Redline Cyber Security is excited to announce that our pentesters secured first place at the 2024 GrrCON OSINT Capture the Flag (CTF) competition. With a record 68 teams competing, this year’s event focused on open-source intelligence gathering, and our team was honored to walk away with another victory, making this our third time winning the CTF over the years.
What is the OSINT CTF?
The GrrCON OSINT CTF, organized by CG Silvers Consulting (<- awesome company), stands out from more technical challenges like the Car Hacking Village CTF, which we competed in last year, taking 2nd place (See Blog Post: GrrCon 2023 CTF). The OSINT CTF emphasizes investigative and reconnaissance skills rather than technical hacking. Participants are tasked with using publicly available information to track down specific details about “volun-targets” using free online resources, all while adhering to strict ethical guidelines.
The goal is to leverage open-source tools to gather details about the targets, ranging from public social media profiles to obscure online aliases. Each flag represents a challenge that requires participants to methodically sift through data, cross-reference sources, and uncover the information needed to solve the challenge. The competition favors those with sharp research skills, creativity, and of course the "try harder" mentality.
Game Structure and Rules
The competition began with teams receiving a set of challenges, each task requiring them to uncover specific pieces of information about the volun-targets. Successfully discovering this information is what constituted capturing a 'flag.' The challenges varied in difficulty, with some involving straightforward searches, while others demanded more advanced investigative techniques.
The challenges ranged from uncovering details such as a target's spouse's full birthdate or their military rank, to identifying their first-ever registered personal email address, and even discovering their high school mascot. These are often details that are used as security questions in online account recovery processes.
Participants were required to manage numerous browser tabs, searching through public people-search databases, social media platforms, and other sources of OSINT. It was critical to stay organized and manage the noise from the data that flooded in, making note-taking and source verification essential to success.
As with all GrrCON CTFs, ethical guidelines were strictly enforced. Participants could only use free, open-source tools and resources. Any use of paid services or private data was prohibited, ensuring that the competition remained a true test of OSINT skills.
Redline’s Winning Strategy
Redline's pentesting team approached the competition with a clear focus and preparation, knowing that strong organization and a toolbar full of bookmarks to OSINT resources would be key.
Bryan, founder of Redline Cyber Security, shared his thoughts on the competition:
"This was a competition we had been looking forward to for a while. It gave us the perfect opportunity to brush up on non-technical reconnaissance skills that are crucial to any cybersecurity engagement. These OSINT techniques translate to any target and are common in the work we do."
The toughest flag involved discovering the legal middle name of one of the volun-targets. We managed to uncover the first name, middle initial, and last name from various sources but couldn’t submit the correct answer. Eventually, the team realized that the middle name was simply the letter itself—the middle initial was the entire middle name.
"The answer had been right in front of us the whole time!" Bryan said, reflecting on the challenge.
Effective note-taking and team communication were also essential to Redline’s victory. With dozens of browser tabs open and various people-search websites to comb through, it was important to filter out unnecessary noise and focus on key information. The team used Obsidian for note-taking and Signal to share links and updates, helping them efficiently manage the vast amount of data they collected.
Key OSINT Tools and Resources Used in the 2024 GrrCON OSINT CTF
Throughout the competition, a vast majority of the information we uncovered came from social media, particularly through the accounts of the targets' close friends and family. Interestingly, more details about the targets were revealed through their parents' social media accounts than through their own (THANKS Mom & Dad!).
While some resources proved helpful, others were not used, but it’s always good to have a broad set of tools available. Additionally, GitHub's Awesome OSINT list is a fantastic resource that maintains a large collection of OSINT tools for future reference.
Below are the key tools and websites we used, or considered, during the CTF:
- True People Search: https://www.truepeoplesearch.com/
- Been Verified: https://www.beenverified.com/
- That’s Them: https://thatsthem.com/
- PeekYou: https://www.peekyou.com/
- TinEye: https://tineye.com/
- Jimpl: https://jimpl.com/
- USA Official: https://usa-official.com/
- Black Book Online: https://www.blackbookonline.info/
- What's My Name: https://whatsmyname.app/
- Judy Records: https://www.judyrecords.com/
- National Sex Offender Public Website (NSOPW): https://www.nsopw.gov/
- VoteRef: https://voteref.com/
- Open Secrets Donor Lookup: https://www.opensecrets.org/donor-lookup
- Open Corporates: https://opencorporates.com/
- Family Search: https://www.familysearch.org/
- Spokeo: https://spokeo.com/
- Classmates: https://www.classmates.com/
- Review Public Records: https://www.reviewpublicrecords.com/
- Unmask: https://unmask.com/
- Google Fu / Advanced Search Techniques
Reflections from the Winner’s Panel
After the competition, Redline's pentesters joined a panel discussion with the other top teams and two special guest volun-targets. Bryan and the team shared some insights into their experience and offered advice for future competitors:
- Why did you decide to join the OSINT CTF?
"We were excited for this event because it focuses on essential non-technical skills that are crucial for any cybersecurity engagement," Bryan explained. "We use these skills every day in our work, so it was a great opportunity to practice them in a fun and competitive environment."
- What was the hardest flag to find?
Bryan shared the story of the middle name challenge: "We found the first name, middle initial, and last name from various sources but missed that the middle initial was the full middle name. It was a real ‘aha’ moment when we figured that out!"
- What advice would you have for future contestants?
Bryan emphasized that the OSINT CTF is a great opportunity even for those without a technical background: "One of our team members competed in this type of event for the first time and did really well. Don’t limit yourself—form a team, dive in, and get your hands dirty."
A Big Shout Out to GrrCON and CG Silvers
We want to thank GrrCON and CG Silvers for organizing another outstanding event. It’s an honor to participate in the OSINT CTF year after year, and this year’s prizes—a black badge, Flipper Zero, and CG Silvers swag pack—were the perfect reward for our team’s efforts.
This year's win at the GrrCON OSINT CTF reflects the value our pentesters put into teamwork, effective research, and attention to detail. As always, we’re excited to apply the same level of dedication to our work with clients.
For more information about how Redline Cyber Security can help secure your organization, contact us today!