index of" password
inurl:admin
"confidential" filetype:doc

Telegram Bot Investigation

Pattern: Forensic artifacts (browser history, chat logs) may reference Telegram bots that require active interaction.

Finding bot references in forensics:

# Search browser history for Telegram URLs
import sqlite3
conn = sqlite3.connect("History")  # Edge/Chrome history DB
cur = conn.cursor()
cur.execute("SELECT url FROM urls WHERE url LIKE '%t.me/%'")
# Example: https://t.me/comrade404_bot

Bot interaction workflow:

Visit https://t.me/<botname> → Opens in Telegram
Start conversation with /start or bot's custom command
Bot may require verification (CTF-style challenges)
Answers often require knowledge from forensic analysis

Verification question patterns:

"Which user account did you use for X?" → Check browser history, login records
"Which account was modified?" → Check Security.evtx Event 4781 (rename)
"What file did you access?" → Check MRU, Recent files, Shellbags

Example bot flow:

Bot: "TIER 1: Which account used for online search?"
→ Answer from Edge history showing Bing/Google searches

Bot: "TIER 2: Which account name did you change?"
→ Answer from Security event log (account rename events)

Bot: [Grants access] "Website: http://x.x.x.x:5000, Username: mehacker, Password: flaghere"

Key insight: Bot responses may reveal:

Attacker's real identity/handle
Credentials to secondary systems
Direct flag components
Links to hidden web services

MetaCTF OSINT Challenge Patterns

Common flow:

Start image with hidden EXIF/metadata → extract username
Username enumeration (Sherlock/WhatsMyName) across platforms
Find profile on platform X with clues pointing to platform Y
Flag hidden on the final platform (Spotify bio, BlueSky post, Tumblr avatar, etc.)

Platform-specific flag locations:

Spotify: playlist names, artist bio
BlueSky: post content
Tumblr: avatar image, post text
Reddit: post/comment content
Smule: song recordings or bio
SoundCloud: track description

Key techniques:

Account rename tracking via Wayback + t.co links
Cross-platform username correlation
Visual inspection of all profile images at max resolution
Song lyric identification → artist/song as flag component

IP Geolocation & Attribution

Free geolocation services:

# IP-API (no key required)
curl "http://ip-api.com/json/103.150.68.150"

# ipinfo.io
curl "https://ipinfo.io/103.150.68.150/json"

Bangladesh IP ranges (common in KCTF):

103.150.x.x - Bangladesh ISPs
Mobile prefixes: +880 13/14/15/16/17/18/19

Correlating location with evidence:

Windows telemetry (imprbeacons.dat) contains CIP field
Login history APIs may show IP + OS correlation
VPN/proxy detection via ASN lookup

ctf-osint