
ctf-osint

npx machina-cli add skill ljagiello/ctf-skills/ctf-osint --openclaw

CTF OSINT

Quick reference for OSINT CTF challenges. Each technique has a one-liner here; see supporting files for full details.

Additional Resources

  • social-media.md - Twitter/X (user IDs, Snowflake timestamps, Nitter, memory.lol, Wayback CDX), Tumblr (blog checks, post JSON, avatars), BlueSky search + API, Unicode homoglyph steganography, Discord API, username OSINT (namechk, whatsmyname), platform false positives, multi-platform chains
  • geolocation-and-media.md - Image analysis, reverse image search, geolocation techniques (railroad signs, infrastructure maps, MGRS), EXIF/metadata, hardware identification, newspaper archives, IP geolocation, Google Street View panorama matching
  • web-and-dns.md - Google dorking, Google Docs/Sheets enumeration, DNS recon (TXT, zone transfers), Wayback Machine, FEC research, Tor relay lookups, GitHub repository analysis, Telegram bot investigation

String Identification

  • 40 hex chars -> SHA-1 (Tor fingerprint)
  • 64 hex chars -> SHA-256
  • 32 hex chars -> MD5

Twitter/X Account Tracking

  • Persistent numeric User ID: https://x.com/i/user/<id> works even after renames.
  • Snowflake timestamps: (id >> 22) + 1288834974657 = Unix ms.
  • Wayback CDX, Nitter, memory.lol for historical data. See social-media.md.
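Added example, not from the skill files: the Snowflake formula above as a function, plus its inverse (the ID range a UTC time window maps to), which the line above does not cover. Integer arithmetic only, so no float rounding of the milliseconds.

```python
# Added example (not from the skill files): creation time from a Twitter/X
# Snowflake ID, and the inverse, the ID range that a time window maps to.
from datetime import datetime, timedelta, timezone

# Same constant as the formula above: 1288834974657 ms after the Unix epoch.
EPOCH = datetime(2010, 11, 4, 1, 42, 54, 657000, tzinfo=timezone.utc)
MS = timedelta(milliseconds=1)


def snowflake_to_datetime(snowflake_id: int) -> datetime:
    """Top bits are ms since the Twitter epoch; the low 22 bits are
    datacenter/worker/sequence and carry no time information."""
    return EPOCH + (snowflake_id >> 22) * MS


def snowflake_bounds(start_iso: str, end_iso: str) -> tuple[int, int]:
    """Inverse: smallest and largest IDs that can have been issued in
    [start, end). Naive ISO-8601 inputs are taken as UTC (assumption)."""
    def to_utc(s: str) -> datetime:
        dt = datetime.fromisoformat(s)
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    lo = ((to_utc(start_iso) - EPOCH) // MS) << 22         # low 22 bits all zero
    hi = (((to_utc(end_iso) - EPOCH) // MS) << 22) - 1     # low 22 bits all one
    return lo, hi


if __name__ == "__main__":
    lo, hi = snowflake_bounds("2018-01-01T00:00:00", "2018-01-02T00:00:00")
    print(snowflake_to_datetime(0).isoformat(), lo, hi)
```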

Tumblr Investigation

  • Blog check: curl -sI for x-tumblr-user header. Avatar at /avatar/512. See social-media.md.

Username OSINT

Image Analysis & Reverse Image Search

  • Google Images, TinEye, Yandex (faces). Check corners for visual stego. Twitter strips EXIF. See geolocation-and-media.md.

Geolocation

  • Railroad signs, infrastructure maps (OpenRailwayMap, OpenInfraMap), process of elimination. See geolocation-and-media.md.
  • Street View panorama matching: Feature extraction + multi-metric image similarity ranking against candidate panoramas. Useful when challenge image is a crop of a Street View photo. See geolocation-and-media.md.
  • Road sign OCR: Extract text from directional signs (town names, route numbers) to pinpoint road corridors. Driving side + sign style + script identify the country. See geolocation-and-media.md.
  • Architecture + brand identification: Post-Soviet concrete = Russia/CIS; named businesses → search locations/branches → cross-reference with coastline/terrain. See geolocation-and-media.md.

MGRS Coordinates

Metadata Extraction

exiftool image.jpg           # EXIF data
pdfinfo document.pdf         # PDF metadata
mediainfo video.mp4          # Video metadata

Google Dorking

site:example.com filetype:pdf
intitle:"index of" password

See web-and-dns.md.

Google Docs/Sheets

  • Try /export?format=csv, /pub, /gviz/tq?tqx=out:csv, /htmlview. See web-and-dns.md.

DNS Reconnaissance

dig -t txt subdomain.ctf.domain.com
dig axfr @ns.domain.com domain.com  # Zone transfer

Always check TXT, CNAME, MX for CTF domains. See web-and-dns.md.

Tor Relay Lookups

  • https://metrics.torproject.org/rs.html#simple/<FINGERPRINT> -- check family, sort by "first seen". See web-and-dns.md.

GitHub Repository Analysis

  • Check issue comments, PR reviews, commit messages, wiki edits via gh api. See web-and-dns.md.

Telegram Bot Investigation

  • Find bot references in browser history, interact via /start, answer verification questions. See web-and-dns.md.

FEC Political Donation Research

  • FEC.gov for committee receipts; 501(c)(4) orgs obscure original funders. See web-and-dns.md.

IP Geolocation

curl "http://ip-api.com/json/103.150.68.150"

See geolocation-and-media.md.

Unicode Homoglyph Steganography

Pattern: Visually identical Unicode characters from different blocks (Cyrillic, Greek, Math) encode binary data in social media posts. ASCII = 0, homoglyph = 1. Read the bits in order and group them into bytes to recover the flag. See social-media.md.
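A decoder for the scheme above, with a matching encoder and a script-mixing check, as an added example (not code from the skill files). The Latin-to-Cyrillic table, the rule that only letters with a homoglyph carry bits, and the COVER post are assumptions constructed for this example.

```python
# Added example for this page: decoder (and matching encoder) for the
# "ASCII = 0, homoglyph = 1" scheme. The homoglyph table and COVER text are
# constructed here; they are not from the original skill files.
HOMOGLYPHS = {  # Latin letter -> visually identical Cyrillic letter
    "a": "\u0430", "c": "\u0441", "e": "\u0435", "h": "\u04bb", "i": "\u0456",
    "j": "\u0458", "o": "\u043e", "p": "\u0440", "s": "\u0455", "x": "\u0445",
    "y": "\u0443", "A": "\u0410", "B": "\u0412", "C": "\u0421", "E": "\u0415",
    "H": "\u041d", "K": "\u041a", "M": "\u041c", "O": "\u041e", "P": "\u0420",
    "T": "\u0422", "X": "\u0425",
}
LATIN_OF = {v: k for k, v in HOMOGLYPHS.items()}

# Constructed cover post with enough "carrier" letters (those that have a
# homoglyph) to hold 24 bits; other characters are left untouched.
COVER = ("Just posted some photos of the coast, hope everyone enjoys the "
         "sea air and the slow pace of a lazy holiday. More pictures soon!")


def encode(cover: str, payload: bytes) -> str:
    """Hide payload bits MSB-first in the carrier letters of cover, in order."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    out = []
    for ch in cover:
        if bits and ch in HOMOGLYPHS:
            out.append(HOMOGLYPHS[ch] if bits.pop(0) else ch)
        else:
            out.append(ch)  # not a carrier, or payload already placed
    if bits:
        raise ValueError(f"cover too short: {len(bits)} bits not placed")
    return "".join(out)


def decode(text: str) -> bytes:
    """Read carriers in order: Latin -> 0, homoglyph -> 1; group into bytes.
    Unused carriers after the payload read as zero bytes, so trailing NULs
    are stripped; an incomplete final byte is dropped."""
    bits = [0 if ch in HOMOGLYPHS else 1 for ch in text
            if ch in HOMOGLYPHS or ch in LATIN_OF]
    usable = len(bits) - len(bits) % 8
    data = bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, usable, 8))
    return data.rstrip(b"\x00")


def mixes_scripts(text: str) -> bool:
    """Detection side: a 'Latin' post containing Cyrillic look-alikes is the tell."""
    return any(ch in LATIN_OF for ch in text)
```

Posts that pass mixes_scripts are worth running through decode; a real challenge may use Greek or Math-block look-alikes too, so extend the table from the confusables you observe.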

BlueSky Public API

No auth needed. Endpoints: public.api.bsky.app/xrpc/app.bsky.feed.searchPosts?q=..., app.bsky.actor.searchActors, app.bsky.feed.getAuthorFeed. Check all replies to official posts. See social-media.md.

Resources

  • Shodan - Internet-connected devices
  • Censys - Certificate and host search
  • VirusTotal - File/URL reputation
  • WHOIS - Domain registration
  • Wayback Machine - Historical snapshots

Source

git clone https://github.com/ljagiello/ctf-skills

SKILL.md: https://github.com/ljagiello/ctf-skills/blob/main/ctf-osint/SKILL.md

Overview

This skill collects Open Source Intelligence techniques tailored for CTF challenges. It covers gathering information from public sources, social media, geolocation data, DNS records, and other clues such as hashes and coordinates. It helps you assemble a puzzle from scattered data and corroborate findings with multiple sources, including Wayback, Tor relays, and FEC filings.

How This Skill Works

The skill uses filesystem-based tooling with Bash and Python 3 to perform internet-enabled lookups, parse results, and cross-reference clues. It applies pattern recognition (e.g., hash lengths), metadata extraction (EXIF, PDF/Video metadata), and reputable OSINT sources (Wayback, DNS records, social media footprints) to build a cohesive picture of a target or challenge.

When to Use It

  • When you need background on a target or keyword by aggregating public social media, news, and public records.
  • When tracking a username across platforms to map accounts and uncover associated handles or aliases.
  • When extracting geolocation clues from images, metadata, or street-view style evidence to pinpoint a location.
  • When performing DNS reconnaissance, Google dorking, or archive lookups to uncover exposed files, subdomains, or history.
  • When identifying unknown data like hashes or coordinates and cross-referencing with sources like FEC filings or archived content.

Quick Start

  1. Identify OSINT targets (public sources, social handles, domains, images) relevant to the challenge.
  2. Run targeted lookups (dig for DNS, exiftool for metadata, Google dorking, Wayback queries, and reverse image search) and collect outputs.
  3. Correlate findings across sources, validate with multiple clues, and document evidence with reproducible commands.

Best Practices

  • Define a clear scope before starting OSINT to avoid unnecessary data collection.
  • Cross-verify findings across at least two independent sources to reduce false positives.
  • Document evidence with exact commands, timestamps, and tool outputs for reproducibility.
  • Be mindful of platform false positives and API/TOS constraints; respect rate limits.
  • Correlate disparate data points (images, text, metadata, timelines) to build a cohesive narrative.

Example Use Cases

  • Track a Twitter/X account by numeric user ID using the URL pattern https://x.com/i/user/<id> and inspect Wayback CDX, Nitter, or memory.lol for historical data.
  • Use whatsmyname.app or namechk.com to locate a username across 741+ sites, while watching for platform false positives.
  • Perform reverse image search (Google Images, TinEye, Yandex) and inspect image corners for steganography cues; combine with geolocation clues from EXIF or related sources.
  • Extract EXIF metadata from an image (or PDF/video metadata) with exiftool, pdfinfo, or mediainfo to reveal timestamps, coordinates, or camera information.
  • Investigate DNS TXT records or attempt safe zone transfers, and cross-reference findings with FEC filings or archived pages to contextualize ownership or affiliations.
