> For the complete documentation index, see [llms.txt](https://thienguen.gitbook.io/ctf-writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://thienguen.gitbook.io/ctf-writeups/ctf/2025/scriptctf/osint.md).

# osint

## Challenges

<figure><img src="/files/oXAJvDIVBpniPIbiC2qS" alt=""><figcaption></figcaption></figure>

### The Insider 1

<figure><img src="/files/gqvQqVAKK28uV6ps4Jrz" alt=""><figcaption></figcaption></figure>

> Someone from our support team has leaked some confidential information. Can you find out who?

<figure><img src="/files/NNgZxlL6cqniMYirzlLf" alt=""><figcaption></figcaption></figure>

### The Insider 2

<figure><img src="/files/Th54X2PSgW8jje7HSVUR" alt=""><figcaption></figcaption></figure>

> You found out the insider, but can you find what they leaked on GitHub and put it to use? Continue where you left off...

* Scroll down from his bio

<figure><img src="/files/BqEyR8u3CyKiee98nE4v" alt=""><figcaption></figcaption></figure>

* github/search reveal something interesting 🐧
* <https://github.com/NoobMaster9999/scriptsorcerers-creds>

<figure><img src="/files/S3euwRl8naqsK42KMhxv" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/lf9WJiE2MWULthYqtgyK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/9eR968xTAOOjmvzu02Dl" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/mv6oUTrIKsgwm3ks1Udf" alt=""><figcaption></figcaption></figure>

* <mark style="color:blue;">`scriptCTF{scriptCTF_2026_leaked?!!}`</mark>

### The Insider 3

<figure><img src="/files/SYBcgHEPZ1RLfDYuiOJX" alt=""><figcaption></figcaption></figure>

> It's a tradition at this point. Continue where you left off...

* Do another github search, click the repositories and see the repo.

{% embed url="<https://github.com/scriptCTF/scriptCTF26>" %}

<figure><img src="/files/nMvuaI2RzJrc2MplOwtH" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/GyfCp4isDgwMkYT68Z41" alt=""><figcaption></figcaption></figure>

* <mark style="color:blue;">`scriptCTF{2026_fl4g_f0und_1n_2025}`</mark>

### The Insider 4

<figure><img src="/files/JD9Jy1AVl3bOu0mHhRnn" alt=""><figcaption></figcaption></figure>

> Good luck! Note: max flag limit is 6 for a reason, you should be able to get it in less than that. If not, open a ticket. Flag is case insensitive
>
> * **Flag Format:** scriptCTF{HOTEL\_ADDRESS\_ROOMNUMBER}

* The embargo has been lifted, lets go...💨💨🏃‍♂️‍➡️

{% hint style="info" %}
This is again, an **upsolve** due to I couldn't find the room number in time, and I was going crazy over a different challenge (modulo) so when I woke up from my slumber, the ctf is already ended 😭, so lets go...
{% endhint %}

{% embed url="<https://github.com/scriptCTF/scriptCTF26/tree/main/OSINT/.insider-4>" %}

<figure><img src="/files/qcnrMXNRbavVAafyRacY" alt=""><figcaption></figcaption></figure>

* The same repo from insider 3 also have all the challenge files

<figure><img src="/files/5n5nPfbJfKSDeHE1vinM" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/djiiAiIBlrm7XKKzEUe8" alt=""><figcaption></figcaption></figure>

* First...from the image, we simply exiftool to extract the comment that the

```
❯ exiftool fireworks.jpg
ExifTool Version Number         : 12.76
File Name                       : fireworks.jpg
...
Comment                         : Great fireworks! Thanks to the Wendell family for organizing these!
Image Width                     : 4032
Image Height                    : 3024
...
```

* Straight up — paste that comment into **google**.
* Immediately spotted the location, we can narrow the location of the hotel now. It is in Rockport, Texas.

<figure><img src="/files/uZoiaCIdITuR5bzNzGA2" alt=""><figcaption></figcaption></figure>

* Another links also verified our search about the location of the challenge

{% embed url="<https://wendellfamilyfireworks.com/places-to-eat-stay-watch/>" %}

<figure><img src="/files/Ky38CXwK2ll326mpNu7l" alt=""><figcaption></figcaption></figure>

From that, you can use the image the challenge gave and start cross-comparing the hotels in the area **THAT CONNECTED WITH WENDELL FAMILY** that have water in between and buildings across the water. After about 30 minutes of searching and agonizing on Google Maps (which was a decent amount of time), I came across this hotel: Days Inn by Wyndham Rockport, Texas

* Andddddddddddd..... that right there, my friend, is the exact location of the hotel.
* So the hotel address is **901 Hwy 35 N, Rockport, TX 78382**. We just need to find the room number
* [Links](https://www.google.com/maps/place/Days+Inn+by+Wyndham+Rockport+Texas/@28.0315856,-97.0462669,3a,75y,269.11h,93.85t/data=!3m7!1e1!3m5!1scf74P7wpw6ffASoGftMhew!2e0!6shttps:%2F%2Fstreetviewpixels-pa.googleapis.com%2Fv1%2Fthumbnail%3Fcb_client%3Dmaps_sv.tactile%26w%3D900%26h%3D600%26pitch%3D-3.849553887290483%26panoid%3Dcf74P7wpw6ffASoGftMhew%26yaw%3D269.1111555504093!7i16384!8i8192!4m20!1m10!3m9!1s0x8669b5c70ac08861:0xe9952a48ec5111dc!2sDays+Inn+by+Wyndham+Rockport+Texas!5m2!4m1!1i2!8m2!3d28.0313443!4d-97.0466495!16s%2Fg%2F11h464lg04!3m8!1s0x8669b5c70ac08861:0xe9952a48ec5111dc!5m2!4m1!1i2!8m2!3d28.0313443!4d-97.0466495!16s%2Fg%2F11h464lg04?entry=ttu\&g_ep=EgoyMDI1MDgxOS4wIKXMDSoASAFQAw%3D%3D)

<figure><img src="/files/YLfGMISmYv85xsb49Xi4" alt=""><figcaption></figcaption></figure>

I think the smart move is that you can simply check the images of the hotel from Google Maps....We have to make some assumptions here: first, that the room is on the ground floor (based on evidence from the challenge images), and second, that the hotel follows a standard American numbering convention. To verify our ground floor hypothesis, I decided to methodically scroll through every available image on Google Maps - down and down and down - to finally see the complete range of room numbers.

So my first clue is that they have a 3-digit numbering system for the room numbers, as depicted in the screenshot. Given that our target room is on the ground floor our guess can be 1XX

<figure><img src="/files/ohIclKNipfMXY7lRt2bG" alt=""><figcaption></figcaption></figure>

Now let's check what we have so far for the flag construction. From the description.

* Flag format is `scriptCTF{HOTEL_ADDRESS_ROOMNUMBER}`.
* Example: `scriptCTF{1337_elite_Hwy_S_9999}` Have fun!"

Put them side by side we have

* `scriptCTF{HOTEL_ADDRESS_ROOMNUMBER}`
* `scriptCTF{`<mark style="color:blue;">**`901_Hwy_35_N`**</mark>`_???}`

<figure><img src="/files/ZbL4TDrW5fecEnMMJfUT" alt=""><figcaption></figcaption></figure>

Scrolling even more through the photos, and voilà, the range is from 1-20 (they can't have that many rooms, can they???? 💀). We have to make some educated guesses here, but let's approach this systematically rather than randomly. If the hint said we shouldn't need more than 6 (later updated to 7) guesses?

Then from the image...our range is **`106 +- 6`** The answer ultimately is **111**. But I would really want to see the intended solution of how we can ACCURATELY PINPOINT it is 111 without tanking our accuracy by guessing. I guess we can do some geography reflection? Like comparing where the picture was taken compare to the room and count it.

* <mark style="color:blue;">**`scriptCTF{901_Hwy_35_N_111}`**</mark>
