OSINT

dec 2023

A late article on myself, my explorations of OSINT, and how challenge creators can create more concrete OSINT challenges.

As a cyber student and an ad-hoc Misc challenge creator for a local student club, I have yet to see a good OSINT question (my own challenges included, which are not up to par; perhaps I have just been unlucky and have not met the OSINT pros yet): one that has structure and actually makes sense, not pure guesswork. Funnily enough, on every trash-CTF bingo card there is always, you guessed it, an OSINT question/challenge.

What can we do, and how, to make better OSINT questions that actually have methodological steps like the other categories? I think we first need to delve into what OSINT really is.

OSINT, not OSINF

Let's start with the basics: OSINT. What does OSINT really stand for, apart from being Open-Source Intelligence? OSINT is context-driven data: data that can be acted upon, or that gives very concise results (e.g. the OSINT'ed entity is clearly shown to have XXX, or is active on YYY platform or on a given date). What most people actually get, however, is OSINF, Open-Source Information. OSINF is only data, with no meaning attached, and without meaning it is absolutely useless until it finds a purpose (you have to find that purpose, just like a data analyst does).

We must be extremely clear on which is which. The internet holds a huge amount of OSINF, and it is up to you as an individual (or as a group, if you are working as one) to filter that OSINF down, which is a very 'human' part of the work. It is also at this point that the confusion starts to kick in: what do we filter, and how, especially since everyone's approach to the solution is so vastly different? Person 1 could be using a name to start their search, while Person 2 could be using an image's location to start theirs.

For the Creators:

How can we integrate all this knowledge into OSINT challenges in the future? (And improve them, obviously.)

Although OSINT has no standardized workflow like the other categories do, OSINT challenges should, and will, still test several of the same skills:

  • [Basic] Google Dorking / Search Engine Search Manipulation and Optimization

  • [Basic] Common Tools/OSINT Virtual Machine

  • [Medium] Pivoting

  • [Hard] Integration with other categories (eg. Forensics on the images provided)

What we could do, as challenge creators, is start small: give only one piece of information in the challenge description, something the challengers can use as a starting point to pivot from (e.g. a website or a social media profile).

From there, give one simple, direct clue (one that screams: THIS IS THE CLUE TO THE NEXT INFO/FLAG!), e.g. a single post with words, images, or the location of something or some item.

💡 Ideas/Tips

Continue the pivot (e.g. social media platform -> blog -> Wikipedia -> another social media platform -> GitHub repo). Depending on the difficulty and the idea you have, you can mix these steps up.

For the Challengers:

Remember these from above? If not, these are the skills that are usually tested in OSINT challenges. This is your area to shine: if you have not learnt or do not know the following, please go take a look at them:

  • [Basic] Google Dorking / Search Engine Search Manipulation and Optimization

  • [Basic] Common Tools/OSINT Virtual Machine

I will not talk about the first one; it is self-explanatory and learnable, but if you would like me to go through it with you another time, let me know. I'll leave some links here for your reference regarding this:

The second one is more interesting.

Did you know you could use the weather app sitting in your phone right now to perform OSINT on a real missing person? You may not necessarily find them, but you can uncover key details like their last possible location or key items related to the missing, which is what some of the people looking for MH370 did.

The man, the legend, who searched for plane debris even faster than law enforcement. Image credit: https://www.theguardian.com/world/2016/sep/26/the-man-on-a-solo-mission-to-find-the-wreckage-of-flight-mh370

As the above shows, there are many ways to go about solving challenges, and that includes exploring the unknown: using Strava, Spotify/SoundCloud, heck, even dating apps to find your flag. You may also need to be the next top GeoGuessr player if you chance upon any images. Think outside the box, and use common tools first to narrow down your searches for the flag.

To help, here is a list of common tools you can look into:

Well, that's it for this month. It was a lengthy and late update, but it was nevertheless very fun to explore the many possibilities of how to craft and solve unique OSINT challenges.

syk