CTF OSINT
Quick reference for OSINT CTF challenges. Each technique has a one-liner here; see supporting files for full details.
Prerequisites
Python packages (all platforms):
�CODEBLOCK0
Linux (apt):
�CODEBLOCK1
macOS (Homebrew):
�CODEBLOCK2
Additional Resources
- - social-media.md - Twitter/X (user IDs, Snowflake timestamps, Nitter, memory.lol, Wayback CDX), Tumblr (blog checks, post JSON, avatars), BlueSky search + API, Unicode homoglyph steganography, Discord API, username OSINT (namechk, whatsmyname, Osint Industries), username metadata mining (postal codes), platform false positives, multi-platform chains, Strava fitness route OSINT
- geolocation-and-media.md - Image analysis, reverse image search (including Baidu for China), Google Lens cropped region search, reflected/mirrored text reading, geolocation techniques (railroad signs, infrastructure maps, MGRS), Google Plus Codes, EXIF/metadata, hardware identification, newspaper archives, IP geolocation, Google Street View panorama matching, What3Words micro-landmark matching, Google Maps crowd-sourced photo verification, Overpass Turbo spatial queries, music-themed landmark geolocation with key encoding
- web-and-dns.md - Google dorking (including TBS image filters), Google Docs/Sheets enumeration, DNS recon (TXT, zone transfers), Wayback Machine, FEC research, Tor relay lookups, GitHub repository analysis, Telegram bot investigation, WHOIS investigation (reverse WHOIS, historical WHOIS, IP/ASN lookup), fake service banner detection via nmap fingerprinting
When to Pivot
- - If you already have the files or packets locally and now need extraction or carving, switch to
/ctf-forensics. - If the task becomes active exploitation of a live HTTP service, switch to
/ctf-web. - If you uncover malware samples, beacons, or suspicious binaries during attribution, switch to
/ctf-malware.
Quick Start Commands
CODEBLOCK3
String Identification
- - 40 hex chars -> SHA-1 (Tor fingerprint)
- 64 hex chars -> SHA-256
- 32 hex chars -> MD5
Twitter/X Account Tracking
- - Persistent numeric User ID:
https://x.com/i/user/<id> works even after renames. - Snowflake timestamps:
(id >> 22) + 1288834974657 = Unix ms. - Wayback CDX, Nitter, memory.lol for historical data. See social-media.md.
Tumblr Investigation
- - Blog check:
curl -sI for x-tumblr-user header. Avatar at /avatar/512. See social-media.md.
Username OSINT
Image Analysis & Reverse Image Search
- - Google Lens (crop to region of interest), Google Images, TinEye, Yandex (faces). Check corners for visual stego. Twitter strips EXIF. See geolocation-and-media.md.
- Cropped region search: Isolate distinctive elements (shop signs, building facades) and search via Google Lens for better results than full-scene search. See geolocation-and-media.md.
- Reflected text: Flip mirrored/reflected text (water, glass) horizontally; search partial text with quoted strings. See geolocation-and-media.md.
Geolocation
- - Railroad signs, infrastructure maps (OpenRailwayMap, OpenInfraMap), process of elimination. See geolocation-and-media.md.
- Street View panorama matching: Feature extraction + multi-metric image similarity ranking against candidate panoramas. Useful when challenge image is a crop of a Street View photo. See geolocation-and-media.md.
- Road sign OCR: Extract text from directional signs (town names, route numbers) to pinpoint road corridors. Driving side + sign style + script identify the country. See geolocation-and-media.md.
- Architecture + brand identification: Post-Soviet concrete = Russia/CIS; named businesses → search locations/branches → cross-reference with coastline/terrain. See geolocation-and-media.md.
- Music-themed landmark geolocation: Multiple images of music-related landmarks worldwide; each yields a piano key number encoding one flag character. Identify all locations first, then decode the key sequence. See geolocation-and-media.md.
MGRS Coordinates
Google Plus Codes
- - Format
XXXX+XXX (chars: 23456789CFGHJMPQRVWX). Drop a pin on Google Maps → Plus Code appears in details. Free, no API key needed. See geolocation-and-media.md.
Metadata Extraction
CODEBLOCK4
Google Dorking
CODEBLOCK5
Image TBS filters: Append &tbs=itp:face to Google Image URLs to filter for faces only (strips logos/banners). See web-and-dns.md.
Google Docs/Sheets
- - Try
/export?format=csv, /pub, /gviz/tq?tqx=out:csv, /htmlview. See web-and-dns.md.
DNS Reconnaissance
CODEBLOCK6
Always check TXT, CNAME, MX for CTF domains. See web-and-dns.md.
Tor Relay Lookups
- -
https://metrics.torproject.org/rs.html#simple/<FINGERPRINT> -- check family, sort by "first seen". See web-and-dns.md.
GitHub Repository Analysis
- - Check issue comments, PR reviews, commit messages, wiki edits via
gh api. See web-and-dns.md.
Telegram Bot Investigation
- - Find bot references in browser history, interact via
/start, answer verification questions. See web-and-dns.md.
FEC Political Donation Research
- - FEC.gov for committee receipts; 501(c)(4) orgs obscure original funders. See web-and-dns.md.
IP Geolocation
CODEBLOCK7
See geolocation-and-media.md.
Unicode Homoglyph Steganography
Pattern: Visually-identical Unicode characters from different blocks (Cyrillic, Greek, Math) encode binary data in social media posts. ASCII = 0, homoglyph = 1. Group bits into bytes for flag. See social-media.md.
BlueSky Public API
No auth needed. Endpoints: public.api.bsky.app/xrpc/app.bsky.feed.searchPosts?q=..., app.bsky.actor.searchActors, app.bsky.feed.getAuthorFeed. Check all replies to official posts. See social-media.md.
Fake Service Banner Detection
Pattern: Port appears open on a standard service port (22/SSH, 80/HTTP) but runs a fake service. nmap -sV or nc host port reveals the flag in the banner. Never trust port numbers alone -- always fingerprint the service. See web-and-dns.md.
Shodan SSH Fingerprint Lookup
Search Shodan by SSH host key fingerprint to identify servers: shodan search "fingerprint:AA:BB:CC:...". See web-and-dns.md.
Gaming Platform OSINT
Lookup usernames across gaming platforms (Steam, Xbox, PSN, MMOs) for character profiles, activity, and linked accounts. See social-media.md.
Resources
- - Shodan - Internet-connected devices
- Censys - Certificate and host search
- VirusTotal - File/URL reputation
- WHOIS - Domain registration
- Wayback Machine - Historical snapshots
CTF OSINT
OSINT CTF挑战的快速参考。每种技术在此提供一行说明;详见支持文件。
前置条件
Python包(所有平台):
bash
pip install shodan Pillow
Linux(apt):
bash
apt install whois dnsutils nmap libimage-exiftool-perl imagemagick curl
macOS(Homebrew):
bash
brew install whois bind nmap exiftool imagemagick curl
附加资源
- - social-media.md - Twitter/X(用户ID、雪花时间戳、Nitter、memory.lol、Wayback CDX)、Tumblr(博客检查、帖子JSON、头像)、BlueSky搜索+API、Unicode同形异义隐写术、Discord API、用户名OSINT(namechk、whatsmyname、Osint Industries)、用户名元数据挖掘(邮政编码)、平台误报、多平台链、Strava健身路线OSINT
- geolocation-and-media.md - 图像分析、反向图像搜索(包括面向中国的百度)、Google Lens裁剪区域搜索、镜像/反射文字读取、地理定位技术(铁路标志、基础设施地图、MGRS)、Google Plus Codes、EXIF/元数据、硬件识别、报纸档案、IP地理定位、Google街景全景匹配、What3Words微地标匹配、Google地图众包照片验证、Overpass Turbo空间查询、音乐主题地标地理定位与密钥编码
- web-and-dns.md - Google搜索技巧(包括TBS图像过滤器)、Google文档/表格枚举、DNS侦察(TXT、区域传输)、Wayback Machine、FEC研究、Tor中继查询、GitHub仓库分析、Telegram机器人调查、WHOIS调查(反向WHOIS、历史WHOIS、IP/ASN查询)、通过nmap指纹识别检测虚假服务横幅
何时切换
- - 如果已本地获取文件或数据包,需要提取或数据雕刻,切换到 /ctf-forensics。
- 如果任务变为对在线HTTP服务的主动利用,切换到 /ctf-web。
- 如果在归因过程中发现恶意软件样本、信标或可疑二进制文件,切换到 /ctf-malware。
快速启动命令
bash
DNS侦察
dig -t any target.com
dig -t txt target.com
dig axfr @ns.target.com target.com
whois target.com
图像元数据
exiftool image.jpg
identify -verbose image.jpg | head -30
网页存档
curl https://web.archive.org/web/20230101*/target.com
用户名查询
curl -s https://whatsmyname.app/api/lookup?username=
Shodan
shodan search hostname:target.com
shodan host
字符串识别
- - 40个十六进制字符 -> SHA-1(Tor指纹)
- 64个十六进制字符 -> SHA-256
- 32个十六进制字符 -> MD5
Twitter/X账户追踪
- - 持久数字用户ID:https://x.com/i/user/ 在改名后仍有效。
- 雪花时间戳:(id >> 22) + 1288834974657 = Unix毫秒。
- Wayback CDX、Nitter、memory.lol用于历史数据。参见 social-media.md。
Tumblr调查
用户名OSINT
图像分析与反向图像搜索
地理定位
MGRS坐标
Google Plus Codes
元数据提取
bash
exiftool image.jpg # EXIF数据
pdfinfo document.pdf # PDF元数据
mediainfo video.mp4 # 视频元数据
Google搜索技巧
text
site:example.com filetype:pdf
intitle:index of password
图像TBS过滤器: 在Google图片URL后追加 &tbs=itp:face 仅过滤人脸(去除标志/横幅)。参见 web-and-dns.md。
Google文档/表格
- - 尝试 /export?format=csv、/pub、/gviz/tq?tqx=out:csv、/htmlview。参见 web-and-dns.md。
DNS侦察
bash
dig -t txt subdomain.ctf.domain.com
dig axfr @ns.domain.com domain.com # 区域传输
始终检查CTF域名的TXT、CNAME、MX记录。参见 web-and-dns.md。
Tor中继查询
- - https://metrics.torproject.org/rs.html#simple/ -- 检查家族,按首次出现排序。参见 web-and-dns.md。
GitHub仓库分析
Telegram机器人调查
FEC政治捐款研究
IP地理定位
bash
curl http://ip-api.com/json/103.150.68.150
参见 geolocation-and-media.md。
Unicode同形异义隐写术
模式: 来自不同区块(西里尔字母、希腊字母、数学符号)的视觉相同Unicode字符在社交媒体帖子中编码二进制数据。ASCII = 0,同形异义 = 1。将位分组为字节得到旗帜。参见 social-media.md。
BlueSky公共API
无需认证。端点:public.api.bsky.app/xrpc/app.bsky.feed.searchPosts?q=...、app.bsky.actor.searchActors、app.bsky.feed.getAuthorFeed。检查官方帖子的所有回复。
