
A Walk on the Wild Side: OSINT Capture-the-Flag Walkthrough Part I

  • Jemma Ward
  • Apr 30

Have you had a chance to try out our April Capture-the-Flag, A Walk on the Wild Side?


For a lot of these challenges, there are multiple techniques for finding the right answer (and no doubt at least a few people experimented with using generative AI to reach the correct answer!). For our walkthrough, we’re going to focus on free OSINT tools and tradecraft that don’t require subscriptions. You’ll find most of the tools mentioned here in our OSINT Bookmark Stack.

 

Getting Started


Text on dark background reads: "Getting Started 100" with instructions to identify a domain name in lowercase format: domain.com.

Our first question is about a domain registration – we need to find out which ‘wild’ website was registered based on a name. We can find (some) information about domain registrations using WHOIS look-ups – basically, we’re just asking ‘who is responsible for this domain?’. However, the question specifies that the website was registered ‘quite a while ago’, so we likely need to access historic WHOIS data. Two free reverse WHOIS lookup tools that provide historical registration information are:

Conducting a Reverse WHOIS lookup in either of these tools will reveal a domain with the keyword ‘wild’ in it:


Reverse Whois results listing "rewildingeurope.com" with registration date 2010-09-15 and registrar ENOM, INC., from a search for 'Twan Teunissen'.
ViewDNS Reverse WHOIS

Reverse Whois search result showing "TWAN TEUNISSEN" linked to "rewildingeurope.com" under registrar eNom, Inc.
Whoxy Reverse WHOIS

Proper Poppy


Text on a dark background reads: "Proper Poppy 100 1/3 attempts. In which country was this picture of a flower taken? Answer is one word, lowercase i.e. estonia."

For this challenge, we need to find out about the provenance of an image (the image is a still taken from a TikTok video).

Blue poppy with frayed petals in foreground, lush green hills in background, overcast sky. Tranquil, nature scene.

This is another fairly straightforward exercise – if we conduct a reverse image search of the image using Google Lens, we can identify two exact matches in the Google search results:

Google search results page for a blue flower image, Meconopsis gakyidiana. Results from Bhutan Biodiversity Portal show flower details.

Both of these are from the Bhutan Biodiversity Portal domain, and if we click through for further information, we can confirm that the photograph is from a region of Bhutan (near a place called Merak). Reverse image searching is another key tool in the OSINT investigator’s toolbox – it can help us assess the provenance of an image, identify possible locations, and find out how widely an image has been shared or posted online.


Proper Poppy II

If you solved the previous question, you would have unlocked a second Proper Poppy challenge – this one asks you to identify a phrase from the title of a research paper.

Proper Poppy II challenge text on dark background, mentions co-authoring a paper with a poetic two-word phrase for Himalayan poppies.

You may need to return to the Bhutan Biodiversity Portal reverse image result to check the names needed for this question. They are T. Yoshida, R. Yangzom, and D.G. Long. Since it seems that these are co-authors of a paper, it would be useful to use a search engine that focuses on academic writing – enter Google Scholar.


Google Scholar can speed up our searches for content related to academic research and publications and refine our search results more than Google’s regular search engine. It has a few of its own search operators, as well as a handy Advanced Search function that allows us to target our searches even further. Let’s use that and add the last names of our co-authors.

Advanced search window with fields for keywords, authors, publications, and date range. Search button displayed in a white and gray interface.

This retrieves two results, and we can see that one of those has the solution for our challenge – ‘dancing butterflies’.

Search results in Google Scholar show two research articles by authors Yoshida, Yangzom, and Long on Meconopsis species discoveries.

Legendary Beasts


Text on a dark background reads: Legendary Beasts, 200, 1/3 attempts. It asks for an animal reference from a Reddit post, lowercase, one word.

This one requires us to have solved ‘Getting Started’, of course – now that we know the name of the domain (rewildingeurope.com), we have the information we need to find the post on Reddit.


Reddit, like many platforms, has its own search operators that can help us narrow down our results. We don’t need a Reddit account to use the operators.

Table with Google Advanced Search queries and descriptions. Blue headers: Query, Description. Text examples include inurl, site, filetype. OSINT Combine logo.

We can guess that the keyword ‘legendary’ appears somewhere in the post – perhaps in the title? And the domain is linked to as well. So, let’s use the ‘title’ and ‘site’ operators:


Search results for "site:rewildingeurope.com title:legendary" show a post about Rewilding Europe's efforts to revive Aurochs with a cattle image.

This will retrieve just one post, and we have our answer – our legendary beast is the Aurochs. Understanding advanced searching on different platforms is a key skill for OSINT investigators – not every platform will have its own unique searching language, but many do, and taking the time to familiarise yourself with search operators can allow you to conduct more efficient, targeted searching.


Shadow Fleet


Shadow Fleet game screen showing a report on a Panama-flagged oil tanker adrift in the Baltic Sea. Asks for a seven-digit IMO number.

Why, you might ask, are we interested in the movements of a crude oil tanker as part of an environmental OSINT capture-the-flag? Well, in 2022, the G7 imposed a price cap on Russian oil exports. Since then, Russia has been building a ‘shadow fleet’ of oil tankers – the goal is to obfuscate the Russian origins of the oil being transported, in order to evade the price cap and continue exporting oil.


Often, these vessels are old and badly maintained, which heightens the risk of oil spills. In December 2024, two ageing tankers from Russia’s shadow fleet, damaged during bad weather, caused an oil spill in the Kerch Strait. Identifying and regulating shadow fleet vessels – and potentially using publicly available information to link these vessels to Russian interests – may help to avoid further environmental disasters in the future.


For this question, we first need to identify the crude oil tanker mentioned – we’ll need the name of it for the next step. Let’s use Google’s datetime operator plus a few keywords to search for mentions of the tanker:


Google search bar showing query: crude oil tanker Baltic sea, between January 9 and 11, 2025. White background, black text.

Preview of a Newsweek article titled "Russian 'Shadow Fleet' Tanker With 99000 Tons of Oil." It describes a tanker drifting in the Baltic Sea.

There are several vessel tracking websites that will retrieve information based on a ship name.


As always, it’s useful to have several possible tools, rather than relying on just one – this helps with corroborating information and confirming that we have the correct answer. Try searching for the ship name across all three tools – are the results the same? Does one tool offer more context or information than the others?


Searching for ‘Eventin’ in Vessel Finder leads us to a crude oil tanker sailing under the Panama flag, and we can see its IMO in the vessel details:

Red and green crude oil tanker near large white storage tanks. Text shows vessel info, location in Baltic Sea, and flag of Panama.

Not So Smug Smuggler

"Dark-themed image with text 'Not So Smug Smuggler, 200, 1/3 attempts.' Describes a case of smuggling from Botswana to Mozambique."

In this challenge, we’re investigating sanctions data. While we tend to associate sanctions datasets with politically exposed individuals and rogue governments, sanctions data may also reveal information about individuals or groups involved in smuggling activities. As with most investigations of criminal activities, open-source intelligence can add value in understanding key locations, networks and methods of communication.


Poaching, smuggling and wildlife trafficking remain significant issues in the field of environmental protection. At the 2020 Australian OSINT Symposium, Anti-Money Laundering expert Todd Harland spoke about how OSINT has been used to investigate the illegal wildlife trade & focus on counter-poaching of elephants & rhinos (you can check out the presentation on the OSINT Combine Academy here).


Using corporate record look-ups, financial data and sanctions data to understand the supply chains of wildlife trafficking and poaching networks (which, in many cases, resemble legitimate business models!) allows authorities and law enforcement to understand the TTPs of bad actors.  


Open Sanctions is a great resource for looking up individuals and organisations who may be subject to international sanctions, or under investigation. It also allows keyword searching. In this case, we can pick out a few unique keywords to identify possible suspects:

OpenSanctions search result for "rhinoceros" showing two entries: Yun Kil (North Korea, South Africa) and Yi Kang Dae (North Korea). Pale blue background.

This retrieves two results, both North Korean individuals. One of them – Yi Kang Dae – is described as a reported intelligence official.


Icy

Text image titled "Icy 200" with details about a TikTok video of ice surging onto shore. Question asks the name of the river, answer in lowercase.

This challenge directs us to a TikTok video showing an ice flow surging across a river bank. The caption and comments do not specify the river in question. This is, of course, another geolocation question. We have a few options for helping to locate the river in question.


Option one: keyword searching – this may be the simplest approach, although we may need to trawl through a fair amount of content to find a mention of the exact location.

Google search bar with the text "ice surge from river" entered.

The phrase above does retrieve webpages with the correct event and the name of the river in question. However, it is not the top result – and depending on your location and search history, you might have quite a lot of scrolling to do!


Option two: reverse image searching. Because we’re working with a video, it’s helpful to extract frames that are most likely to yield success in a reverse image search. If a frame is blurry or doesn’t show enough of the subject, then a reverse image search might not yield any results at all. For key frame extraction and basic metadata analysis of videos and images, we like the Fake news debunker by InVID & WeVerify extension, available here in the Chrome webstore.


First, let's download a copy of the TikTok video by right-clicking and selecting ‘Download’.

Beach scene with rocky ice formations in the background. A menu with options reads: Download video, Send to friend, Copy link.

In the Fake News Debunker toolbox, select ‘Keyframes’ and then upload the saved .mp4 file to break out key frames for reverse image searching. (Note: you can also go directly to the Keyframe extraction service here: https://kse.idt.iti.gr/service/start.html)

Ice fragments on a sandy beach under a clear blue sky, shown in six keyframes. The mood is serene with no visible text.

Choose a clear keyframe, or the starting keyframe, and conduct a reverse image search to identify where else a video has been shared. This should reveal a number of results containing the name of the river in question (the Yenisei):

Chunks of ice are pushed ashore, creating an "ice tsunami" on a sandy beach under a clear blue sky.

Forest Pals

Quiz screen titled "Forest Pals" with a 200-point question about an orangutan story on the BOS website. Option to unlock hint.

This challenge requires us to venture back in time to a previous version of the website in question. Archives are a great source of information for OSINT investigations – they allow us to explore captures of domains without interacting directly with a website, which helps to minimise our digital footprint, and archived content may include information that has since been changed or deleted. Archive repositories include:

Our first step will be to identify the domain that we need to look for. A quick Google search should reveal a website associated with the Borneo Orangutan Survival Foundation: https://www.orangutan.or.id/


Now, let’s take a look at captures in the Wayback Machine from 2012. There are a number of captures available (keep in mind that some of these may be partial captures or redirects) – the easiest way to jump through each 2012 capture is using the timeline feature. In June 2012, we find a reference to ‘Fajar’, an orangutan telling a story:

Borneo Orangutan Survival Foundation logo with orangutan image; text reads "Fajar the Orangutan Tells a Story..." on a blurred green background.
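
The same triage can be done against the Wayback Machine's CDX index, which lists each capture with its HTTP status, so redirects and revisit records can be filtered out before opening anything. This is an added example, not part of the original walkthrough: it builds the 2012 query for the domain above and groups full HTML captures by month. The sample response rows, timestamps and digests are constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"

def cdx_query_url(domain, year):
    """Build the CDX index query for one calendar year of captures."""
    params = {"url": domain, "from": str(year), "to": str(year),
              "output": "json", "collapse": "digest"}
    return CDX_ENDPOINT + "?" + urlencode(params)

def usable_captures(cdx_json):
    """Group full HTML captures by month as {YYYY-MM: [replay URLs]}."""
    rows = json.loads(cdx_json)
    if not rows:
        return {}
    header, records = rows[0], rows[1:]  # first row names the columns
    by_month = defaultdict(list)
    for record in records:
        cap = dict(zip(header, record))
        # Drop redirects (3xx), errors, and "revisit" records, which carry
        # statuscode "-" and point back at an earlier identical capture.
        if cap["statuscode"] != "200" or cap["mimetype"] != "text/html":
            continue
        ts = cap["timestamp"]  # format: YYYYMMDDhhmmss
        replay = f"https://web.archive.org/web/{ts}/{cap['original']}"
        by_month[f"{ts[:4]}-{ts[4:6]}"].append(replay)
    return dict(by_month)

# Constructed sample of a CDX JSON response (timestamps and digests invented).
SAMPLE_RESPONSE = json.dumps([
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["id,or,orangutan)/", "20120114031522", "http://orangutan.or.id/", "text/html", "301", "DIGEST-A", "412"],
    ["id,or,orangutan)/", "20120309120000", "http://orangutan.or.id/", "text/html", "200", "DIGEST-B", "9120"],
    ["id,or,orangutan)/", "20120618101010", "http://orangutan.or.id/", "text/html", "200", "DIGEST-C", "9544"],
    ["id,or,orangutan)/", "20120620050505", "http://orangutan.or.id/", "warc/revisit", "-", "DIGEST-C", "310"],
    ["id,or,orangutan)/", "20120622070707", "http://orangutan.or.id/", "text/html", "200", "DIGEST-D", "9601"],
])

if __name__ == "__main__":
    print(cdx_query_url("orangutan.or.id", 2012))
    for month, urls in sorted(usable_captures(SAMPLE_RESPONSE).items()):
        print(month, len(urls), urls[0])
```

Working from the index rather than the live site keeps the same benefit the archive gives in the browser: no requests are sent to the target domain.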

Sneaky!

Sneaky! game screen shows a 200-point challenge about an Instagram post on Iceland's sneaker waves. Black background with white text.

A key skill for OSINT investigators is searching for and identifying content on social media. For dedicated SOCMINT (social media intelligence) activities, you may need to register for accounts on a platform. However, Google and other search engines index public content from most social media platforms, so we can often find what we’re looking for without requiring an account. For this challenge, the tricky part is crafting a search that is refined enough to retrieve the correct result. If our search is too broad, we’ll likely be inundated by other content, and trawling through the results will take extra time! So let’s craft a search targeting results from a single account:

Google search results showing Instagram posts about black sand beach sneaker waves in Iceland. Text includes "sneaker waves are no joke."

We can take a look at the post itself to find the timestamp:

People running from waves on a black sand beach in Iceland. Text reads "What NOT to do at black sand beach in Iceland." Overcast sky.

Hello Friend

Text on screen with a prompt for guessing an animal seen by user diego_caballero on 10 Dec 2024 for 300 points. Option to unlock hint.

Username correlation is another key OSINT skill. Understanding the social media footprint of an individual can give us unique insight into their hobbies, interests, behaviours, and pattern of life.

For this question, we’ll need to discover the platform on which this username exists. Google is, of course, always helpful—but not all platforms are indexed by search engines, and username checking websites can assist us in narrowing down our options.

Two username checking tools that you’ll find in our OSINT Bookmark stack are:

Let’s try our given username in Whatsmyname, which retrieves possible matches from hundreds of different platforms (including hobby and interest sites).

Search interface displaying username "diego_caballero" with category filters and search results on sites like Adobe and Duolingo.

One of our results is for the platform iNaturalist, which seems like a good lead! Let’s take a look at the account. iNaturalist allows us to view a calendar showing contributions, so we can navigate to the date given in the challenge:

December 2025 calendar with the 10th circled in red. The 25th is blue. Days are displayed in rows starting with Saturday.

And, sure enough, here is our answer:

Pampas Fox in grassy field, facing forward. Background: dry grass, green plant. Text: “Pampas Fox (Lycalopex gymnocercus) Research Grade.”

So, how did you go? Remember, there are usually multiple tools and techniques that can retrieve the correct answer, so your solutions might be a little different from ours, but we hope that A Walk on the Wild Side has let you stretch your OSINT skills and discover some new tradecraft. Keep an eye out for Part II, where we’ll walk through the solutions for the rest of the challenges.
