ctf-osint


CTF OSINT

String Identification

  • 40 hex chars → SHA-1 (Tor fingerprint)
  • 64 hex chars → SHA-256
  • 32 hex chars → MD5

Tor Relay Lookups

https://metrics.torproject.org/rs.html#simple/<FINGERPRINT>
Check family members and sort by "first seen" date for ordered flags.

Image Analysis

  • Discord avatars: Screenshot and reverse image search
  • Identify objects in images (weapons, equipment) → find character/faction
  • No EXIF? Use visual features (buildings, signs, landmarks)
  • Visual steganography: Flags hidden as tiny/low-contrast text in images (not binary stego)
    • Always view images at full resolution and check ALL corners/edges
    • Black-on-dark or white-on-light text, progressively smaller fonts
    • Profile pictures/avatars are common hiding spots
  • Twitter strips EXIF on upload - don't waste time on stego for Twitter-served images
  • Tumblr preserves more metadata in avatars than in post images

Geolocation Techniques

  • Railroad crossing signs: white X with red border = Canada
  • Use infrastructure maps:
  • Process of elimination: narrow by country first, then region
  • Cross-reference multiple features (rail + power lines + mountains)
  • MGRS coordinates: grid-based military system (e.g., "4V FH 246 677") → convert online

Social Media OSINT

  • Check Wayback Machine for deleted posts on Bluesky, Twitter, etc.
  • Unlisted YouTube videos may be linked in deleted posts
  • Bio links lead to itch.io, personal sites with more info
  • Search "username" with quotes on platform-specific searches
  • Challenge titles are often hints (e.g., "Linked Traces" → LinkedIn / linked accounts)

Twitter/X Account Tracking

Persistent numeric User ID (key technique):
  • Every Twitter/X account has a permanent numeric ID that never changes
  • Access any account by ID: https://x.com/i/user/<numeric_id> (works even after username changes)
  • Find the user ID in archived pages (JSON-LD "author":{"identifier":"..."})
  • Useful when the username is deleted/changed but you have the ID from forensic artifacts
Username rename detection:
  • Twitter user IDs persist across username changes; t.co shortlinks point to OLD usernames
  • Wayback CDX API to find archived profiles: http://web.archive.org/cdx/search/cdx?url=twitter.com/USERNAME*&output=json
  • Archived pages contain JSON-LD with user ID, creation date, follower/following counts
  • t.co links in archived tweets reveal previous usernames (the redirect URL contains the username at time of posting)
  • Same tweet ID accessible under different usernames = confirmed rename
Alternative Twitter data sources:
  • Nitter instances (e.g., nitter.poast.org/USERNAME) show tweets without login
  • Syndication API: https://syndication.twitter.com/srv/timeline-profile/screen-name/USERNAME
  • Twitter Snowflake IDs encode timestamps: (id >> 22) + 1288834974657 = Unix ms
  • memory.lol and twitter.lolarchiver.com track username history
Wayback Machine for Twitter:
  • Find all archived URLs for a username
  • Also check profile images
  • Check t.co shortlinks
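The Twitter techniques above (Snowflake timestamp decoding, building and parsing a Wayback CDX query, pulling the user ID out of archived JSON-LD, and confirming a rename from one tweet ID seen under two usernames) as a single worked script. This is an added example, not code from the original page; the CDX payload, the JSON-LD fragment and the status URLs it parses are constructed samples, and the handles in them (old_handle, new_handle) are made up.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

TWITTER_EPOCH_MS = 1288834974657  # Snowflake epoch: 2010-11-04 01:42:54.657 UTC


def snowflake_to_unix_ms(snowflake_id: int) -> int:
    """The 22 low bits hold worker/sequence; everything above is ms since the Twitter epoch."""
    return (snowflake_id >> 22) + TWITTER_EPOCH_MS


def snowflake_to_datetime(snowflake_id: int) -> datetime:
    """Integer arithmetic via timedelta avoids float rounding of the millisecond value."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
        milliseconds=snowflake_to_unix_ms(snowflake_id))


def cdx_query_url(username: str) -> str:
    """Wayback CDX query listing every archived twitter.com URL under a username."""
    return ("http://web.archive.org/cdx/search/cdx?url="
            f"twitter.com/{quote(username)}*&output=json")


def parse_cdx_json(payload: str) -> list[dict]:
    """CDX JSON output is a list of rows; the first row names the fields."""
    rows = json.loads(payload)
    if not rows:
        return []
    header, *captures = rows
    return [dict(zip(header, row)) for row in captures]


JSONLD_RE = re.compile(
    r'<script[^>]*type="application/ld\+json"[^>]*>(.*?)</script>', re.S)


def jsonld_author_ids(html: str) -> set[str]:
    """Collect "author":{"identifier": ...} values from the JSON-LD blocks of an archived profile."""
    ids: set[str] = set()
    for blob in JSONLD_RE.findall(html):
        try:
            data = json.loads(blob)
        except json.JSONDecodeError:
            continue
        ident = (data.get("author") or {}).get("identifier")
        if ident:
            ids.add(str(ident))
    return ids


STATUS_URL_RE = re.compile(
    r"https?://(?:www\.)?(?:twitter|x)\.com/([A-Za-z0-9_]{1,15})/status/(\d+)")


def status_links(text: str) -> list[tuple[str, str]]:
    """(username, tweet_id) for every status URL, e.g. resolved t.co targets in archived tweets."""
    return STATUS_URL_RE.findall(text)


def rename_candidates(pairs: list[tuple[str, str]]) -> dict[str, set[str]]:
    """A tweet ID reachable under more than one username is evidence of a rename."""
    seen: dict[str, set[str]] = {}
    for user, tweet_id in pairs:
        seen.setdefault(tweet_id, set()).add(user.lower())
    return {tid: users for tid, users in seen.items() if len(users) > 1}


# --- constructed samples (not real captures) -------------------------------
SAMPLE_CDX = json.dumps([
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["com,twitter)/old_handle", "20190312101500", "https://twitter.com/old_handle",
     "text/html", "200", "CONSTRUCTEDDIGEST0001", "54321"],
    ["com,twitter)/old_handle/status/4194304000", "20190312102000",
     "https://twitter.com/old_handle/status/4194304000", "text/html", "200",
     "CONSTRUCTEDDIGEST0002", "12345"],
])
SAMPLE_PROFILE_HTML = (
    '<html><head><script type="application/ld+json">'
    '{"@type":"ProfilePage","author":{"@type":"Person","identifier":"123456789",'
    '"additionalName":"old_handle"}}</script></head></html>'
)
SAMPLE_TWEET_TEXT = (
    "archived: https://twitter.com/old_handle/status/4194304000 "
    "live: https://x.com/new_handle/status/4194304000 "
    "unrelated: https://twitter.com/someone_else/status/99"
)

if __name__ == "__main__":
    print(cdx_query_url("old_handle"))
    for cap in parse_cdx_json(SAMPLE_CDX):
        print(cap["timestamp"], cap["original"], cap["statuscode"])
    print("user ids:", jsonld_author_ids(SAMPLE_PROFILE_HTML))
    print("renames:", rename_candidates(status_links(SAMPLE_TWEET_TEXT)))
    print("tweet 4194304000 created", snowflake_to_datetime(4194304000).isoformat())
```

In real use, fetch the `cdx_query_url` result and each archived page with any HTTP client and feed the bodies to `parse_cdx_json`, `jsonld_author_ids` and `status_links`; the Snowflake decoder works on user IDs as well as tweet IDs, so it also dates an account found via https://x.com/i/user/<numeric_id>.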

Tumblr Investigation

Blog existence check:
  • curl -sI "https://USERNAME.tumblr.com" → look for the x-tumblr-user header (confirms the blog exists even if the API returns 401)
  • Tumblr API may return 401 (Unauthorized) but the blog is still publicly viewable via browser
Extracting post content from Tumblr HTML:
  • Tumblr embeds post data as JSON in the page HTML
  • Search for "content":[ to find post body data
  • Posts contain type: "text" with a text field, and type: "image" with media URLs
  • Avatar URL pattern: https://64.media.tumblr.com/HASH/HASH-XX/s512x512u_c1/FILENAME.jpg
Avatar as flag container:
  • Direct avatar endpoint: https://api.tumblr.com/v2/blog/USERNAME.tumblr.com/avatar/512
  • Or simply: https://USERNAME.tumblr.com/avatar/512 (redirects to CDN URL)
  • Available sizes: 16, 24, 30, 40, 48, 64, 96, 128, 512
  • Flags may be hidden as small text in avatar images (visual stego, not binary stego)
  • Always download the highest resolution (512) and zoom in on all areas
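The Tumblr steps above (reading x-tumblr-user from a `curl -sI` header block, locating each embedded `"content":[` array and splitting it into text bodies and image URLs, and building the 512px avatar URL) as one added Python example. It is not code from the original page or from Tumblr; the header block and page HTML it parses are constructed samples, the blog name examplehandle is made up, and the text/image block layout it assumes is the one the notes describe (type "text" with a text field, type "image" with a media list).

```python
import json
from typing import Optional

AVATAR_SIZES = (16, 24, 30, 40, 48, 64, 96, 128, 512)
CONTENT_MARKER = '"content":['


def tumblr_user_from_headers(raw_headers: str) -> Optional[str]:
    """Parse the output of `curl -sI https://USERNAME.tumblr.com`; an x-tumblr-user
    header confirms the blog exists even when the API answers 401."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-tumblr-user":
            return value.strip()
    return None


def avatar_url(username: str, size: int = 512) -> str:
    """Public avatar endpoint; 512 is the largest size, so inspect that one for tiny text."""
    if size not in AVATAR_SIZES:
        raise ValueError(f"size must be one of {AVATAR_SIZES}")
    return f"https://api.tumblr.com/v2/blog/{username}.tumblr.com/avatar/{size}"


def extract_content_blocks(html: str) -> list[list[dict]]:
    """Find each '"content":[' array embedded in the page and decode it in place.
    JSONDecoder.raw_decode parses exactly one JSON value and stops, so the HTML
    around the array does not need to be valid JSON."""
    decoder = json.JSONDecoder()
    blocks: list[list[dict]] = []
    pos = 0
    while (idx := html.find(CONTENT_MARKER, pos)) >= 0:
        array_start = idx + len(CONTENT_MARKER) - 1  # index of the '['
        try:
            value, consumed = decoder.raw_decode(html[array_start:])
        except json.JSONDecodeError:
            pos = idx + 1
            continue
        if isinstance(value, list):
            blocks.append(value)
        pos = array_start + consumed
    return blocks


def summarize_posts(blocks: list[list[dict]]) -> tuple[list[str], list[str]]:
    """Return (text bodies, image URLs): type "text" carries a text field,
    type "image" carries a media list whose entries have a url."""
    texts: list[str] = []
    images: list[str] = []
    for post in blocks:
        for block in post:
            if block.get("type") == "text":
                texts.append(block.get("text", ""))
            elif block.get("type") == "image":
                images.extend(m["url"] for m in block.get("media", []) if "url" in m)
    return texts, images


# --- constructed samples (not captured from a real blog) -------------------
SAMPLE_HEADERS = (
    "HTTP/2 200\r\n"
    "content-type: text/html; charset=utf-8\r\n"
    "x-tumblr-user: examplehandle\r\n"
)
SAMPLE_HTML = (
    '<html><body><script>window.__STATE = {"posts":[{"id":"1","content":['
    '{"type":"text","text":"look closer at the avatar"},'
    '{"type":"image","media":[{"url":"https://64.media.tumblr.com/HASH/HASH-11/'
    's512x512u_c1/pic.jpg","width":512}]}]}]};</script></body></html>'
)

if __name__ == "__main__":
    print("blog owner:", tumblr_user_from_headers(SAMPLE_HEADERS))
    print("avatar:", avatar_url("examplehandle"))
    texts, images = summarize_posts(extract_content_blocks(SAMPLE_HTML))
    print("texts:", texts)
    print("images:", images)
```

`raw_decode` is what makes this robust: it consumes one JSON value starting at the `[` and returns how many characters it used, so the loop resumes after the array and never tries to parse the surrounding script tag as JSON.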

Historical Research

DNS Reconnaissance

Flags often in TXT records of subdomains, not root domain:
```bash
dig -t txt subdomain.ctf.domain.com
dig -t any domain.com
dig axfr @ns.domain.com domain.com  # Zone transfer
```

Google Docs/Sheets in OSINT

  • Suspects may link to Google Sheets/Docs in tweets or posts
  • Try public access URLs:
    • /export?format=csv - Export as CSV
    • /pub - Published version
    • /gviz/tq?tqx=out:csv - Visualization API CSV export
    • /htmlview - HTML view
  • Private sheets require authentication; the flag may be in the sheet itself
  • Sheet IDs are stable identifiers even if sharing settings change

MGRS (Military Grid Reference System)

Pattern (On The Grid): Encoded coordinates like "4V FH 246 677".
Identification: Challenge title mentions "grid", code format matches MGRS pattern.
Conversion: Use online MGRS converter → lat/long → Google Maps for location name.

FEC Political Donation Research

Pattern (Shell Game): Track organizational donors through FEC filings.
Key resources:
  • FEC.gov - Committee receipts and expenditures
  • 501(c)(4) organizations can donate to Super PACs without disclosing original funders
  • Look for largest organizational donors, then research org leadership (CEO/President)

BlueSky Advanced Search

Pattern (Ms Blue Sky): Find target's posts on BlueSky social media.
Search filters:
```text
from:username        # Posts from specific user
since:2025-01-01     # Date range
has:images           # Posts with images
```

Resources

  • Shodan - Internet-connected devices
  • Censys - Certificate and host search
  • VirusTotal - File/URL reputation
  • WHOIS - Domain registration
  • Wayback Machine - Historical snapshots

Reverse Image Search

  • Google Images (most comprehensive)
  • TinEye (exact match)
  • Yandex (good for faces, Eastern Europe)
  • Bing Visual Search

Username OSINT

  • namechk.com - Check username across platforms
  • whatsmyname.app - Username enumeration (741+ sites)
  • Search "username" in quotes on major platforms
Username chain tracing (account renames):
  1. Start with known username → find Wayback archives
  2. Look for t.co links or cross-references to other usernames in archived pages
  3. Discovered new username → enumerate across ALL platforms again
  4. Repeat until you find the platform with the flag
Platform false positives (return 200 but no real profile):
  • Telegram (t.me/USER): always returns 200 with a "Contact @USER" page; check for "View" vs "Contact" in the title
  • TikTok: returns 200 with "Couldn't find this account" in the body
  • Smule: returns 200 with "Not Found" in the page content
  • linkin.bio: redirects to the Later.com product page for unclaimed names
  • Instagram: returns 200 but shows a login wall (profile may or may not exist)
Priority platforms for CTF username enumeration:
  • Twitter/X, Tumblr, GitHub, Reddit, Bluesky, Mastodon
  • Spotify, SoundCloud, Steam, Keybase
  • Pastebin, LinkedIn, YouTube, TikTok
  • bio-link services (linktr.ee, bio.link, about.me)
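The soft-404 rules in the "Platform false positives" list, turned into a classifier that runs over probe results before anyone trusts a 200. This is an added example rather than code from the original page or from any enumeration tool; the `ProbeResult` records below are constructed (no live requests are made), the handle examplehandle is made up, and the rules follow the notes above (including the Telegram "View" vs "Contact" title heuristic) rather than any platform's documented behaviour.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class ProbeResult:
    """What a username probe returned: HTTP status, URL after redirects, title and body."""
    platform: str
    status: int
    final_url: str
    title: str
    body: str


def classify(r: ProbeResult) -> str:
    """Return "exists", "absent" or "unknown", applying the per-platform soft-404
    rules before falling back to the status code. Heuristics only."""
    platform = r.platform.lower()
    title, body = r.title.lower(), r.body.lower()
    host = urlparse(r.final_url).netloc.lower()

    if platform == "telegram":
        # t.me answers 200 for any name: "Contact @user" is the placeholder page,
        # "View @user" a real profile (per the notes above).
        if "view @" in title:
            return "exists"
        if "contact @" in title:
            return "absent"
        return "unknown"
    if platform == "tiktok" and "couldn't find this account" in body:
        return "absent"
    if platform == "smule" and "not found" in body:
        return "absent"
    if platform == "linkin.bio" and host.endswith("later.com"):
        return "absent"  # unclaimed names redirect to the Later.com product page
    if platform == "instagram" and r.status == 200 and ("login" in body or "log in" in body):
        return "unknown"  # login wall hides whether the profile exists

    if r.status == 404:
        return "absent"
    if 200 <= r.status < 300:
        return "exists"
    return "unknown"


def triage(results: list[ProbeResult]) -> dict[str, str]:
    """Map each platform to its verdict so only "exists" hits get manual follow-up."""
    return {r.platform: classify(r) for r in results}


# --- constructed probe results (not live responses) ------------------------
SAMPLE_PROBES = [
    ProbeResult("telegram", 200, "https://t.me/examplehandle",
                "Telegram: Contact @examplehandle", "If you have Telegram, you can contact..."),
    ProbeResult("tiktok", 200, "https://www.tiktok.com/@examplehandle",
                "TikTok", "<div>Couldn't find this account</div>"),
    ProbeResult("smule", 200, "https://www.smule.com/examplehandle",
                "Smule", "<h1>Not Found</h1>"),
    ProbeResult("linkin.bio", 200, "https://later.com/linkinbio/",
                "Linkin.bio by Later", "Turn your bio link into a storefront"),
    ProbeResult("instagram", 200, "https://www.instagram.com/examplehandle/",
                "Instagram", "Log in to see photos and videos"),
    ProbeResult("github", 200, "https://github.com/examplehandle",
                "examplehandle (Example)", "<div class='profile'>...</div>"),
    ProbeResult("reddit", 404, "https://www.reddit.com/user/examplehandle",
                "Reddit", "Sorry, nobody on Reddit goes by that name."),
]

if __name__ == "__main__":
    for platform, verdict in triage(SAMPLE_PROBES).items():
        print(f"{platform:<11} {verdict}")
```

Keeping the per-platform rules ahead of the generic status-code fallback is the whole point: every one of the "absent" verdicts in the sample came back as HTTP 200, so a tool that keys only on the status code would report six hits where there is one.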

Metadata Extraction

```bash
exiftool image.jpg           # EXIF data
pdfinfo document.pdf         # PDF metadata
mediainfo video.mp4          # Video metadata
```

Google Dorking

```text
site:example.com filetype:pdf
intitle:"index of" password
inurl:admin
"confidential" filetype:doc
```

Telegram Bot Investigation

Pattern: Forensic artifacts (browser history, chat logs) may reference Telegram bots that require active interaction.
Finding bot references in forensics:
```python
# Search browser history for Telegram URLs
import sqlite3

conn = sqlite3.connect("History")  # Edge/Chrome history DB (work on a copy; the live file is locked while the browser runs)
cur = conn.cursor()
cur.execute("SELECT url FROM urls WHERE url LIKE '%t.me/%'")
for (url,) in cur.fetchall():
    print(url)
conn.close()
```

**Bot interaction workflow:**
1. Visit `https://t.me/<botname>` → Opens in Telegram
2. Start conversation with `/start` or bot's custom command
3. Bot may require verification (CTF-style challenges)
4. Answers often require knowledge from forensic analysis

**Verification question patterns:**
- "Which user account did you use for X?" → Check browser history, login records
- "Which account was modified?" → Check Security.evtx Event 4781 (rename)
- "What file did you access?" → Check MRU, Recent files, Shellbags

**Example bot flow:**
Bot: "TIER 1: Which account used for online search?" → Answer from Edge history showing Bing/Google searches
Bot: "TIER 2: Which account name did you change?" → Answer from Security event log (account rename events)
Bot: [Grants access] "Website: http://x.x.x.x:5000, Username: mehacker, Password: flaghere"

**Key insight:** Bot responses may reveal:
- Attacker's real identity/handle
- Credentials to secondary systems
- Direct flag components
- Links to hidden web services


MetaCTF OSINT Challenge Patterns

Common flow:
  1. Start image with hidden EXIF/metadata → extract username
  2. Username enumeration (Sherlock/WhatsMyName) across platforms
  3. Find profile on platform X with clues pointing to platform Y
  4. Flag hidden on the final platform (Spotify bio, BlueSky post, Tumblr avatar, etc.)
Platform-specific flag locations:
  • Spotify: playlist names, artist bio
  • BlueSky: post content
  • Tumblr: avatar image, post text
  • Reddit: post/comment content
  • Smule: song recordings or bio
  • SoundCloud: track description
Key techniques:
  • Account rename tracking via Wayback + t.co links
  • Cross-platform username correlation
  • Visual inspection of all profile images at max resolution
  • Song lyric identification → artist/song as flag component

IP Geolocation & Attribution

Free geolocation services:

  • IP-API (no key required)
  • ipinfo.io


**Bangladesh IP ranges (common in KCTF):**
- `103.150.x.x` - Bangladesh ISPs
- Mobile prefixes: +880 13/14/15/16/17/18/19

**Correlating location with evidence:**
- Windows telemetry (imprbeacons.dat) contains `CIP` field
- Login history APIs may show IP + OS correlation
- VPN/proxy detection via ASN lookup
