👁️

OSINT

Open-Source Intelligence challenges require you to find information about targets using only publicly available data: social media, image metadata, domain records, satellite imagery, and public databases.

What is it?

OSINT (Open-Source Intelligence) is the collection and analysis of information from publicly available sources — websites, social media, public records, satellite imagery, domain registrations, job postings, and more.

It is used by law enforcement, journalists, penetration testers, and threat intelligence analysts to build profiles of individuals, organisations, and infrastructure without any direct interaction with the target.

How it works in a CTF

In a CTF, OSINT challenges give you a starting point (a username, a photo, a company name, a tweet) and ask you to discover a specific fact — a real-world location, an email address, a date, or a connection between entities. No hacking tools are needed; only research skills and patience.

Common workflow: identify all data points in the brief → reverse image search → check social media profiles → inspect WHOIS / Shodan / Certificate Transparency logs → cross-reference findings → geolocate if needed.

Example challenge types
  - Geolocate a photo (street signs, landmarks)
  - Find a person's employer from LinkedIn
  - Identify a building from satellite view
  - Username pivot across platforms
  - WHOIS / DNS history lookup
  - Find deleted tweet (Wayback Machine)
  - Decode GPS EXIF from image
  - Shodan search for exposed service
  - Certificate Transparency subdomain enum
  - Identify ship/aircraft from AIS/ADS-B
  - Reverse email → real name
  - Find source code from a screenshot

Sample Challenge

Gone Offline
OSINT Medium 200 pts
A threat actor posted a photo on a now-deleted Twitter account and claimed it was taken "somewhere in the capital". The only artefact you have is a screenshot of the tweet including the image. Find the exact street address of where the photo was taken.
tweet_screenshot.png
How to solve it
  1. Crop the embedded image from the screenshot. Reverse-image search with Google, TinEye, and Yandex — Yandex finds a match on a local tourism blog.
  2. The blog post names the city district. Cross-reference with Google Street View to identify the visible building facade and street signage.
  3. Check the Wayback Machine for the original tweet URL (extracted from the screenshot URL bar) — the archived version still has the original image with GPS EXIF intact.
  4. Run exiftool original.jpg — GPS coordinates appear. Convert DMS to decimal and look up in Google Maps.
  5. The pin drops on a specific cafe. The street address is the flag.
FLAG{47.6062_N_122.3321_W_pike_place_market}
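
The DMS-to-decimal conversion from step 4, as an added example that is not part of the original write-up: it parses the coordinate lines exiftool prints by default and returns signed decimal degrees, or None when the file carries no GPS tags (as with a re-encoded screenshot). The function names and the sample text are assumptions made for illustration.

```python
import re

# exiftool's default coordinate rendering, e.g.: 47 deg 36' 22.32" N
DMS_RE = re.compile(
    r"""(?P<deg>\d{1,3})\s*deg\s*
        (?P<min>\d{1,2})\s*'\s*
        (?P<sec>\d{1,2}(?:\.\d+)?)\s*"\s*
        (?P<ref>[NSEW])""",
    re.VERBOSE,
)

def dms_to_decimal(deg, minutes, seconds, ref):
    """Degrees/minutes/seconds plus hemisphere letter -> signed decimal degrees."""
    if not (0 <= minutes < 60 and 0 <= seconds < 60):
        raise ValueError("minutes and seconds must be in [0, 60)")
    value = deg + minutes / 60 + seconds / 3600
    limit = 90 if ref in "NS" else 180
    if value > limit:
        raise ValueError(f"{value} is out of range for hemisphere {ref}")
    # South and West are negative in decimal notation.
    return -value if ref in "SW" else value

def parse_gps(exif_text):
    """Return (lat, lon) rounded to 6 places, or None when no GPS pair is present."""
    found = {}
    for line in exif_text.splitlines():
        tag, _, rest = line.partition(":")
        m = DMS_RE.search(rest)
        if m and tag.strip() in ("GPS Latitude", "GPS Longitude"):
            found[tag.strip()] = dms_to_decimal(
                int(m["deg"]), int(m["min"]), float(m["sec"]), m["ref"])
    if len(found) != 2:
        return None
    return round(found["GPS Latitude"], 6), round(found["GPS Longitude"], 6)

# Constructed sample output (not from a real image), chosen to match
# the coordinates in this challenge's flag.
SAMPLE = """\
File Name                       : original.jpg
GPS Latitude Ref                : North
GPS Latitude                    : 47 deg 36' 22.32" N
GPS Longitude                   : 122 deg 19' 55.56" W
"""

if __name__ == "__main__":
    print(parse_gps(SAMPLE))
```

exiftool can also print signed decimal values directly with its -n option, which makes a useful cross-check on a manual conversion.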

Getting Started Tips

💡 Tip: Develop a structured workflow: Identify → Collect → Analyse → Report. Don't jump to conclusions before gathering sufficient data.
💡 Tip: Reverse image search with Google, TinEye, AND Yandex — Yandex frequently finds matches the others miss, especially for buildings and landscapes.
💡 Tip: For geolocation challenges: look for text (signs, licence plates), vegetation, infrastructure (power lines, road markings), and sun angle.
💡 Tip: Check the Wayback Machine (web.archive.org) and Google Cache for deleted content — OSINT challenges often reference historical pages.