功能描述

Provides open source intelligence techniques for CTF challenges. Use when gathering information from public sources, social media, geolocation, DNS records,...

使用说明 (SKILL.md)

CTF OSINT

Name: Ctf Osint
Author: gandli

Quick reference for OSINT CTF challenges. Each technique has a one-liner here; see supporting files for full details.

Prerequisites

Python packages (all platforms):

pip install shodan Pillow

Linux (apt):

apt install whois dnsutils nmap libimage-exiftool-perl imagemagick curl

macOS (Homebrew):

brew install whois bind nmap exiftool imagemagick curl

Additional Resources

social-media.md - Twitter/X (user IDs, Snowflake timestamps, Nitter, memory.lol, Wayback CDX), Tumblr (blog checks, post JSON, avatars), BlueSky search + API, Unicode homoglyph steganography, Discord API, username OSINT (namechk, whatsmyname, Osint Industries), username metadata mining (postal codes), platform false positives, multi-platform chains, Strava fitness route OSINT
geolocation-and-media.md - Image analysis, reverse image search (including Baidu for China), Google Lens cropped region search, reflected/mirrored text reading, geolocation techniques (railroad signs, infrastructure maps, MGRS), Google Plus Codes, EXIF/metadata, hardware identification, newspaper archives, IP geolocation, Google Street View panorama matching, What3Words micro-landmark matching, Google Maps crowd-sourced photo verification, Overpass Turbo spatial queries, music-themed landmark geolocation with key encoding
web-and-dns.md - Google dorking (including TBS image filters), Google Docs/Sheets enumeration, DNS recon (TXT, zone transfers), Wayback Machine, FEC research, Tor relay lookups, GitHub repository analysis, Telegram bot investigation, WHOIS investigation (reverse WHOIS, historical WHOIS, IP/ASN lookup), fake service banner detection via nmap fingerprinting

When to Pivot

If you already have the files or packets locally and now need extraction or carving, switch to /ctf-forensics.
If the task becomes active exploitation of a live HTTP service, switch to /ctf-web.
If you uncover malware samples, beacons, or suspicious binaries during attribution, switch to /ctf-malware.

Quick Start Commands

# DNS recon
dig -t any target.com
dig -t txt target.com
dig axfr @ns.target.com target.com
whois target.com

# Image metadata
exiftool image.jpg
identify -verbose image.jpg | head -30

# Web archive
curl "https://web.archive.org/web/20230101*/target.com"

# Username lookup
curl -s "https://whatsmyname.app/api/lookup?username=\x3Cuser>"

# Shodan
shodan search "hostname:target.com"
shodan host \x3Cip>

String Identification

40 hex chars -> SHA-1 (Tor fingerprint)
64 hex chars -> SHA-256
32 hex chars -> MD5

Twitter/X Account Tracking

Persistent numeric User ID: https://x.com/i/user/\x3Cid> works even after renames.
Snowflake timestamps: (id >> 22) + 1288834974657 = Unix ms.
Wayback CDX, Nitter, memory.lol for historical data. See social-media.md.

Tumblr Investigation

Blog check: curl -sI for x-tumblr-user header. Avatar at /avatar/512. See social-media.md.

Username OSINT

whatsmyname.app (741+ sites), namechk.com. Watch for platform false positives. See social-media.md.

Image Analysis & Reverse Image Search

Google Lens (crop to region of interest), Google Images, TinEye, Yandex (faces). Check corners for visual stego. Twitter strips EXIF. See geolocation-and-media.md.
Cropped region search: Isolate distinctive elements (shop signs, building facades) and search via Google Lens for better results than full-scene search. See geolocation-and-media.md.
Reflected text: Flip mirrored/reflected text (water, glass) horizontally; search partial text with quoted strings. See geolocation-and-media.md.

Geolocation

Railroad signs, infrastructure maps (OpenRailwayMap, OpenInfraMap), process of elimination. See geolocation-and-media.md.
Street View panorama matching: Feature extraction + multi-metric image similarity ranking against candidate panoramas. Useful when challenge image is a crop of a Street View photo. See geolocation-and-media.md.
Road sign OCR: Extract text from directional signs (town names, route numbers) to pinpoint road corridors. Driving side + sign style + script identify the country. See geolocation-and-media.md.
Architecture + brand identification: Post-Soviet concrete = Russia/CIS; named businesses → search locations/branches → cross-reference with coastline/terrain. See geolocation-and-media.md.
Music-themed landmark geolocation: Multiple images of music-related landmarks worldwide; each yields a piano key number encoding one flag character. Identify all locations first, then decode the key sequence. See geolocation-and-media.md.

MGRS Coordinates

Grid format "4V FH 246 677" -> online converter -> lat/long -> Google Maps. See geolocation-and-media.md.

Google Plus Codes

Format XXXX+XXX (chars: 23456789CFGHJMPQRVWX). Drop a pin on Google Maps → Plus Code appears in details. Free, no API key needed. See geolocation-and-media.md.

Metadata Extraction

exiftool image.jpg           # EXIF data
pdfinfo document.pdf         # PDF metadata
mediainfo video.mp4          # Video metadata

Google Dorking

site:example.com filetype:pdf
intitle:"index of" password

Image TBS filters: Append &tbs=itp:face to Google Image URLs to filter for faces only (strips logos/banners). See web-and-dns.md.

Google Docs/Sheets

Try /export?format=csv, /pub, /gviz/tq?tqx=out:csv, /htmlview. See web-and-dns.md.

DNS Reconnaissance

dig -t txt subdomain.ctf.domain.com
dig axfr @ns.domain.com domain.com  # Zone transfer

Always check TXT, CNAME, MX for CTF domains. See web-and-dns.md.

Tor Relay Lookups

https://metrics.torproject.org/rs.html#simple/\x3CFINGERPRINT> -- check family, sort by "first seen". See web-and-dns.md.

GitHub Repository Analysis

Check issue comments, PR reviews, commit messages, wiki edits via gh api. See web-and-dns.md.

Telegram Bot Investigation

Find bot references in browser history, interact via /start, answer verification questions. See web-and-dns.md.

FEC Political Donation Research

FEC.gov for committee receipts; 501(c)(4) orgs obscure original funders. See web-and-dns.md.

IP Geolocation

curl "http://ip-api.com/json/103.150.68.150"

See geolocation-and-media.md.

Unicode Homoglyph Steganography

Pattern: Visually-identical Unicode characters from different blocks (Cyrillic, Greek, Math) encode binary data in social media posts. ASCII = 0, homoglyph = 1. Group bits into bytes for flag. See social-media.md.

BlueSky Public API

No auth needed. Endpoints: public.api.bsky.app/xrpc/app.bsky.feed.searchPosts?q=..., app.bsky.actor.searchActors, app.bsky.feed.getAuthorFeed. Check all replies to official posts. See social-media.md.

Fake Service Banner Detection

Pattern: Port appears open on a standard service port (22/SSH, 80/HTTP) but runs a fake service. nmap -sV or nc host port reveals the flag in the banner. Never trust port numbers alone -- always fingerprint the service. See web-and-dns.md.

Shodan SSH Fingerprint Lookup

Search Shodan by SSH host key fingerprint to identify servers: shodan search "fingerprint:AA:BB:CC:...". See web-and-dns.md.

Gaming Platform OSINT

Lookup usernames across gaming platforms (Steam, Xbox, PSN, MMOs) for character profiles, activity, and linked accounts. See social-media.md.

Resources

Shodan - Internet-connected devices
Censys - Certificate and host search
VirusTotal - File/URL reputation
WHOIS - Domain registration
Wayback Machine - Historical snapshots

安全使用建议

This is a documentation-only OSINT skill that appears to do what it says. Before installing or running it: (1) verify the skill source/owner if you require provenance; (2) be cautious if you plan to execute example commands — active scans (nmap, dig axfr, ssh-keyscan) can be intrusive and may be illegal or violate terms; (3) the guide includes examples that read local artifacts (e.g., browser History), which can leak private data — ensure your agent/runtime has appropriate sandboxing and you consent to that access; (4) several examples reference third-party API keys (Shodan, SecurityTrails, Google) even though the skill does not declare env vars — only provide such keys if you trust the runtime and need those features; and (5) note the minor metadata inconsistency about the skill being user-invocable in one place and not in another — consider confirming expected invocation behavior with the publisher or by testing in a safe environment.

能力评估

✓ Purpose & Capability

The name/description (CTF OSINT) matches the files and runtime instructions: DNS, web, social media, reverse image, geolocation, and related tooling. The SKILL.md's prerequisites (bash, Python 3, internet, and optional packages like shodan/exiftool) are proportional to the documented techniques. One minor inconsistency: the SKILL.md metadata sets "user-invocable: \"false\"" while the registry metadata lists the skill as user-invocable; this is an administrative mismatch but does not change the capability footprint.

ℹ Instruction Scope

Instructions stick to OSINT/CTF tasks (dig, whois, exiftool, reverse-image searches, feature-matching code examples). They also contain examples that access local forensic artifacts (e.g., opening a browser History SQLite file) and recommend active network probing (nmap, zone transfers, ssh-keyscan). Those actions are plausible for CTFs but are sensitive: local file reads expose private data and active scans can be intrusive or disallowed against third-party targets. The SKILL.md also uses examples referencing API keys (Shodan, SecurityTrails) even though no env vars are declared.

✓ Install Mechanism

This is instruction-only (no install spec, no external downloads). The file lists suggested package installs (pip/apt/brew) as prerequisites rather than performing hidden installs. That is low risk compared with skills that download and execute archives, but users should review any package commands before running them.

ℹ Credentials

The skill declares no required environment variables or credentials, which is reasonable for a documentation-only OSINT guide. However, multiple examples demonstrate use of third-party APIs (Shodan, SecurityTrails, Google Street View API) that require API keys. The skill does not declare or request those keys explicitly; if you provide keys to the agent/runtime, they would be useful but are optional. Also, instructions that read local files (browser History) require filesystem access and may expose sensitive secrets unrelated to public OSINT.

✓ Persistence & Privilege

The skill does not request permanent presence (always:false) and does not modify other skills or global agent settings. The default ability for the model to invoke the skill autonomously (disable-model-invocation:false) is unchanged and not, by itself, a red flag in this context.

版本历史

v1.0.0

Initial release: Quick reference for open source intelligence (OSINT) CTF techniques. - Covers reconnaissance across public sources: social media, geolocation, usernames, DNS records, reverse image search, Google dorking, Wayback Machine, Tor, FEC, and more. - Includes ready-to-use command examples and platform-specific installation instructions. - Offers guidance for identifying unknown data (hashes, coordinates) and pivoting between related CTF skill sets. - Extensive supplementary resource links for in-depth OSINT tasks. - Concise workflows for social media analysis, image and metadata extraction, web archives, DNS research, and technical artifact identification.

元数据

Slug ctf-osint

版本 1.0.0

许可证 MIT-0

累计安装 1

当前安装数 1

历史版本数 1

常见问题

Ctf Osint 是什么？

Provides open source intelligence techniques for CTF challenges. Use when gathering information from public sources, social media, geolocation, DNS records,... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 189 次。

如何安装 Ctf Osint？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install ctf-osint」即可一键安装，无需额外配置。

Ctf Osint 是免费的吗？

是的，Ctf Osint 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Ctf Osint 支持哪些平台？

Ctf Osint 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Ctf Osint？

由 gandli（@gandli）开发并维护，当前版本 v1.0.0。

Ctf Osint