CTF OSINT
Quick reference for OSINT CTF challenges. Each technique has a one-liner here; see supporting files for full details.
Additional Resources
- social-media.md - Twitter/X (user IDs, Snowflake timestamps, Nitter, memory.lol, Wayback CDX), Tumblr (blog checks, post JSON, avatars), BlueSky search + API, Unicode homoglyph steganography, Discord API, username OSINT (namechk, whatsmyname, Osint Industries), username metadata mining (postal codes), platform false positives, multi-platform chains, Strava fitness route OSINT
- geolocation-and-media.md - Image analysis, reverse image search (including Baidu for China), Google Lens cropped region search, reflected/mirrored text reading, geolocation techniques (railroad signs, infrastructure maps, MGRS), Google Plus Codes, EXIF/metadata, hardware identification, newspaper archives, IP geolocation, Google Street View panorama matching, What3Words micro-landmark matching, Google Maps crowd-sourced photo verification, Overpass Turbo spatial queries
- web-and-dns.md - Google dorking (including TBS image filters), Google Docs/Sheets enumeration, DNS recon (TXT, zone transfers), Wayback Machine, FEC research, Tor relay lookups, GitHub repository analysis, Telegram bot investigation, WHOIS investigation (reverse WHOIS, historical WHOIS, IP/ASN lookup)
String Identification
- 40 hex chars -> SHA-1 (Tor fingerprint)
- 64 hex chars -> SHA-256
- 32 hex chars -> MD5
Twitter/X Account Tracking
- Persistent numeric User ID: `https://x.com/i/user/<id>` works even after renames.
- Snowflake timestamps: `(id >> 22) + 1288834974657` = Unix ms.
- Wayback CDX, Nitter, memory.lol for historical data. See social-media.md.
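Worked snowflake decoder for the formula above, added here as an example (not code from the original page or its supporting files). It also splits out the machine-ID and sequence bits and takes an optional epoch so the same routine covers Discord IDs; the Discord epoch constant and the sample tweet ID (taken from Twitter's public API documentation) are assumptions, not values from this page.

```python
from datetime import datetime, timezone

# Service epochs in Unix milliseconds. Twitter's is the constant quoted above;
# Discord's (2015-01-01T00:00:00Z) is the documented Discord snowflake epoch (assumption).
TWITTER_EPOCH_MS = 1288834974657
DISCORD_EPOCH_MS = 1420070400000

def snowflake_to_unix_ms(snowflake: int, epoch_ms: int = TWITTER_EPOCH_MS) -> int:
    """Bits 22 and up hold milliseconds elapsed since the service epoch."""
    return (snowflake >> 22) + epoch_ms

def snowflake_to_utc(snowflake: int, epoch_ms: int = TWITTER_EPOCH_MS) -> datetime:
    """Creation time of the tweet/user/message as a timezone-aware UTC datetime."""
    ms = snowflake_to_unix_ms(snowflake, epoch_ms)
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def snowflake_fields(snowflake: int, epoch_ms: int = TWITTER_EPOCH_MS) -> dict:
    """Split the 64-bit ID into timestamp, 10-bit machine ID and 12-bit sequence."""
    return {
        "created_utc": snowflake_to_utc(snowflake, epoch_ms).isoformat(timespec="seconds"),
        "machine_id": (snowflake >> 12) & 0x3FF,
        "sequence": snowflake & 0xFFF,
    }

def make_snowflake(unix_ms: int, machine_id: int = 0, sequence: int = 0,
                   epoch_ms: int = TWITTER_EPOCH_MS) -> int:
    """Inverse operation: useful to sanity-check a decode or to compute the ID
    boundaries that correspond to a known time window."""
    return ((unix_ms - epoch_ms) << 22) | ((machine_id & 0x3FF) << 12) | (sequence & 0xFFF)

if __name__ == "__main__":
    # Sample tweet ID as used in Twitter's public API documentation (assumption).
    print(snowflake_fields(1212092628029698048))
```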
Tumblr Investigation
- Blog check: `curl -sI` for the `x-tumblr-user` header. Avatar at `/avatar/512`. See social-media.md.
Username OSINT
- whatsmyname.app (741+ sites), namechk.com. Watch for platform false positives. See social-media.md.
Image Analysis & Reverse Image Search
- Google Lens (crop to region of interest), Google Images, TinEye, Yandex (faces). Check corners for visual stego. Twitter strips EXIF. See geolocation-and-media.md.
- Cropped region search: Isolate distinctive elements (shop signs, building facades) and search via Google Lens for better results than full-scene search. See geolocation-and-media.md.
- Reflected text: Flip mirrored/reflected text (water, glass) horizontally; search partial text with quoted strings. See geolocation-and-media.md.
Geolocation
- Railroad signs, infrastructure maps (OpenRailwayMap, OpenInfraMap), process of elimination. See geolocation-and-media.md.
- Street View panorama matching: Feature extraction + multi-metric image similarity ranking against candidate panoramas. Useful when challenge image is a crop of a Street View photo. See geolocation-and-media.md.
- Road sign OCR: Extract text from directional signs (town names, route numbers) to pinpoint road corridors. Driving side + sign style + script identify the country. See geolocation-and-media.md.
- Architecture + brand identification: Post-Soviet concrete = Russia/CIS; named businesses → search locations/branches → cross-reference with coastline/terrain. See geolocation-and-media.md.
MGRS Coordinates
- Grid format "4V FH 246 677" -> online converter -> lat/long -> Google Maps. See geolocation-and-media.md.
Google Plus Codes
- Format `XXXX+XXX` (chars: `23456789CFGHJMPQRVWX`). Drop a pin on Google Maps → Plus Code appears in details. Free, no API key needed. See geolocation-and-media.md.
Metadata Extraction
```bash
exiftool image.jpg    # EXIF data
pdfinfo document.pdf  # PDF metadata
mediainfo video.mp4   # Video metadata
```
Google Dorking
```
site:example.com filetype:pdf
intitle:"index of" password
```
Image TBS filters: Append `&tbs=itp:face` to Google Image URLs to filter for faces only (strips logos/banners). See web-and-dns.md.
Google Docs/Sheets
- Try `/export?format=csv`, `/pub`, `/gviz/tq?tqx=out:csv`, `/htmlview`. See web-and-dns.md.
DNS Reconnaissance
```bash
dig -t txt subdomain.ctf.domain.com
dig axfr @ns.domain.com domain.com  # Zone transfer
```
Always check TXT, CNAME, MX for CTF domains. See web-and-dns.md.
Tor Relay Lookups
`https://metrics.torproject.org/rs.html#simple/<FINGERPRINT>` -- check family, sort by "first seen". See web-and-dns.md.
GitHub Repository Analysis
- Check issue comments, PR reviews, commit messages, wiki edits via `gh api`. See web-and-dns.md.
Telegram Bot Investigation
- Find bot references in browser history, interact via `/start`, answer verification questions. See web-and-dns.md.
FEC Political Donation Research
- FEC.gov for committee receipts; 501(c)(4) orgs obscure original funders. See web-and-dns.md.
IP Geolocation
```bash
curl "http://ip-api.com/json/103.150.68.150"
```
Unicode Homoglyph Steganography
Pattern: Visually-identical Unicode characters from different blocks (Cyrillic, Greek, Math) encode binary data in social media posts. ASCII = 0, homoglyph = 1. Group bits into bytes for flag. See social-media.md.
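Worked decoder for the pattern above, added here as an example (not code from the original page or its supporting files). The homoglyph table and the cover sentence are constructed assumptions; the decoder treats as a carrier every letter the table could swap in either form, reads ASCII as 0 and homoglyph as 1, and packs bits MSB-first into bytes. An encoder is included so the round trip can be checked, and `find_non_ascii` is the triage step that first reveals the mixed-script characters in a suspicious post.

```python
import unicodedata

# Constructed homoglyph table (assumption): ASCII letter -> look-alike Cyrillic letter.
HOMOGLYPHS = {"a": "\u0430", "c": "\u0441", "e": "\u0435", "o": "\u043e",
              "p": "\u0440", "x": "\u0445", "y": "\u0443", "i": "\u0456"}
REVERSE = {v: k for k, v in HOMOGLYPHS.items()}

def is_carrier(ch: str) -> bool:
    """A carrier is any letter the table could swap, in ASCII or homoglyph form."""
    return ch in HOMOGLYPHS or ch in REVERSE

def find_non_ascii(text: str) -> list:
    """Triage: list every non-ASCII character with its position and Unicode name."""
    return [(i, ch, unicodedata.name(ch, "?")) for i, ch in enumerate(text) if ord(ch) > 127]

def encode(cover: str, payload: bytes) -> str:
    """Hide payload bits: per carrier letter, bit 1 -> homoglyph, bit 0 -> ASCII."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    out, k = [], 0
    for ch in cover:
        if k < len(bits) and is_carrier(ch):
            plain = REVERSE.get(ch, ch)          # normalise in case cover already mixes scripts
            out.append(HOMOGLYPHS[plain] if bits[k] else plain)
            k += 1
        else:
            out.append(ch)
    if k < len(bits):
        raise ValueError("cover has too few carrier letters for the payload")
    return "".join(out)

def decode(text: str) -> bytes:
    """Read one bit per carrier letter (ASCII = 0, homoglyph = 1), pack 8 bits per byte."""
    bits = [0 if ord(ch) < 128 else 1 for ch in text if is_carrier(ch)]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):   # drop a trailing partial byte
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out).rstrip(b"\x00")   # unused trailing carriers decode as 0x00 padding

# Constructed cover text: 25 carrier letters, enough for a 2-byte payload.
COVER = "the quick brown fox jumps over the lazy dog and then it naps in the open yard"
```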
BlueSky Public API
No auth needed. Endpoints: `public.api.bsky.app/xrpc/app.bsky.feed.searchPosts?q=...`, `app.bsky.actor.searchActors`, `app.bsky.feed.getAuthorFeed`. Check all replies to official posts. See social-media.md.
Resources
- Shodan - Internet-connected devices
- Censys - Certificate and host search
- VirusTotal - File/URL reputation
- WHOIS - Domain registration
- Wayback Machine - Historical snapshots