OSINT 101 Write-Up
This CTF was hosted by OSINT Combine on CTFd. This write‑up documents my process during the OSINT Combine OSINT 101 CTF. It reflects my reasoning, the tools I used, the mistakes I made, and what I learned as a beginner analyst. I’m including it here to show my investigative workflow and how I approach open‑source problems step‑by‑step.
Link: https://osintcombine.ctfd.io
This CTF consists of 20 questions in total: 7 100-point questions, 8 200-point questions, 3 300-point questions, and 2 400-point questions. It is untimed.
I was able to answer every question except one of the 400-point questions, which I will solve another time.
Challenge 1: Reconnaissance (100)
Prompt:
What is Isaiah’s last name? His email address is isaiah9292@gmail.com. The answer is a one‑word surname in lowercase.
Approach:
I used exact‑match search queries. Enclosing the email in quotation marks (“isaiah9292@gmail.com”) makes sure that search engines return only pages containing that precise string. This method is pretty effective for uncovering public mentions of an email across forums, social media, or other indexed sources.
Analysis:
The first search results returned two similar surnames, which led to an incorrect submission on my first attempt. Reviewing the results more carefully revealed that one surname appeared consistently across multiple sources, while the other was a false positive. This emphasized the importance of validating findings across more than one result and avoiding assumptions based on a single data point.
Answer: arredondo
…
Challenge 2: Parse This (100)
Prompt:
Can you identify the browser being used from this User Agent String? Answer is the name of a common browser — one word, lower case.
User‑Agent String:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82
Approach:
I broke the User‑Agent string into its parts to see which segment indicated the actual browser.
Analysis:
Mozilla/5.0 - A compatibility token used by most modern browsers.
(Windows NT 10.0; Win64; x64) - Operating system and architecture.
AppleWebKit/537.36 - Rendering engine version, commonly included across browsers.
(KHTML, like Gecko) - Indicates compatibility with the Gecko engine.
Chrome/114.0.0.0 - Shows the browser is Chromium‑based.
Safari/537.36 - Another compatibility token.
Edg/114.0.1823.82 - The key identifier; the “Edg” token identifies Microsoft Edge.
Answer: edge
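The token-by-token breakdown above can be automated. The following is an added example, not part of the original challenge or tooling: it checks the most specific product tokens first, because Chromium-based browsers also carry Chrome/ and Safari/ tokens. The token list and function names are assumptions chosen for illustration.

```python
import re

# User-Agent string from the challenge prompt above.
CHALLENGE_UA = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82"
)

# Most specific tokens first: Edge and Opera also send Chrome/ and Safari/,
# and Chrome itself sends Safari/, so the order decides the result.
BROWSER_TOKENS = [
    ("edge", r"\bEdg(?:e|A|iOS)?/([\d.]+)"),
    ("opera", r"\bOPR/([\d.]+)"),
    ("firefox", r"\bFirefox/([\d.]+)"),
    ("chrome", r"\bChrome/([\d.]+)"),
    ("safari", r"\bVersion/([\d.]+).*\bSafari/"),
]


def product_tokens(user_agent):
    """Return (product, version) pairs, ignoring parenthesised comments."""
    without_comments = re.sub(r"\([^)]*\)", " ", user_agent)
    return re.findall(r"([A-Za-z]+)/([\d.]+)", without_comments)


def identify_browser(user_agent):
    """Return (browser, version) for the most specific token present.

    The header is client-controlled, so treat the result as a claim made
    by the client, not as verified fact.
    """
    for name, pattern in BROWSER_TOKENS:
        match = re.search(pattern, user_agent)
        if match:
            return name, match.group(1)
    return "unknown", None


if __name__ == "__main__":
    for product, version in product_tokens(CHALLENGE_UA):
        print(f"{product:12} {version}")
    print(identify_browser(CHALLENGE_UA))
```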
…
Challenge 3: Pwned (100)
Prompt:
The email address edwardtheconfessor@gmail.com has been involved in a number of data breaches over the years, including a breach of a ticket distribution website. What is the name of the ticket distribution service that edwardtheconfessor@gmail.com’s data appeared in?
Approach:
I used Have I Been Pwned to check breach records associated with the email address.
Analysis:
Entering the email into the platform returned a list of breaches. Among them was a breach involving a ticket distribution service.
Answer: ticketfly
…
Challenge 4: Picnic (100)
Prompt:
Who does the Facebook ID 100086831574749 belong to? Answer is the Facebook user’s vanity name - one word, lower case.
Approach:
I used Facebook’s profile‑ID URL structure to locate the account.
Analysis:
Navigating to *http://facebook.com/profile.php?id=100086831574749* redirected to the user’s profile, revealing the name.
Answer: yogibear
…
Challenge 5: Catching the Bus (100)
Prompt:
Which suburb was this photograph taken in? Answer is one word, lower case.
Approach:
I uploaded the image to an EXIF metadata viewer to check for embedded GPS coordinates.
Analysis:
The metadata contained latitude and longitude values. Entering these coordinates into Google Maps at first produced an incorrect location due to embedded map misalignment. Manually inputting the coordinates yielded the correct suburb: Reservoir, Victoria, Australia.
Answer: reservoir
…
Challenge 6: Land-Locked (100)
Prompt:
What is the Telegram handle for the Bolivian Ministry of Education? Answer is the handle (username) without the @ symbol, lower case.
Approach:
I did targeted Google searches using combinations of the ministry name and “Telegram.”
Analysis:
The query bolivian ministry of education “telegram” returned a result listing the official Telegram handle.
Answer: minedubol
…
Challenge 7: Penguin (100)
Prompt:
In which European city would you find this yellow fellow?
Answer is the name of the city, one word, lower case.
Approach:
I performed a reverse image search using Google Images.
Analysis:
The search returned multiple identical images with captions identifying the location.
Answer: prague
…
Challenge 8: Enlightening (200)
Prompt:
A brief introduction was published on the Brown University website in txt file format — it is quite old, but it’s still there. It was an introduction to basic concepts of *something* - what was the topic? Answer is two words from the text file title, lower case.
Approach:
I used Google dorking to search Brown University’s domain for text files containing the phrase “Introduction to basic concepts of.”
Analysis:
The query *site:brown.edu “Introduction to basic concepts of ” filetype:txt* returned a text file titled Buddhism.txt, which introduced basic concepts of Tibetan Buddhism.
Answer: tibetan buddhism
…
Challenge 9: Corporate Grind (200)
Prompt:
There is a Norwegian company with ‘Alabaster’ in its name. There might be records of it in a corporate directory somewhere — can you find the company number?
Approach:
I used OpenCorporates to search for Norwegian companies containing “Alabaster.”
Analysis:
Filtering by jurisdiction (Norway) returned one active company. Its profile listed the company number.
Answer: 928117545
…
Challenge 10: Teia Escura (200)
Prompt:
Which Reddit user shared a link to OSINT Combine’s website in a comment on the r/brasil subreddit? Answer is the Reddit account username, lower case.
Approach:
I searched within the r/brasil subreddit using the term osintcombine.
Analysis:
Switching to the “Comments” tab revealed a comment containing the link, along with the username.
Answer: tailedpotemkin
…
Challenge 11: High Tor (200)
Prompt:
There is an Icelandic Tor relay named ‘Utopia’ - there is a Protonmail address associated with this account. What is it?
Answer is an email address (name@protonmail.com), lower case.
Approach:
I searched for the relay name along with “Icelandic Tor.”
Analysis:
Search results included a relay listing that displayed the associated email address.
Answer: maxzrbn@protonmail.com
…
Challenge 12: Forensic (200)
Prompt:
Back in 2013, someone called Patrick Olsen registered a dot org (.org) domain. What is the domain name? Answer is the website domain name, not including the TLD, lowercase.
Approach:
I used ViewDNS’s Reverse WHOIS lookup to search for domains registered under the name Patrick Olsen.
Analysis:
Filtering for .org domains revealed a single matching registration from 2013.
Answer: systemforensics
…
Challenge 13: D-Day (200)
Prompt:
In the first week of December 2020, the Sydney Morning Herald ran an article about some kind of invasion in Melbourne. Who or what was the invading force? Answer is two words, lower case.
Approach:
I searched the Sydney Morning Herald website using targeted keywords.
Analysis:
The query “Melbourne” “December 2020” “invading” site:smh.com.au returned an article describing an invasion of “hairy weed.”
Answer: hairy weed
…
Challenge 14: And the Award Goes To (200)
Prompt:
What are the last four letters of the YouTube channel ID for the official Academy of Motion Picture Arts and Sciences Awards channel?
The answer is the last four letters of the channel ID, lower case.
Approach:
I accessed the official Oscars YouTube channel and examined the channel ID in the URL. You can also use an online tool.
Analysis:
The final four characters of the channel ID were “jiqq.”
Answer: jiqq
…
Challenge 15: Flowers (200)
Prompt:
There were three vans from the same company all parked in a row on New Industrial Road, Singapore in September 2022. What colour were they?
The answer is one word, lower case.
Approach:
I used Google Maps Street View and accessed historical imagery for September 2022.
Analysis:
Navigating along New Industrial Road revealed three vans parked together, all of which were pink.
Answer: pink
…
Challenge 16: Bit Sheepish (300)
Prompt:
An image was posted on Instagram in May 2023. What was the name of the account that was tagged in this post?
Answer is the tagged user account name, 13 characters, lower case.
Approach:
I extracted key details from the provided image, including the posting account, date, and caption, then used these to search for the original post.
Analysis:
Locating the post allowed me to view the tagged accounts. One matched the required character length.
Answer: formafantasma
…
Challenge 17: Tick Tock (300)
Prompt:
What time of day (GMT) was https://www.tiktok.com/@yahoofrance/video/6964011394391903493 TikTok video posted? Answer is in 24-hour time in the format HH:MM (i.e 16:37).
Approach:
I used a third‑party TikTok metadata extraction tool to retrieve timestamp information.
Analysis:
Entering the video URL returned the posting time in GMT.
Answer: 14:40
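The posting time can also be cross-checked offline from the video URL itself. This is an added example, not the tool used in the write-up: it assumes the commonly observed layout of TikTok video IDs, in which the upper 32 bits hold a Unix timestamp in seconds (this layout is not documented by TikTok). The function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Video URL from the challenge prompt above.
CHALLENGE_URL = "https://www.tiktok.com/@yahoofrance/video/6964011394391903493"


def tiktok_video_id(url):
    """Extract the numeric video ID from a TikTok video URL."""
    match = re.search(r"/video/(\d+)", url)
    if match is None:
        raise ValueError(f"no video ID found in {url!r}")
    return int(match.group(1))


def tiktok_post_time(url):
    """Return the posting time (UTC) implied by the video ID.

    Assumption: the top 32 bits of the 64-bit ID are a Unix timestamp.
    """
    video_id = tiktok_video_id(url)
    if video_id >= 1 << 64:
        raise ValueError("video ID does not fit in 64 bits")
    unix_seconds = video_id >> 32  # drop the lower 32 bits
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc)


if __name__ == "__main__":
    posted = tiktok_post_time(CHALLENGE_URL)
    print(posted.isoformat())        # full UTC timestamp
    print(posted.strftime("%H:%M"))  # HH:MM format asked for by the prompt
```

The result agrees with the answer returned by the metadata tool, which is a useful consistency check when a single third-party source is the only evidence.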
…
Challenge 18: Sky High (300)
Prompt:
There are a number of domains that share the same mail servers as Lufthansa airline. One of the domains has the name of a Bulgarian city. What is the full domain?
Approach:
I retrieved Lufthansa’s MX records, then performed a reverse MX lookup to identify domains using the same mail server.
Analysis:
The MX record mxb-005f4701.gslb.pphosted.com was associated with 66 domains. Scanning the list revealed one containing the Bulgarian capital, Sofia.
Answer: lht-sofia.com
…
Challenge 19: Snooping Around (400)
Prompt:
A Flickr user took a photo of a vehicle at the location below. What is the message on the back of the van?
71.05676803, 25.7640008
Answer is a two-word phrase, lower case.
Approach:
I began by examining the coordinates in mapping tools and attempted to locate the original Flickr image using reverse image search and platform‑specific search filters. I explored multiple angles, including nearby captures, related tags, and geographic context.
Analysis:
Despite identifying the general area and confirming the presence of vehicles in nearby captures, I was unable to locate the specific image containing the van or its rear‑facing message within the time available. I documented my attempted methods for future reference and plan to revisit this challenge as my skills develop.
Answer: unsolved
…
Challenge 20: Been There Dun That (400)
Prompt:
Which Mapillary user captured this image?
Answer is a username with 8 characters, lower case.
Approach:
I began by examining the visual details in the image to extract geographic and environmental clues.
Road markings, vegetation, signage, and landscape features all provided potential indicators of the region. I also considered the hint embedded in the challenge title.
Analysis:
The road markings and vegetation suggested a location consistent with New Zealand. The trees in the background resembled cabbage trees, which are native to the region. A partially legible sign appeared to reference the Otago Peninsula, which further narrowed the search to the Dunedin area.
Using Mapillary’s “Explore the map” feature, I navigated to Dunedin and focused on roads running along the water. The curve of the road and surrounding terrain matched the image. Reviewing nearby captures revealed the exact photo, along with the username of the contributor.
Answer: 3stripes
Reflection
Working through these challenges reminded me how much you learn simply by trying to solve one question at a time. I love OSINT challenges because you always learn something new when walking through a problem. This exercise highlighted the value of stepping back, checking assumptions, and keeping clear notes. I’m still developing my efficiency and tool selection, and this challenge helped me see exactly where to grow next!