OSINT Challenges

Beginner | 30 min | Writeup

Open source intelligence gathering in CTFs

Learning Objectives

  • Use OSINT techniques
  • Find information from images
  • Track down digital footprints
  • Use advanced search operators

OSINT (Open Source Intelligence) challenges test your ability to find information using publicly available sources. From geolocating photos to tracking down usernames, OSINT is like being a digital detective!

OSINT skills are valuable beyond CTFs - journalists, investigators, and security professionals use these techniques daily. The internet never forgets, and people share more than they realize!

Image Investigation

```bash
# Step 1: Extract metadata
exiftool image.jpg
# Look for: GPS coordinates, camera model, date, software

# Step 2: Reverse image search
# Upload to:
# - images.google.com
# - tineye.com
# - yandex.com/images (often finds more)

# Step 3: Analyze image content
# - Signs, license plates, landmarks
# - Language of any visible text
# - Sun position (time of day)
# - Weather conditions
# - Architecture style
# - Vegetation type

# Step 4: Geolocation
# If GPS in EXIF: paste coordinates into Google Maps
# If no GPS: search for visible landmarks
# - google.com/maps (Street View!)
# - OpenStreetMap
# - earth.google.com
```
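Step 1 and step 4 meet in practice when exiftool prints GPS fields as degrees, minutes and seconds and you need decimal coordinates for a map. As an added example that is not part of the original page, the Python below parses exiftool's human-readable output, converts the DMS fields to signed decimals, rejects out-of-range values (hand-edited or corrupt EXIF produces them), and builds the Google Maps link. The exiftool output it reads is a constructed sample, not a real photograph; the tag names are the ones exiftool really prints.

```python
import re

# Constructed sample of exiftool's default text output (not from a real photo).
SAMPLE_EXIFTOOL_OUTPUT = """\
File Name                       : image.jpg
Make                            : ExampleCam
Model                           : EC-1
Create Date                     : 2023:06:14 15:02:11
Software                        : ExampleEditor 2.0
GPS Latitude                    : 37 deg 46' 29.96" N
GPS Longitude                   : 122 deg 25' 9.69" W
GPS Position                    : 37 deg 46' 29.96" N, 122 deg 25' 9.69" W
"""

# exiftool prints GPS as  DD deg MM' SS.SS" H  where H is N/S/E/W.
DMS_RE = re.compile(r"""(\d+)\s+deg\s+(\d+)'\s+([\d.]+)"\s*([NSEW])""")


def parse_exiftool(text):
    """Turn 'Tag : value' lines into a dict; values may themselves contain ':'."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def dms_to_decimal(degrees, minutes, seconds, hemisphere):
    """Degrees/minutes/seconds -> signed decimal degrees (S and W are negative)."""
    value = degrees + minutes / 60 + seconds / 3600
    return round(-value if hemisphere in ("S", "W") else value, 6)


def extract_gps(text):
    """Return (lat, lon) from exiftool output, or None if absent or malformed."""
    fields = parse_exiftool(text)
    lat_match = DMS_RE.search(fields.get("GPS Latitude", ""))
    lon_match = DMS_RE.search(fields.get("GPS Longitude", ""))
    if not lat_match or not lon_match:
        return None
    lat = dms_to_decimal(int(lat_match[1]), int(lat_match[2]),
                         float(lat_match[3]), lat_match[4])
    lon = dms_to_decimal(int(lon_match[1]), int(lon_match[2]),
                         float(lon_match[3]), lon_match[4])
    # Corrupt or hand-edited EXIF can carry impossible values; do not trust them.
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return None
    return lat, lon


def maps_url(lat, lon):
    """Link that can be pasted into a browser to view the coordinates."""
    return f"https://www.google.com/maps?q={lat},{lon}"


if __name__ == "__main__":
    meta = parse_exiftool(SAMPLE_EXIFTOOL_OUTPUT)
    for tag in ("Make", "Model", "Create Date", "Software"):
        print(f"{tag}: {meta.get(tag, '(absent)')}")
    coords = extract_gps(SAMPLE_EXIFTOOL_OUTPUT)
    print("GPS:", coords, "->", maps_url(*coords) if coords else "no usable GPS data")
```

Run it on real output with `exiftool image.jpg > meta.txt` and feed the file's contents to `extract_gps`. The `Software` tag is worth printing too: an editing application there means the GPS block may have been stripped, added or moved after capture.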

GeoGuessr Skills

Playing GeoGuessr improves your ability to identify locations from visual clues. Look for driving side, power line styles, road markings, language, and landscape features!

Google Dorks and Other Search Engines

```text
# Google Dorks (Advanced operators)

# Exact phrase
"John Smith"

# Site-specific search
site:twitter.com "username"
site:linkedin.com "John Smith" "Company Name"

# File type
filetype:pdf "confidential"
filetype:xlsx "password"

# URL contains
inurl:admin
inurl:login
inurl:backup

# Title contains
intitle:"index of" passwords
intitle:"webcam"

# Exclude results
"John Smith" -site:facebook.com

# Numeric ranges
"salary" $50000..$100000

# Combined
site:pastebin.com "api_key" OR "api key" OR "apikey"
```

```text
# Other search engines

# Bing
# Different results from Google
# site: and filetype: work

# DuckDuckGo
# !g - redirect to Google
# !yt - search YouTube

# Yandex
# Better for Eastern European/Russian content
# Excellent reverse image search

# Baidu (Chinese content)

# Internet Archive
# web.archive.org
# Historical versions of websites
```

Social Media OSINT

```bash
# Username searches
# sherlock - Check username across 300+ sites
pip install sherlock-project   # the PyPI package is sherlock-project, not sherlock
sherlock username

# namechk.com - Username availability
# whatsmyname.app - Username search
# knowem.com - Brand name search

# Twitter/X
# advanced search: twitter.com/search-advanced
# from:username since:2020-01-01 until:2020-12-31
# to:username
# @username filter:images

# Instagram
# insta-stalker sites (be careful, many are shady)
# hashtag searches
# tagged locations

# LinkedIn
# Google: site:linkedin.com "name" "company"
# LinkedIn recruiter (if you have access)

# Facebook
# Graph search (limited now)
# Friend lists, likes, check-ins
```

Domain and IP Investigation

```bash
# WHOIS lookup
whois domain.com
# Shows: registrant info, dates, name servers
# Some data may be privacy-protected

# DNS records
dig domain.com ANY    # many resolvers refuse ANY; query record types individually
dig domain.com TXT
dig domain.com MX
nslookup domain.com

# Historical DNS
# securitytrails.com
# ViewDNS.info

# Certificate Transparency logs
# crt.sh - Search certificates
# Shows subdomains!
curl "https://crt.sh/?q=%.domain.com&output=json" | jq

# Subdomain enumeration
subfinder -d domain.com
amass enum -d domain.com

# IP geolocation
# ipinfo.io/IP
# geoiplookup IP

# Shodan (Internet device search)
shodan host IP
shodan search "hostname:company.com"
```
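The crt.sh query above returns one JSON object per certificate, and its `name_value` field packs every name on that certificate into a single newline-separated string, often with wildcard, mixed-case and trailing-dot variants. As an added example that is not part of the original page, the Python below turns such a response into a de-duplicated hostname list, keeps wildcard names apart, drops look-alike names outside the target domain, and lists hosts whose every certificate has already expired, which is the cross-check a defender wants because those frequently point at decommissioned systems. The JSON is a constructed sample in the shape crt.sh returns (only the fields used here); example.com stands in for the domain.

```python
import json
from datetime import datetime

# Constructed sample shaped like crt.sh's ?q=%.example.com&output=json response.
# Real responses carry more fields (id, issuer_name, serial_number, ...).
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2023-01-10T00:00:00", "not_after": "2024-01-10T23:59:59"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com",
     "not_before": "2023-02-01T00:00:00", "not_after": "2024-02-01T23:59:59"},
    {"common_name": "dev.example.com",
     "name_value": "dev.example.com\nstaging.example.com",
     "not_before": "2023-03-01T00:00:00", "not_after": "2024-03-01T23:59:59"},
    {"common_name": "mail.example.com",
     "name_value": "MAIL.example.com.",           # case and trailing-dot variant
     "not_before": "2023-03-01T00:00:00", "not_after": "2024-03-01T23:59:59"},
    {"common_name": "old.example.com",
     "name_value": "old.example.com",             # only an expired certificate
     "not_before": "2020-03-01T00:00:00", "not_after": "2021-03-01T23:59:59"},
    {"common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test",       # look-alike outside the scope
     "not_before": "2023-03-01T00:00:00", "not_after": "2024-03-01T23:59:59"},
])


def _names_in(entry, domain):
    """Yield normalised names from one certificate that belong to `domain`."""
    for name in entry.get("name_value", "").split("\n"):
        name = name.strip().lower().rstrip(".")
        # endswith("." + domain) keeps example.com.evil.test out of scope
        if name and (name == domain or name.endswith("." + domain)):
            yield name


def extract_hostnames(raw_json, domain):
    """Return (sorted concrete hostnames, sorted wildcard names)."""
    names, wildcards = set(), set()
    for entry in json.loads(raw_json):
        for name in _names_in(entry, domain):
            (wildcards if name.startswith("*.") else names).add(name)
    return sorted(names), sorted(wildcards)


def latest_expiry(raw_json, domain):
    """Map each name to the latest not_after date seen across its certificates."""
    latest = {}
    for entry in json.loads(raw_json):
        expiry = datetime.fromisoformat(entry["not_after"])
        for name in _names_in(entry, domain):
            if name not in latest or expiry > latest[name]:
                latest[name] = expiry
    return latest


def stale_hostnames(raw_json, domain, as_of):
    """Names whose every certificate had expired by `as_of` (ISO 8601 string)."""
    cutoff = datetime.fromisoformat(as_of)
    return sorted(n for n, exp in latest_expiry(raw_json, domain).items() if exp < cutoff)


if __name__ == "__main__":
    hosts, wild = extract_hostnames(SAMPLE_CRTSH_JSON, "example.com")
    print("hostnames:", hosts)
    print("wildcards:", wild)
    print("stale as of 2023-06-01:", stale_hostnames(SAMPLE_CRTSH_JSON, "example.com", "2023-06-01T00:00:00"))
```

To use it on live data, save the curl output to a file and pass its contents as `raw_json`. Wildcard entries prove that some name under the domain was certified but say nothing about which hosts exist, so they belong in a separate column of your notes rather than in the host list.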

Email Investigation

```bash
# Email existence check
# hunter.io - Find emails by domain
# verify-email.org - Check if email exists

# Email header analysis
# Copy full headers from email
# Use: mxtoolbox.com/EmailHeaders.aspx
# Shows: Origin server, path, SPF/DKIM results

# Breach data
# haveibeenpwned.com - Check if email was in breach
# dehashed.com - Search breach data (paid)

# Email format guessing
# firstname.lastname@company.com
# flastname@company.com
# firstnamel@company.com
```
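The header analysis step can be done offline with the standard library instead of pasting headers into a web form. As an added example that is not part of the original page, the Python below reads the `Received:` chain in delivery order (the topmost header is the last hop, so the list is reversed to get origin first), pulls the `from`/`by` hosts and IP out of each hop, reads the SPF/DKIM/DMARC verdicts from `Authentication-Results:`, and flags the points a phishing triage would note. The headers are a constructed sample using reserved `.test` names and RFC 5737 documentation addresses.

```python
import re
from email.parser import HeaderParser

# Constructed sample headers (reserved .test domains, RFC 5737 documentation IPs).
SAMPLE_HEADERS = """\
Return-Path: <billing@example-bank.test>
Received: from mail.example-bank.test (mail.example-bank.test [203.0.113.7])
        by mx.recipient.test with ESMTPS id abc123
        for <victim@recipient.test>; Wed, 14 Jun 2023 15:02:11 +0000
Received: from unknown (HELO relay.bulkmailer.test) (198.51.100.23)
        by mail.example-bank.test with SMTP; Wed, 14 Jun 2023 15:02:05 +0000
Authentication-Results: mx.recipient.test;
        spf=fail smtp.mailfrom=example-bank.test;
        dkim=none; dmarc=fail header.from=example-bank.test
From: "Example Bank" <billing@example-bank.test>
Subject: Account notice
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received_chain(raw_headers):
    """Return hops in transit order: [origin, ..., final receiving server]."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    # Each MTA prepends its Received header, so the last one listed is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # undo header folding
        from_m = re.search(r"\bfrom\s+(\S+)", flat)
        by_m = re.search(r"\bby\s+(\S+)", flat)
        ip_m = IPV4_RE.search(flat)
        hops.append({"from": from_m[1] if from_m else None,
                     "by": by_m[1] if by_m else None,
                     "ip": ip_m[1] if ip_m else None})
    return hops


def auth_results(raw_headers):
    """Extract spf/dkim/dmarc verdicts from Authentication-Results headers."""
    msg = HeaderParser().parsestr(raw_headers)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            results[mech] = verdict.lower()
    return results


def flag_suspicious(raw_headers):
    """Plain-language reasons a reviewer would question this message."""
    reasons = []
    auth = auth_results(raw_headers)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) not in (None, "pass"):
            reasons.append(f"{mech}={auth[mech]}")
    hops = parse_received_chain(raw_headers)
    if hops and hops[0]["from"] == "unknown":
        reasons.append(f"origin host did not identify itself (ip {hops[0]['ip']})")
    return reasons


if __name__ == "__main__":
    for i, hop in enumerate(parse_received_chain(SAMPLE_HEADERS), 1):
        print(f"hop {i}: {hop['from']} ({hop['ip']}) -> {hop['by']}")
    print("auth:", auth_results(SAMPLE_HEADERS))
    print("flags:", flag_suspicious(SAMPLE_HEADERS))
```

Only the `Received:` line added by your own mail server is trustworthy; everything below it in the chain was written by other parties and can be forged, which is why the authentication verdicts your server recorded carry more weight than the hop list alone.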

OSINT Tools Collection

```text
# Image analysis
# - Jeffrey's Exif Viewer (exif.regex.info)
# - FotoForensics (fotoforensics.com)
# - Google Lens
# - Yandex reverse image

# People search
# - pipl.com (paid)
# - thatsthem.com
# - whitepages.com
# - beenverified.com

# Social media
# - sherlock (GitHub)
# - social-analyzer (GitHub)
# - twint (Twitter scraping)

# Domain/Network
# - Shodan
# - Censys
# - SecurityTrails
# - BuiltWith (tech stack)

# Frameworks
# - Maltego (relationship mapping)
# - SpiderFoot (automated OSINT)
# - Recon-ng (recon framework)
# - theHarvester (email/domain)

# CTF-specific
# - what3words.com (location encoding)
# - geohash.org (coordinate encoding)
```

OSINT Workflow

General OSINT Approach

1. Identify Starting Points: What information do you have? Name, email, image, domain?
2. Extract All Metadata: exiftool on images, WHOIS on domains, etc.
3. Search and Pivot: Use found info to find more: email → LinkedIn → company → more emails
4. Document Everything: Take screenshots, note timestamps, save URLs
5. Verify Findings: Cross-reference with multiple sources
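Steps 4 and 5 are easy to skip under CTF time pressure and painful to redo later. As an added example that is not part of the original page, the Python below keeps an append-only log of findings, each with its source URL, an observation timestamp and a SHA-256 of the saved evidence (screenshot or page source), and decides which claims are verified by counting independent sources, where two pages on the same host count as one. The claims, URLs and evidence bytes are constructed placeholders under reserved `.example` and `.test` names.

```python
import hashlib
import json
from datetime import datetime, timezone
from urllib.parse import urlparse


class FindingsLog:
    """Append-only record of OSINT findings: what was claimed, where it was seen,
    when it was seen, and a hash of the evidence file kept alongside the log."""

    def __init__(self):
        self.records = []

    def add(self, claim, source_url, evidence_bytes, observed_at=None):
        record = {
            "claim": claim,
            "source": source_url,
            "observed_at": observed_at or datetime.now(timezone.utc).isoformat(),
            "evidence_sha256": hashlib.sha256(evidence_bytes).hexdigest(),
        }
        self.records.append(record)
        return record

    def sources_per_claim(self):
        """Count independent sources per claim: two URLs on one host count once."""
        hosts = {}
        for r in self.records:
            hosts.setdefault(r["claim"], set()).add(urlparse(r["source"]).hostname)
        return {claim: len(h) for claim, h in hosts.items()}

    def verified(self, min_sources=2):
        return sorted(c for c, n in self.sources_per_claim().items() if n >= min_sources)

    def unverified(self, min_sources=2):
        return sorted(c for c, n in self.sources_per_claim().items() if n < min_sources)

    def to_jsonl(self):
        """One JSON object per line, suitable for appending to a notes file."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def demo_log():
    """Constructed findings with placeholder URLs and evidence bytes."""
    log = FindingsLog()
    log.add("target works at ExampleCorp", "https://social.example/in/placeholder",
            b"<constructed screenshot bytes 1>", "2023-06-14T15:02:11+00:00")
    log.add("target works at ExampleCorp", "https://www.examplecorp.test/team",
            b"<constructed page source 2>", "2023-06-14T15:05:40+00:00")
    log.add("target lives in Springfield", "https://social.example/post/1",
            b"<constructed screenshot bytes 3>", "2023-06-14T15:09:02+00:00")
    # Same host as the previous record, so it does not count as a second source.
    log.add("target lives in Springfield", "https://social.example/post/2",
            b"<constructed screenshot bytes 4>", "2023-06-14T15:10:30+00:00")
    return log


if __name__ == "__main__":
    log = demo_log()
    print(log.to_jsonl())
    print("verified:", log.verified())
    print("needs another source:", log.unverified())
```

Writing the hash next to the timestamp lets you show later that the screenshot you present is the one you captured, and the per-host rule stops a single profile quoted on several of its own pages from looking like corroboration.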

Knowledge Check

Quick Quiz

Which search engine often finds more reverse image results than Google?

Key Takeaways

  • Extract metadata from images with exiftool - GPS coordinates are gold
  • Use multiple reverse image search engines (Google, Yandex, TinEye)
  • Google dorks unlock powerful site-specific searches
  • sherlock checks usernames across 300+ sites
  • Certificate transparency (crt.sh) reveals subdomains
  • Document findings - OSINT is about connecting dots