Logo

osint/scriptCTF 2025: beginner osint chals

author

Welcome to my very friendly beginner OSINT guide. since #osint in the discord server was going crazy the entire ctf i decided to dedicate this writeup for those stuck on all of the insider challenges, and I will take you through all of my thought processes.

Insider 1

insider1

My first instinct was to check for the support team's social media, websites, github pages, and more. So, I went to the discord and went through each admin's discord profile seeing if there were any URLs that stood out or anything. Clicking on noobmaster's profile, i saw this:

insider1!

Flag:

scriptCTF{1ts_0bv10u5ly_j0hn_d03_aka_n00bm4573r}

Insider 2

insider2

"Continue where you left off"

This probably means that there is something to do with Noobmaster's discord profile or something, so I visited it once again, and then I saw a lot of whitespace on his profile. Scrolling down, it seems that they put a link to a user on ctfd.

Clicking it, this is what we get:

insider2

Clicking on the little redirect button, where you can put your own websites or urls on your profile, it takes you to a login page.

insider2

It looks like this is the login page where we have to "put it to use", so let's find out what they leaked on GitHub. Noobmaster has his Github profile linked to his discord profile, so I clicked on that first and saw this:

insider2

Clicking on the repo, it seems there is a login credential in the "creds".txt:

scriptCTF2026:scriptCTF2026

creds are stored in a user:pass fashion, so putting that in the login page at http://2026.scriptsorcerers.xyz/ gives us the flag

scriptCTF{scriptCTF_2026_leaked?!!}

fun fact: i solved this challenge while lying in bed about to go to sleep. bed reveal:

insider2

Insider 3

insider3

Going back to this image:

insider2

I clicked on the other repo "scriptCTF26" and pressed on the folder named "leaked"

insider3

wow that was easy. it legit just gave me the flag.

scriptCTF{2026_fl4g_f0und_1n_2025}

Insider 4

insider4

In the same folder as "leaked", there is a folder named ".insider-4"

This was the description:

Description: "As a photographer, I took these photos on my vacation. Flag format is scriptCTF{HOTEL_ADDRESS_ROOMNUMBER}. Example: scriptCTF{1337_elite_Hwy_S_9999} Have fun!"

So we have to find the hotel address and the room number.

Clicking into attachments, there were three folders:

.secret
fireworks.jpg
room.jpg

Clicking on .secret, the text read:

as a photographer, i add comments/descriptions to my images

This probably meant that there was some metadata embedded in the images. I downloaded both images and extracted the metadata using exiftool, and for one of the images I got this:

Comment: Great fireworks! Thanks to the Wendell family for organizing these!

After that, I searched up "Wendell family Fireworks" and discovered it was some sort of company or family doing annual fireworks for fourth of july. Then, I went to their history page https://wendellfamilyfireworks.com/our-history/ and saw they launch fireworks at Rockport, Aransas County. Luckily for me, I also found a place where they provide a detailed map of where they launch their fireworks at the link https://wendellfamilyfireworks.com/places-to-eat-stay-watch/

insider4

Then, using google maps, I narrowed the area down to this, using the H-E-B market detailed in the fireworks map:

insider4

First of all, let's analyze the room.jpg image file. Here is the image:

insider4

Now, it looks like the hotel is facing some water, which means it will be located right next to the coastline somewhere. This narrows it down a lot. Going on google maps, I can type in "hotel" to find all of the hotels near this area.

insider4

There's only about 8-9 hotels located at the edge of the water, and to check if it's the right hotel you can go into google streetview and look for some key details in room.jpg to match up with the hotel.

After about 5 minutes of searching, I came across this hotel: Days Inn by Wyndham Rockport Texas

https://maps.app.goo.gl/sSV1KWFeVUWauTWZ9

insider4
insider4

Which perfectly matched up with the room.jpg. Now, all that was left was to find the room number. Obviously, there wasn't going to be any information or anything that would lead to guessing the exact room number as the challenge also states that "Note: max flag limit is 6 for a reason, you should be able to get it in less than that. If not, open a ticket." I thought this meant there would be a reasonable range for us to guess in, and maybe we won't find the exact room number and instead use the other room numbers to make a valid guess on what the room number could be.

After some thinking, I realized that i could use photos from the google reviews to see if I could catch some guests posting their room number to their review, just to see how the numbering works and all.

If you didn't know, google maps has a feature where you can shuffle through all photos uploaded to reviews.

insider4

After scrolling through all the images, this one especially caught my eye, since there were TWO room numbers in the image:

insider4
insider4

The left says 116 and the right says 115. Great, so we have two room numbers. But where are they in respect to the room we need to find out? Well, first we need to find out which way the photo was taken. Using Google Streetview and the red building behind it, you can see that the photo is taken from the left side of the building pointing the front of the hotel:

insider4
insider4

In order to help you visualize this, I have drawn a very detailed map that outlines all of the rooms and information in an exquisitely precise manner.

insider4

So, the two room numbers seem to be going downwards as you approach down and to the left. Using this logic we can deduce that our room number will be lower than 115, but not exactly lower than 115 since there is still quite a bit of space in between. To be safe, I started guessing the room number from numbers below 114.

Im assuming I have to guess these numbers:

114
113
112
111
110
109

Flag Format: i know a lot of people were struggling with the flag format so I will help:

Flag format is scriptCTF{HOTEL_ADDRESS_ROOMNUMBER}. Example: scriptCTF{1337_elite_Hwy_S_9999}

Looking at the example, I don't think they meant to separate hotel and address as it makes it feel like you have to put the hotel name as well. But if you look at the example then this clears it up entirely. You have to put the hotel address exactly, and then the room after that.

Getting the Days Inn hotel address off google, their address is 901 Hwy 35 N, Rockport, TX 78382, almost matching up with the example.

Which makes the flag format scriptCTF{901_Hwy_35_N_ROOMNUMBER}

Now, I just guess all the room numbers until i'm right, which ended up being room 111.

Flag:

scriptCTF{901_Hwy_35_N_111}

If you enjoyed the writeup then lmk on my discord profile: acni

and admins i want a binary ninja personal license pretty please.