Ctf Osint
Run structured open-source intelligence workflows during CTF geolocation and forensics challenges without ad-hoc tool hopping.
Overview
ctf-osint is an agent skill most often used in Ship (also Idea, Operate) that walks you through CTF-style geolocation and media OSINT—from reverse image search to coordinate systems and metadata.
Install
npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-osintWhat is this skill?
- Covers image analysis, reverse image search, metadata extraction, and IP geolocation in one playbook
- Documents MGRS, What3Words, Google Plus Codes, and W3W-style geolocation decoding patterns
- Includes Street View panorama matching, road-sign language, and architecture/brand identification heuristics
- Supports Google Lens cropped search, reflected text reading, and crowd-sourced Maps photo verification
- Ties techniques to named CTF writeup contexts (EHAX, UTCTF, MidnightCTF) as reusable method cards
- 15+ topical sections in the OSINT playbook (image analysis through Maps verification)
Adoption & trust: 4.5k installs on skills.sh; 2.3k GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You have a challenge image or clue with no obvious location and no consistent order for which OSINT checks to run first.
Who is it for?
Solo CTF players and indie security hobbyists who want an agent to follow competition-grade geolocation and media-analysis checklists.
Skip if: Teams that need enterprise threat-intel platforms, lawful-intercept workflows, or passive production monitoring without a specific investigative artifact.
When should I use this skill?
A CTF or investigation hands you photos, partial coordinates, encoded locations, or hardware clues and you need ordered OSINT steps.
What do I get? / Deliverables
After the skill runs, you have a repeatable chain of geolocation, metadata, and verification steps aligned to the artifact type so you can submit coordinates or flags with evidence.
- Documented hypothesis chain for location or identity
- List of searches and decodings attempted with sources
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Ship → Security because OSINT here supports verification, attribution, and challenge solving under a security-minded workflow. Security subphase fits investigative techniques used to validate clues, extract metadata, and geolocate assets—core CTF OSINT outcomes.
Where it fits
Research an unknown storefront photo to decide if a scam landing page claims a real address before you validate the product idea.
Walk through metadata and reverse-image checks on user-uploaded media before shipping a community feature.
Correlate an IP or hosting clue with geolocation hints during a tabletop abuse or incident exercise.
How it compares
Use instead of generic web-search prompts when you need CTF-specific geolocation encodings and visual matching steps, not a general SEO research skill.
Common Questions / FAQ
Who is ctf-osint for?
It is for solo builders and small teams doing CTF geolocation challenges, security forensics practice, or agent-assisted OSINT when verifying visual and metadata clues.
When should I use ctf-osint?
Use it in Ship when hardening or investigating suspicious media; in Idea when researching unknown locations or brands from photos; and in Operate when tracing IPs or validating crowd-sourced map evidence during an incident drill.
Is ctf-osint safe to install?
Review the Security Audits panel on this Prism page for install counts and audit results before trusting it in sensitive environments; OSINT workflows may encourage external searches you should scope to lawful, authorized targets.
SKILL.md
READMESKILL.md - Ctf Osint
# Geolocation and Media Analysis ## Table of Contents - [Image Analysis](#image-analysis) - [Reverse Image Search](#reverse-image-search) - [Geolocation Techniques](#geolocation-techniques) - [MGRS (Military Grid Reference System)](#mgrs-military-grid-reference-system) - [Google Plus Codes / Open Location Codes (MidnightCTF 2026)](#google-plus-codes--open-location-codes-midnightctf-2026) - [Metadata Extraction](#metadata-extraction) - [Hardware/Product Identification](#hardwareproduct-identification) - [Newspaper Archives and Historical Research](#newspaper-archives-and-historical-research) - [Google Street View Panorama Matching (EHAX 2026)](#google-street-view-panorama-matching-ehax-2026) - [Road Sign Language and Driving Side Analysis (EHAX 2026)](#road-sign-language-and-driving-side-analysis-ehax-2026) - [Post-Soviet Architecture and Brand Identification (EHAX 2026)](#post-soviet-architecture-and-brand-identification-ehax-2026) - [IP Geolocation and Attribution](#ip-geolocation-and-attribution) - [Google Lens Cropped Region Search (UTCTF 2026)](#google-lens-cropped-region-search-utctf-2026) - [Reflected and Mirrored Text Reading (UTCTF 2026)](#reflected-and-mirrored-text-reading-utctf-2026) - [What3Words (W3W) Geolocation (UTCTF 2026)](#what3words-w3w-geolocation-utctf-2026) - [Monumental Letters / Letreiro Identification (UTCTF 2026)](#monumental-letters--letreiro-identification-utctf-2026) - [Google Maps Crowd-Sourced Photo Verification (MidnightCTF 2026)](#google-maps-crowd-sourced-photo-verification-midnightctf-2026) - [Overpass Turbo Spatial Queries (LAB'OSINT 2025)](#overpass-turbo-spatial-queries-labosint-2025) - [Music-Themed Landmark Geolocation with Key Encoding (BSidesSF 2026)](#music-themed-landmark-geolocation-with-key-encoding-bsidessf-2026) --- ## Image Analysis - Discord avatars: Screenshot and reverse image search - Identify objects in images (weapons, equipment) -> find character/faction - No EXIF? Use visual features (buildings, signs, landmarks) - **Visual steganography**: Flags hidden as tiny/low-contrast text in images (not binary stego) - Always view images at full resolution and check ALL corners/edges - Black-on-dark or white-on-light text, progressively smaller fonts - Profile pictures/avatars are common hiding spots - **Twitter strips EXIF** on upload - don't waste time on stego for Twitter-served images - **Tumblr preserves more metadata** in avatars than in post images ## Reverse Image Search - Google Lens (crop to specific region, best for identifying landmarks/shops/signs) - Google Images (most comprehensive) - TinEye (exact match) - Yandex (good for faces, Eastern Europe) - Baidu Images / `graph.baidu.com` (best for Chinese locations — use when visual cues suggest China: blue license plates, simplified Chinese text, menlou gate architecture) - Bing Visual Search ## Geolocation Techniques - Railroad crossing signs: white X with red border = Canada - Use infrastructure maps: - [Open Infrastructure Map](https://openinframap.org) - power lines - [OpenRailwayMap](https://www.openrailwaymap.org/) - rail tracks - High-voltage transmission line maps - Process of elimination: narrow by country first, then region - Cross-reference multiple features (rail + power lines + mountains) - MGRS coordinates: grid-based military system (e.g., "4V FH 246 677") -> convert online ## MGRS (Military Grid Reference System) **Pattern (On The Grid):** Encoded coordinates like "4V FH 246 677". **Identification:** Challenge title mentions "grid", code format matches MGRS pattern. **Conversion:** Use online MGRS converter -> lat/long -> Google Maps for location name. ## Google Plus Codes / Open Location Codes (MidnightCTF 2026) **Pattern (Chine Zhao):** Flag format requires a Google Plus Code (e.g., `H9G2+47X`) instead of coordinates or W3W. Plus Codes are Google's open-source alternative to street addresses. **Format:** `XXXX+XX` (short/local) or `8FVC9G8F+6W` (full/global). Characters from t